Page MenuHomeFreeBSD

pf: Improve input validation
ClosedPublic

Authored by kp on Apr 22 2020, 7:12 PM.
Tags
None
Referenced Files
F131798557: D24539.diff
Sat, Oct 11, 6:20 AM
Unknown Object (File)
Mon, Sep 29, 7:05 AM
Unknown Object (File)
Wed, Sep 24, 4:32 PM
Unknown Object (File)
Aug 30 2025, 8:10 PM
Unknown Object (File)
Aug 15 2025, 2:18 AM
Unknown Object (File)
Aug 4 2025, 9:12 PM
Unknown Object (File)
Jul 22 2025, 1:13 PM
Unknown Object (File)
Jun 25 2025, 4:56 PM

Details

Reviewers
melifaro
Group Reviewers
network
Commits
rS360344: pf: Improve input validation
Summary

If we pass an anchor name which doesn't exist pfr_table_count() returns
-1, which leads to an overflow in mallocarray() and thus a panic.

Explicitly check that pfr_table_count() does not return an error.

Reported-by: syzbot+bd09d55d897d63d5f4f4@syzkaller.appspotmail.com

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

LGTM, please see minor comments in the diff

sys/netpfil/pf/pf_ioctl.c
3058 ↗(On Diff #70889)

I'm curious: it looks like pfr_get_tstats() uses totally separate routine to clear the statistics. Would it potentially make sense to use read lock to get the stats first and then clear the stats under wlock if the flag is specified?

3060 ↗(On Diff #70889)

I'm wondering what will happen when n equals 0?
Do mallocarray() always return NULL?

This revision is now accepted and ready to land.Apr 22 2020, 8:41 PM
sys/netpfil/pf/pf_ioctl.c
3058 ↗(On Diff #70889)

That would break the atomicity of the read+clear operation. We'd risk missing matches that happen between reading the stats and clearing them.

3060 ↗(On Diff #70889)

That becomes a malloc(0, ...), so I believe we still allocate something, possibly rounded up to the smallest uma bucket size.

This revision was automatically updated to reflect the committed changes.