Page MenuHomeFreeBSD

Protect ng_iface(4) private data
ClosedPublic

Authored by eugen_grosbein.net on Sep 21 2017, 4:04 PM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, Mar 6, 1:54 PM
Unknown Object (File)
Dec 26 2023, 1:15 AM
Unknown Object (File)
Dec 12 2023, 4:56 PM
Unknown Object (File)
Nov 30 2023, 4:55 PM
Unknown Object (File)
Nov 22 2023, 9:04 PM
Unknown Object (File)
Nov 22 2023, 8:42 PM
Unknown Object (File)
Nov 22 2023, 4:23 PM
Unknown Object (File)
Nov 21 2023, 8:00 PM
Subscribers

Details

Summary

There is a race between ng_iface(4) using its private data to select a hook and send data and another kernel thread removing selected hook. Kernel panices in such case due to access to memory just freed.

See also https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220076 for backtrace details.

Test Plan

The nature of the race makes it hard to reproduce the bug, but it can easily happen using high loaded (or stress-tested) net/mpd5 installation.

  1. Apply the patch.
  2. Rebuild a kernel and/or ng_iface kernel module.
  3. Run busy mpd5 server with hundreds of users reconnecting very often.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

Other than the NULL pointer check, looks good to me.
Thank you!

sys/netgraph/ng_iface.c
459 ↗(On Diff #33268)

I think that a NULL pointer check is missing here.

hook needs to be NULL-checked before refcounting.

Approved.

But please wait for a node from @mav.

This revision is now accepted and ready to land.Sep 21 2017, 4:37 PM
This revision was automatically updated to reflect the committed changes.