Page MenuHomeFreeBSD
Differential D24539

pf: Improve input validation
ClosedPublic
Actions

Authored by kp on Apr 22 2020, 7:12 PM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, Oct 13, 3:05 AM
Unknown Object (File)
Mon, Oct 13, 3:05 AM
Unknown Object (File)
Mon, Oct 13, 3:05 AM
Unknown Object (File)
Sun, Oct 12, 3:11 PM
Unknown Object (File)
Sat, Oct 11, 6:20 AM
Unknown Object (File)
Mon, Sep 29, 7:05 AM
Unknown Object (File)
Wed, Sep 24, 4:32 PM
Unknown Object (File)
Aug 30 2025, 8:10 PM
View All 81 Files
Subscribers
farrokhi
imp
melifaro

Details

Reviewers
melifaro
Group Reviewers
network
Commits
rS360344: pf: Improve input validation
Summary

If we pass an anchor name which doesn't exist pfr_table_count() returns
-1, which leads to an overflow in mallocarray() and thus a panic.

Explicitly check that pfr_table_count() does not return an error.

Reported-by: syzbot+bd09d55d897d63d5f4f4@syzkaller.appspotmail.com

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

kp created this revision.Apr 22 2020, 7:12 PM
Herald added subscribers: melifaro, farrokhi. · View Herald TranscriptApr 22 2020, 7:12 PM
Harbormaster completed remote builds in B30670: Diff 70889.Apr 22 2020, 7:12 PM
melifaro accepted this revision.Apr 22 2020, 8:41 PM

LGTM, please see minor comments in the diff

sys/netpfil/pf/pf_ioctl.c
3058 ↗(On Diff #70889)

I'm curious: it looks like pfr_get_tstats() uses totally separate routine to clear the statistics. Would it potentially make sense to use read lock to get the stats first and then clear the stats under wlock if the flag is specified?

3060 ↗(On Diff #70889)

I'm wondering what will happen when n equals 0?
Do mallocarray() always return NULL?

This revision is now accepted and ready to land.Apr 22 2020, 8:41 PM
kp added inline comments.Apr 23 2020, 8:01 AM
sys/netpfil/pf/pf_ioctl.c
3058 ↗(On Diff #70889)

That would break the atomicity of the read+clear operation. We'd risk missing matches that happen between reading the stats and clearing them.

3060 ↗(On Diff #70889)

That becomes a malloc(0, ...), so I believe we still allocate something, possibly rounded up to the smallest uma bucket size.

Closed by commit rS360344: pf: Improve input validation (authored by kp). · Explain WhyApr 26 2020, 4:16 PM
This revision was automatically updated to reflect the committed changes.
kp added a commit: rS360344: pf: Improve input validation.
Herald added a subscriber: imp. · View Herald TranscriptApr 26 2020, 4:16 PM

Revision Contents
Changeset List

PathSize
head/
sys/
netpfil/
pf/
33 lines

Diff 71008

View Options

head/sys/netpfil/pf/pf_ioctl.c

Loading...