Page MenuHomeFreeBSD

Fix handling of Hop-by-Hop options over the loopback interface
ClosedPublic

Authored by tuexen on Sep 15 2019, 2:37 PM.

Details

Summary

When processing an incoming packet over the loopback interface which contains Hop-by-Hop options, the mbuf chain is potentially changed in ip6_hopopts_input(), called by ip6_input_hbh. This can happen, because of the the use of IP6_EXTHDR_CHECK, which might call m_pullup().
So provide the updated pointer back to the called of ip6_input_hbh() to avoid using a freed mbuf chain in`ip6_input()`.

This issue was found by running an instance of syzkaller.

Test Plan

Test with the reproducer generated by syzkaller:

.
Here is the issue: Fatal trap 9: general protection fault in ip6_input.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

sys/netinet6/ip6_input.c
448 ↗(On Diff #62124)

Isn't it possible for m to be freed here too?

sys/netinet6/ip6_input.c
448 ↗(On Diff #62124)

I assumed that the kernel is compiled without the PULLDOWN_TEST test. So we are not hitting this code. Also IP6_EXTHDR_GET calls in some cases m_pulldown(), which does not destroy pointers to the data before the Hop-by-Hop options. In addition, ip6_hopopts_input() also made sure that the Hop-by-Hop options is in contiguous memory. So if it would be called, it shouldn't do anything. So in short, the answer to your question is "No", I think.

markj added inline comments.
sys/netinet6/ip6_input.c
448 ↗(On Diff #62124)

Thanks.

This revision is now accepted and ready to land.Sep 15 2019, 6:08 PM