Page MenuHomeFreeBSD

Protect ng_iface(4) private data
ClosedPublic

Authored by eugen_grosbein.net on Sep 21 2017, 4:04 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sat, Dec 21, 12:26 AM
Unknown Object (File)
Wed, Dec 4, 2:04 PM
Unknown Object (File)
Nov 28 2024, 8:15 AM
Unknown Object (File)
Nov 22 2024, 11:12 PM
Unknown Object (File)
Nov 21 2024, 2:38 AM
Unknown Object (File)
Nov 20 2024, 5:22 PM
Unknown Object (File)
Nov 15 2024, 3:19 AM
Unknown Object (File)
Nov 10 2024, 3:45 AM
Subscribers

Details

Summary

There is a race between ng_iface(4) using its private data to select a hook and send data and another kernel thread removing selected hook. Kernel panices in such case due to access to memory just freed.

See also https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220076 for backtrace details.

Test Plan

The nature of the race makes it hard to reproduce the bug, but it can easily happen using high loaded (or stress-tested) net/mpd5 installation.

  1. Apply the patch.
  2. Rebuild a kernel and/or ng_iface kernel module.
  3. Run busy mpd5 server with hundreds of users reconnecting very often.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

Other than the NULL pointer check, looks good to me.
Thank you!

sys/netgraph/ng_iface.c
459

I think that a NULL pointer check is missing here.

hook needs to be NULL-checked before refcounting.

Approved.

But please wait for a node from @mav.

This revision is now accepted and ready to land.Sep 21 2017, 4:37 PM
This revision was automatically updated to reflect the committed changes.