Page MenuHomeFreeBSD
Differential D21664

Fix handling of Hop-by-Hop options over the loopback interface
ClosedPublic
Actions

Authored by tuexen on Sep 15 2019, 2:37 PM.
Tags
None
Referenced Files
F132374018: D21664.diff
Thu, Oct 16, 8:28 AM
Unknown Object (File)
Wed, Oct 15, 7:53 AM
Unknown Object (File)
Thu, Oct 9, 3:38 AM
Unknown Object (File)
Sat, Oct 4, 8:51 AM
Unknown Object (File)
Sep 11 2025, 10:11 PM
Unknown Object (File)
Sep 4 2025, 1:26 AM
Unknown Object (File)
Aug 27 2025, 1:57 PM
Unknown Object (File)
Aug 24 2025, 10:39 AM
View All Files
Subscribers
ae
imp
melifaro

Details

Reviewers
bz
markj
Commits
rS360733: MFC r352511: Improve IPv6 handling over the loopback interface
rS353038: MFS r352672:
rS352672: MFC r352511:
rS352511: When processing an incoming IPv6 packet over the loopback interface which
Summary

When processing an incoming packet over the loopback interface which contains Hop-by-Hop options, the mbuf chain is potentially changed in ip6_hopopts_input(), called by ip6_input_hbh. This can happen, because of the the use of IP6_EXTHDR_CHECK, which might call m_pullup().
So provide the updated pointer back to the called of ip6_input_hbh() to avoid using a freed mbuf chain in`ip6_input()`.

This issue was found by running an instance of syzkaller.

Test Plan

Test with the reproducer generated by syzkaller:

r.c19 KBDownload
.
Here is the issue: Fatal trap 9: general protection fault in ip6_input.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

tuexen created this revision.Sep 15 2019, 2:37 PM
Herald added subscribers: ae, imp. · View Herald TranscriptSep 15 2019, 2:37 PM
Harbormaster completed remote builds in B26506: Diff 62124.Sep 15 2019, 2:37 PM
markj added inline comments.Sep 15 2019, 4:57 PM
sys/netinet6/ip6_input.c
448 ↗(On Diff #62124)

Isn't it possible for m to be freed here too?

tuexen added inline comments.Sep 15 2019, 6:03 PM
sys/netinet6/ip6_input.c
448 ↗(On Diff #62124)

I assumed that the kernel is compiled without the PULLDOWN_TEST test. So we are not hitting this code. Also IP6_EXTHDR_GET calls in some cases m_pulldown(), which does not destroy pointers to the data before the Hop-by-Hop options. In addition, ip6_hopopts_input() also made sure that the Hop-by-Hop options is in contiguous memory. So if it would be called, it shouldn't do anything. So in short, the answer to your question is "No", I think.

markj accepted this revision.Sep 15 2019, 6:08 PM
markj added inline comments.
sys/netinet6/ip6_input.c
448 ↗(On Diff #62124)

Thanks.

This revision is now accepted and ready to land.Sep 15 2019, 6:08 PM
Closed by commit rS352511: When processing an incoming IPv6 packet over the loopback interface which (authored by tuexen). · Explain WhySep 19 2019, 10:22 AM
This revision was automatically updated to reflect the committed changes.
tuexen added a commit: rS352511: When processing an incoming IPv6 packet over the loopback interface which.
tuexen added a commit: rS352672: MFC r352511:.Sep 25 2019, 10:39 AM
tuexen added a commit: rS353038: MFS r352672:.Oct 3 2019, 11:21 AM
tuexen added a commit: rS360733: MFC r352511: Improve IPv6 handling over the loopback interface.May 7 2020, 1:29 AM
Herald added a subscriber: melifaro. · View Herald TranscriptMay 7 2020, 1:29 AM

Revision Contents
Changeset List

PathSize
head/
sys/
netinet6/
10 lines

Diff 62302

View Options

head/sys/netinet6/ip6_input.c

Loading...