Page MenuHomeFreeBSD

Protect ng_iface(4) private data
ClosedPublic

Authored by eugen_grosbein.net on Sep 21 2017, 4:04 PM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, Oct 13, 5:41 AM
Unknown Object (File)
Tue, Oct 7, 6:02 AM
Unknown Object (File)
Sat, Sep 20, 4:05 AM
Unknown Object (File)
Sep 4 2025, 1:17 PM
Unknown Object (File)
Sep 1 2025, 5:02 AM
Unknown Object (File)
Aug 8 2025, 3:24 AM
Unknown Object (File)
Jul 28 2025, 8:50 AM
Unknown Object (File)
Jul 22 2025, 6:17 AM
Subscribers

Details

Summary

There is a race between ng_iface(4) using its private data to select a hook and send data and another kernel thread removing selected hook. Kernel panices in such case due to access to memory just freed.

See also https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220076 for backtrace details.

Test Plan

The nature of the race makes it hard to reproduce the bug, but it can easily happen using high loaded (or stress-tested) net/mpd5 installation.

  1. Apply the patch.
  2. Rebuild a kernel and/or ng_iface kernel module.
  3. Run busy mpd5 server with hundreds of users reconnecting very often.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

Other than the NULL pointer check, looks good to me.
Thank you!

sys/netgraph/ng_iface.c
459 ↗(On Diff #33268)

I think that a NULL pointer check is missing here.

hook needs to be NULL-checked before refcounting.

Approved.

But please wait for a node from @mav.

This revision is now accepted and ready to land.Sep 21 2017, 4:37 PM
This revision was automatically updated to reflect the committed changes.