
ipfilter: Plug ip_nat kernel information leak
ClosedPublic

Authored by cy on Wed, Oct 22, 11:26 PM.

Details

Summary

ipf_nat_getent() allocates a variable-sized nat_save_t buffer with
KMALLOCS() (which does not zero memory) and then copies only a subset
of fields into it before returning the object to userland using
ipf_outobjsz(). Because the structure is not fully initialized on all
paths, uninitialized kernel heap bytes can be copied back to user space,
resulting in an information leak.

We fix this by zeroing out the data structure immediately after
allocation.

Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com>
MFC after: 1 day
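The allocate-then-partially-fill pattern the summary describes, beside the zeroing fix placed after the NULL check, as an added C model that is not part of this revision's diff: `struct nat_save_sim`, `kmallocs_sim()`, `getent_sim()` and `count_leaked_bytes()` are constructed stand-ins for nat_save_t, KMALLOCS(), ipf_nat_getent() and the copy-out done by ipf_outobjsz(); the field layout is assumed, not taken from the page.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define STALE 0xA5  /* marker for whatever the previous heap owner left behind */
/* Constructed stand-in for nat_save_t: a fixed header plus a variable-sized
 * tail of which only ns_datalen bytes are ever written. */
struct nat_save_sim {
    uint32_t ns_version;
    uint32_t ns_datalen;
    uint8_t  ns_data[];
};

/* Stand-in for KMALLOCS(): allocates without zeroing; the marker fill makes
 * stale heap contents observable in this user-space model. */
static void *kmallocs_sim(size_t sz)
{
    void *p = malloc(sz);
    if (p != NULL) memset(p, STALE, sz);
    return p;
}

/* Mirrors the shape of ipf_nat_getent(): fill a subset of the fields and hand
 * the object back. zero_after_alloc == 0 is the buggy path; 1 applies the fix. */
static struct nat_save_sim *getent_sim(size_t datalen, size_t total, int zero_after_alloc)
{
    struct nat_save_sim *ns = kmallocs_sim(total);
    if (ns == NULL)
        return NULL;               /* NULL check first, as the reviewer asked */
    if (zero_after_alloc)
        memset(ns, 0, total);      /* the fix: zero the whole object up front */
    ns->ns_version = 1;
    ns->ns_datalen = (uint32_t)datalen;
    memset(ns->ns_data, 0x11, datalen);   /* only part of the tail is written */
    return ns;
}

/* Defender's check: copy the whole object out, as ipf_outobjsz() would, and
 * count bytes still carrying the stale marker; any non-zero count is a leak. */
static size_t count_leaked_bytes(size_t datalen, size_t total, int zero_after_alloc)
{
    struct nat_save_sim *ns = getent_sim(datalen, total, zero_after_alloc);
    uint8_t *out = malloc(total);  /* stand-in for the user-space destination */
    size_t leaked = 0, i;
    if (ns == NULL || out == NULL) { free(ns); free(out); return (size_t)-1; }
    memcpy(out, ns, total);
    for (i = 0; i < total; i++)
        leaked += (out[i] == STALE);
    free(ns); free(out); return leaked;
}
```

With a 64-byte tail of which 16 bytes are filled, the buggy path hands back 48 stale bytes and the fixed path none.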

Diff Detail

Repository: rG FreeBSD src repository
Lint: Not Applicable
Unit Tests: Not Applicable

Event Timeline

cy requested review of this revision. Wed, Oct 22, 11:26 PM
This revision is now accepted and ready to land. Wed, Oct 22, 11:57 PM

Inline comment on sys/netpfil/ipfilter/netinet/ip_nat.c, line 1770:

This should be done after the null check.

Inline comment on sys/netpfil/ipfilter/netinet/ip_nat.c, line 1770:

Geez. Stupid. Teaches me to rush through things.

cy retitled this revision from "ipfilter: Plug kernel information leak" to "ipfilter: Plug ip_nat kernel information leak". Thu, Oct 23, 3:21 PM
This revision now requires review to proceed. Thu, Oct 23, 3:22 PM
This revision is now accepted and ready to land. Thu, Oct 23, 3:35 PM
This revision was automatically updated to reflect the committed changes.