
ipfilter: Plug ip_htable kernel information leak
Closed, Public

Authored by cy on Oct 22 2025, 11:26 PM.
Tags
None
Referenced Files
F152491293: D53275.id164813.diff
Wed, Apr 15, 7:23 AM

Details

Summary

ipf_htable_stats_get() constructs an iphtstat_t on the stack and only
initializes select fields before copying the entire structure to
userland. The trailing padding array iphs_pad[16] is never initialized,
so ~128 bytes of uninitialized kernel stack memory can be leaked to user
space on each call. This is a classic information disclosure
vulnerability that can reveal pointers and other sensitive data.

We fix this by zeroing out the data structure prior to use.

Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com>
MFC after: 1 day
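
The pattern the summary describes, as an added userland model that is not ipfilter's code: a stats structure with a trailing pad array is built in a region that still holds stale bytes from an earlier call (modelled here by deliberately filling the frame with a sentinel, since a real uninitialized read is undefined behaviour and not reproducible), only select fields are populated, and the whole object is copied to a user buffer. The field names, types and layout of `iphtstat_model_t`, the `fake_copyout()` stand-in for copyout(9), and the `STALE` sentinel are assumptions made for this example; the real `iphtstat_t` is defined in the ipfilter headers. `stats_get_leaky()` shows the original behaviour and `stats_get_fixed()` shows the fix of zeroing the object before use.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical model of ipfilter's iphtstat_t. Field names and types are
 * assumptions for this example, not the real definition; the only property
 * relied on is a trailing pad array that the getter never writes. */
typedef struct iphtstat_model {
    void     *iphs_tables;      /* pointer into kernel memory */
    uint64_t  iphs_numtables;
    uint64_t  iphs_numnodes;
    uint64_t  iphs_nomem;
    uint64_t  iphs_pad[16];     /* 16 * 8 = 128 bytes of padding */
} iphtstat_model_t;

/* Stand-in for copyout(9): copies a kernel object to a "user" buffer. */
static int fake_copyout(const void *kaddr, void *uaddr, size_t len)
{
    memcpy(uaddr, kaddr, len);
    return 0;
}

/* Sentinel standing in for whatever an earlier call left on the stack
 * (pointers, keys, other structs). Poisoning the frame explicitly keeps
 * the demonstration deterministic instead of relying on real stale stack. */
#define STALE 0xA5
static void poison_frame(void *frame, size_t len) { memset(frame, STALE, len); }

/* Original pattern: populate a few fields, then copy out the whole object.
 * iphs_pad is never written, so the sentinel reaches "user space". */
static int stats_get_leaky(iphtstat_model_t *stats, void *user_dst)
{
    stats->iphs_tables = NULL;
    stats->iphs_numtables = 3;
    stats->iphs_numnodes = 42;
    stats->iphs_nomem = 0;
    return fake_copyout(stats, user_dst, sizeof(*stats));
}

/* Fixed pattern: zero the entire object before touching any field, so every
 * byte that copyout() sees has a defined value. */
static int stats_get_fixed(iphtstat_model_t *stats, void *user_dst)
{
    memset(stats, 0, sizeof(*stats));   /* the fix (bzero/memset before use) */
    stats->iphs_tables = NULL;
    stats->iphs_numtables = 3;
    stats->iphs_numnodes = 42;
    stats->iphs_nomem = 0;
    return fake_copyout(stats, user_dst, sizeof(*stats));
}

/* Count pad bytes in the user copy that still carry the stale sentinel. */
static size_t leaked_pad_bytes(const iphtstat_model_t *user_copy)
{
    const unsigned char *p = (const unsigned char *)user_copy->iphs_pad;
    size_t n = 0;
    for (size_t i = 0; i < sizeof(user_copy->iphs_pad); i++)
        if (p[i] == STALE)
            n++;
    return n;
}

/* Run one getter over a poisoned frame and report how many pad bytes leaked. */
static size_t run_variant(int (*getter)(iphtstat_model_t *, void *))
{
    iphtstat_model_t frame;   /* the "kernel stack" object */
    iphtstat_model_t user;    /* the "userland" destination */
    poison_frame(&frame, sizeof(frame));
    memset(&user, 0, sizeof(user));
    getter(&frame, &user);
    return leaked_pad_bytes(&user);
}

int main(void)
{
    printf("leaky: %zu stale bytes reach user space\n", run_variant(stats_get_leaky));
    printf("fixed: %zu stale bytes reach user space\n", run_variant(stats_get_fixed));
    return 0;
}
```

The leaky variant hands all 128 pad bytes of stale frame contents to the caller; the fixed variant hands back zeros. The same reasoning applies to compiler-inserted alignment holes between fields, which a field-by-field initializer does not clear either, so zeroing the whole object (or using a heap allocation with M_ZERO) before copyout is the robust pattern.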

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

cy requested review of this revision. Oct 22 2025, 11:26 PM
This revision is now accepted and ready to land. Oct 22 2025, 11:55 PM

If you haven't tried testing ipf with the GENERIC-KMSAN kernel config, I suggest it: it'll automatically catch bugs of this kind. kmsan.9 has some details.

cy retitled this revision from ipfilter: Plug kernel information leak to ipfilter: Plug ip_htable kernel information leak. Oct 23 2025, 3:21 PM

I'm halfway through creating patches. The reviews I've submitted have been fixed to build. I'll build a KMSAN kernel for the testbed and try the patches I do have here this afternoon.

This revision was automatically updated to reflect the committed changes.