
Fix handling of Hop-by-Hop options over the loopback interface
Closed (Public)

Authored by tuexen on Sep 15 2019, 2:37 PM.
Details

Summary

When processing an incoming packet over the loopback interface which contains Hop-by-Hop options, the mbuf chain is potentially changed in `ip6_hopopts_input()`, called by `ip6_input_hbh()`. This can happen because of the use of `IP6_EXTHDR_CHECK`, which might call `m_pullup()`.
So provide the updated pointer back to the caller of `ip6_input_hbh()` to avoid using a freed mbuf chain in `ip6_input()`.

This issue was found by running an instance of syzkaller.
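The summary above describes a pointer-invalidation bug: a callee may replace the head of the mbuf chain, but the caller keeps using its old copy of the pointer. The following C model, written for this page and not taken from the FreeBSD source, reduces that to a toy `struct mbuf`, a `toy_pullup()` that behaves like `m_pullup()` (allocates a new head and frees the old one when the requested bytes are not contiguous), and the caller pattern before and after the fix; the sample chain contents are constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Toy mbuf chain, constructed for this example (not the kernel's struct mbuf). */
struct mbuf { struct mbuf *m_next; int m_len; unsigned char m_data[8]; };
static const struct mbuf *last_freed;  /* address of the head most recently released by toy_pullup() */

/* Like m_pullup(): if the first len bytes are not contiguous in the head mbuf, build a new head
 * holding them, free the old head and return the new chain; otherwise return m unchanged.
 * Assumes the second mbuf holds at least the missing bytes. */
static struct mbuf *toy_pullup(struct mbuf *m, int len) {
    if (m->m_len >= len) return m;
    struct mbuf *n = calloc(1, sizeof(*n)), *rest = m->m_next;
    int need = len - m->m_len;
    memcpy(n->m_data, m->m_data, m->m_len);
    memcpy(n->m_data + m->m_len, rest->m_data, need);
    n->m_len = len;
    memmove(rest->m_data, rest->m_data + need, rest->m_len - need);
    rest->m_len -= need;
    n->m_next = rest;
    last_freed = m;
    free(m);
    return n;
}

/* Before the fix: the option parser may replace the chain, but the caller keeps its old pointer. */
static void hbh_input_buggy(struct mbuf *m, int hdrlen) { (void)toy_pullup(m, hdrlen); }

/* After the fix: the head is passed by reference, so the caller sees the updated chain. */
static void hbh_input_fixed(struct mbuf **mp, int hdrlen) { *mp = toy_pullup(*mp, hdrlen); }

/* Constructed sample: an 8-byte Hop-by-Hop header split 2 / 6 across two mbufs. */
static struct mbuf *make_chain(void) {
    struct mbuf *m = calloc(1, sizeof(*m)), *n = calloc(1, sizeof(*n));
    m->m_len = 2; memcpy(m->m_data, "\x3b\x00", 2);                  /* next header, ext hdr len */
    n->m_len = 6; memcpy(n->m_data, "\x01\x04\x00\x00\x00\x00", 6);  /* PadN option + padding */
    m->m_next = n;
    return m;
}

/* Returns 1 if the caller's pointer is the freed head after parsing 4 contiguous bytes.
 * Only addresses are compared, nothing stale is dereferenced; the buggy path leaks the new chain. */
static int caller_holds_stale_mbuf(int fixed) {
    struct mbuf *m = make_chain();
    if (fixed) hbh_input_fixed(&m, 4); else hbh_input_buggy(m, 4);
    int stale = (m == last_freed);
    if (!stale) { free(m->m_next); free(m); }
    return stale;
}
```

In the kernel the real `m_pullup()` can also fail, in which case it frees the chain and returns NULL, so a caller that receives the updated pointer must check it for NULL before touching the packet again.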

Test Plan

Test with the reproducer generated by syzkaller:

Here is the issue: Fatal trap 9: general protection fault in ip6_input.

Diff Detail

Repository
rS FreeBSD src repository - subversion

Event Timeline

sys/netinet6/ip6_input.c:448 (On Diff #62124)

Isn't it possible for m to be freed here too?

sys/netinet6/ip6_input.c:448 (On Diff #62124)

I assumed that the kernel is compiled without the PULLDOWN_TEST test. So we are not hitting this code. Also IP6_EXTHDR_GET calls in some cases m_pulldown(), which does not destroy pointers to the data before the Hop-by-Hop options. In addition, ip6_hopopts_input() also made sure that the Hop-by-Hop options are in contiguous memory. So if it were called, it shouldn't do anything. So in short, the answer to your question is "No", I think.

markj added inline comments.
sys/netinet6/ip6_input.c:448 (On Diff #62124)

Thanks.

This revision is now accepted and ready to land. Sep 15 2019, 6:08 PM