
ipsec: plug use-after-free of SAH
Abandoned (Public)

Authored by mjg on Sep 9 2022, 8:11 PM.
Referenced Files
F82200521: D36510.diff
Fri, Apr 26, 10:25 AM
F82181737: D36510.id110399.diff
Fri, Apr 26, 6:11 AM
F82181706: D36510.id.diff
Fri, Apr 26, 6:11 AM
Details

Reviewers
ae
Group Reviewers
network
Summary
Change refcounting scheme to a more idiomatic approach: every
secasvar object keeps a ref to SAH which is only released when
the object goes away.

Plugs panics of the form:
panic: esp_input_cb: Unexpected address family: 0 saidx=0xfffffd001832a330

I validated this is the issue by neglecting to actually free anything on stock kernel and instead poisoning address family with a dedicated value, which did start showing up.
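The ownership rule the summary describes, shown as an added toy example in C. This is not FreeBSD code and not this patch; the struct and function names, the `freed` flag, the poisoning of the family field and the sample family value are all assumptions made for illustration. The storage is caller-owned and only marked released, so both scenarios run without a real use-after-free while still showing why the old scheme produced an address family of 0 and the new one does not.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy stand-ins for SAH and secasvar; field names are assumptions. */
struct sah {
    int refcnt;
    int family;   /* stands in for the address family the panic complained about */
    int freed;    /* observation only: set when the object would really be released */
};

struct sav {
    struct sah *sah;  /* the reference this object holds on its SAH */
};

static struct sah *sah_acquire(struct sah *sah)
{
    sah->refcnt++;
    return sah;
}

/* Drop one reference. The SAH is released only when the last holder lets go.
 * Storage is caller-owned, so "release" here poisons the fields instead of
 * calling free(); returns 1 if the object was released, 0 otherwise. */
static int sah_release(struct sah *sah)
{
    assert(sah->refcnt > 0);
    if (--sah->refcnt > 0)
        return 0;
    sah->family = 0;   /* mimic the "Unexpected address family: 0" that a stale pointer sees */
    sah->freed = 1;
    return 1;
}

/* New scheme: every sav takes its own ref at creation... */
static struct sav *sav_create(struct sah *sah)
{
    struct sav *sav = calloc(1, sizeof *sav);
    if (sav == NULL)
        abort();
    sav->sah = sah_acquire(sah);
    return sav;
}

/* ...and gives it back only when the sav itself goes away. */
static void sav_destroy(struct sav *sav)
{
    sah_release(sav->sah);
    free(sav);
}

/* Input-path check modelled on the panic message: returns the family,
 * or -1 when the SAH has been released underneath the sav. */
static int input_cb_family(const struct sav *sav)
{
    if (sav->sah->family == 0)
        return -1;
    return sav->sah->family;
}

/* New scheme: the table drops its ref while a sav is still in flight.
 * Returns 1 when the SAH survived until the sav was destroyed. */
static int scenario_sav_outlives_table(void)
{
    struct sah sah = { .refcnt = 1, .family = 2 /* AF_INET */ };
    struct sav *sav = sav_create(&sah);        /* refcnt 2 */
    int freed_early = sah_release(&sah);       /* table's ref gone, refcnt 1, not released */
    int fam = input_cb_family(sav);            /* still 2 */
    sav_destroy(sav);                          /* last ref, released now */
    return (!freed_early && fam == 2 && sah.freed) ? 1 : 0;
}

/* Old scheme: the sav holds no ref of its own, so the table's release
 * is the last one and the input path sees the poisoned family (-1). */
static int scenario_no_ref_held(void)
{
    struct sah sah = { .refcnt = 1, .family = 2 };
    struct sav sav = { .sah = &sah };          /* no sah_acquire */
    sah_release(&sah);                         /* refcnt 0, released while sav still points at it */
    return input_cb_family(&sav);
}

int main(void)
{
    printf("sav holds ref: %s\n", scenario_sav_outlives_table() ? "ok" : "FAIL");
    printf("sav holds no ref: family=%d\n", scenario_no_ref_held());
    return 0;
}
```

The second scenario is the same reproduction idea as poisoning the family field instead of freeing: with no reference held by the sav, the first release is also the last, and the stale pointer reads the poisoned value.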

Diff Detail

Lint: Skipped
Unit Tests: Skipped

Event Timeline

mjg requested review of this revision. Sep 9 2022, 8:11 PM
mjg edited the summary of this revision.

I'll try to read the patch more carefully this weekend.

sys/netipsec/key.c
1371

The comment becomes stale.

5282

Another stale comment.