Page MenuHomeFreeBSD
Differential D27346

pf: Fix tag hashing
ClosedPublic
Actions

Authored by markj on Nov 23 2020, 10:10 PM.
Tags
None
Referenced Files
Unknown Object (File)
Mar 2 2024, 4:39 PM
Unknown Object (File)
Feb 19 2024, 10:09 PM
Unknown Object (File)
Jan 30 2024, 3:10 PM
Unknown Object (File)
Dec 20 2023, 8:06 AM
Unknown Object (File)
Sep 2 2023, 8:14 PM
Unknown Object (File)
Sep 2 2023, 8:08 PM
Unknown Object (File)
Aug 28 2023, 2:18 AM
Unknown Object (File)
Aug 28 2023, 2:08 AM
View All 12 Files
Subscribers
farrokhi
imp
kp
melifaro

Details

Reviewers
kp
Commits
rS367987: pf: Make tag hashing more robust
Summary

tagname2tag() hashes the tag name before truncating it to 63 characters.
tag_unref() removes the tag from the name hash by computing the hash
over the truncated name. Modify tagname2hashindex() to only hash over
the bytes that will actually be saved. I don't see any other problems
with permitting tag names longer than 63 characters, but maybe there's
some reason to prohibit them altogether.

Reported by: syzbot+a0988828aafb00de7d68@syzkaller.appspotmail.com

Test Plan

Tested using a syzkaller reproducer. pf regression tests pass.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

markj created this revision.Nov 23 2020, 10:10 PM
Herald added subscribers: melifaro, farrokhi, imp. · View Herald TranscriptNov 23 2020, 10:10 PM
Harbormaster completed remote builds in B34991: Diff 79918.Nov 23 2020, 10:10 PM
markj requested review of this revision.Nov 23 2020, 10:10 PM
kp added a subscriber: kp.Nov 23 2020, 10:13 PM

Do you have a pointer to the syzcaller reproducer for this issue? I'd like to add a test.

markj edited the test plan for this revision. (Show Details)Nov 23 2020, 10:13 PM
markj added a reviewer: kp.
In D27346#610754, @kp wrote:

Do you have a pointer to the syzcaller reproducer for this issue? I'd like to add a test.

It's here: https://syzkaller.appspot.com/bug?id=dd302de76ce71516f929e4504daa4010f033cd9c

kp accepted this revision.Nov 24 2020, 10:05 AM

Looks good to me.

I have a test case for it in D27350

This revision is now accepted and ready to land.Nov 24 2020, 10:05 AM
markj added a comment.Nov 24 2020, 2:12 PM

Looking at this again with fresh eyes, I think the real problem is that none of the pf ioctls verify that strings embedded in parameter structures are nul-terminated.

kp added a comment.Nov 24 2020, 3:06 PM
In D27346#610905, @markj wrote:

Looking at this again with fresh eyes, I think the real problem is that none of the pf ioctls verify that strings embedded in parameter structures are nul-terminated.

Yeah, we should do what we already do for pr->anchor (in DIOCADDRULE) and explicitly zero-terminate it. This patch still makes sense though, even if we explicitly zero-terminate in the ioctl handler already. If only for robustness if we happen to forget a path.

This is all made that much harder by the fact that pf shares its internal data structures with the world via its ioctl interface. I've got in-progress work to separate that out, and that gives us a logical place (i.e. the function that translates ioctl data structures into pf kernel data structures) to do this sort of thing.
The struct pf_rule code is going to be the last I get round to doing, because it's so central and uses and is used by a number of other structures that also need to be changed.

markj added a comment.Nov 24 2020, 3:46 PM
In D27346#610905, @markj wrote:

Looking at this again with fresh eyes, I think the real problem is that none of the pf ioctls verify that strings embedded in parameter structures are nul-terminated.

In D27346#610916, @kp wrote:
In D27346#610905, @markj wrote:

Looking at this again with fresh eyes, I think the real problem is that none of the pf ioctls verify that strings embedded in parameter structures are nul-terminated.

Yeah, we should do what we already do for pr->anchor (in DIOCADDRULE) and explicitly zero-terminate it. This patch still makes sense though, even if we explicitly zero-terminate in the ioctl handler already. If only for robustness if we happen to forget a path.

Fair enough. I'll note in the commit message that this is something of a workaround.

This is all made that much harder by the fact that pf shares its internal data structures with the world via its ioctl interface. I've got in-progress work to separate that out, and that gives us a logical place (i.e. the function that translates ioctl data structures into pf kernel data structures) to do this sort of thing.
The struct pf_rule code is going to be the last I get round to doing, because it's so central and uses and is used by a number of other structures that also need to be changed.

I started trying to do this myself, but wasn't sure about the best approach. I started adding explicit checks for nul-termination rather than doing nul-termination in the ioctl handlers, but that doesn't make sense for out-parameters, and I can't easily see whether a given string field is an out-parameter or not. If you've got plans in this area I'm happy to leave it to you. :)

Closed by commit rS367987: pf: Make tag hashing more robust (authored by markj). · Explain WhyNov 24 2020, 4:19 PM
This revision was automatically updated to reflect the committed changes.
markj added a commit: rS367987: pf: Make tag hashing more robust.

Revision Contents
Changeset List

PathSize
head/
sys/
netpfil/
pf/
4 lines

Diff 79934

View Options

head/sys/netpfil/pf/pf_ioctl.c

Loading...