
ipfilter: Plug ip_htable kernel information leak
ClosedPublic

Authored by cy on Wed, Oct 22, 11:26 PM.

Details

Summary

ipf_htable_stats_get() constructs an iphtstat_t on the stack and only
initializes select fields before copying the entire structure to
userland. The trailing padding array iphs_pad[16] is never initialized,
so ~128 bytes of uninitialized kernel stack memory can be leaked to user
space on each call. This is a classic information disclosure
vulnerability that can reveal pointers and other sensitive data.

We fix this by zeroing out the data structure prior to use.

Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com>
MFC after: 1 day
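
The bug shape and the fix, as an added example that is not FreeBSD's code: `struct stat_model` is a simplified, assumed layout standing in for `iphtstat_t`, and `stats_get_leaky`, `stats_get_fixed`, `frame`, `STALE_WORD` and `copyout_model` are names made up for this illustration. A single static `frame` object stands in for the callee's stack slot, and `dirty_frame()` plants pointer-like values in it the way a previous call would, so the leak is reproducible instead of depending on whatever happened to run earlier.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Simplified model of ipfilter's iphtstat_t: a few counters plus a
 * 16-entry spare array. Layout is assumed for illustration, not copied
 * from the FreeBSD header.
 */
struct stat_model {
    void          *tables;
    unsigned long  numtables;
    unsigned long  numnodes;
    unsigned long  nomem;
    unsigned long  pad[16];   /* iphs_pad analogue: never assigned by the getter */
};

/* Constructed value standing in for a stale kernel pointer left on the stack. */
#define STALE_WORD 0xffffffff80a1b2c3UL

/*
 * Stand-in for the stack slot the getter builds its struct in. One static
 * object makes the leftover contents deterministic; on a real stack they
 * depend on whatever code ran before.
 */
static struct stat_model frame;

/* Simulate an earlier call leaving pointer-like garbage in that slot. */
static void dirty_frame(void)
{
    unsigned char *p = (unsigned char *)&frame;
    for (size_t off = 0; off < sizeof frame; off += sizeof(unsigned long)) {
        unsigned long v = STALE_WORD + off;
        memcpy(p + off, &v, sizeof v);
    }
}

/* copyout(9) stand-in: the userland destination is just another buffer here. */
static int copyout_model(const void *kaddr, void *uaddr, size_t len)
{
    memcpy(uaddr, kaddr, len);
    return 0;
}

/* Bug shape: fill selected fields, then copy the whole object out. */
static int stats_get_leaky(struct stat_model *user_dst)
{
    struct stat_model *st = &frame;

    st->tables    = NULL;
    st->numtables = 3;
    st->numnodes  = 42;
    st->nomem     = 0;
    /* st->pad[] untouched: its stale bytes leave with the copy */
    return copyout_model(st, user_dst, sizeof *st);
}

/* Fix shape: clear the whole object before filling fields (bzero() in-kernel). */
static int stats_get_fixed(struct stat_model *user_dst)
{
    struct stat_model *st = &frame;

    memset(st, 0, sizeof *st);
    st->tables    = NULL;
    st->numtables = 3;
    st->numnodes  = 42;
    st->nomem     = 0;
    return copyout_model(st, user_dst, sizeof *st);
}

/* Count pad[] words in a userland copy that still hold the planted pattern. */
static int leaked_pad_words(const struct stat_model *u)
{
    int n = 0;
    for (size_t i = 0; i < 16; i++) {
        unsigned long expect = STALE_WORD + offsetof(struct stat_model, pad)
                               + i * sizeof(unsigned long);
        if (u->pad[i] == expect)
            n++;
    }
    return n;
}

/*
 * Dirty the frame, run a getter, and report how many pad words leaked.
 * Returns -1 if the getter did not deliver the real fields correctly.
 */
static int run_getter(int (*getter)(struct stat_model *))
{
    struct stat_model out;

    dirty_frame();
    if (getter(&out) != 0 || out.numtables != 3 || out.numnodes != 42)
        return -1;
    return leaked_pad_words(&out);
}

int main(void)
{
    printf("leaky getter: %d of 16 pad words carry stale data\n",
           run_getter(stats_get_leaky));
    printf("fixed getter: %d of 16 pad words carry stale data\n",
           run_getter(stats_get_fixed));
    return 0;
}
```

Assigning fields one by one also leaves any compiler-inserted padding between members untouched, and an initializer such as `= { 0 }` is only guaranteed to zero the named members, not the padding bytes; clearing the whole object with memset()/bzero() before filling it covers both cases, which is why that is the conventional kernel fix for this class of bug.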

Diff Detail

Repository
rG FreeBSD src repository

Event Timeline

cy requested review of this revision.Wed, Oct 22, 11:26 PM
This revision is now accepted and ready to land.Wed, Oct 22, 11:55 PM

If you haven't tried testing ipf with the GENERIC-KMSAN kernel config, I suggest it: it'll automatically catch bugs of this kind. kmsan.9 has some details.

cy retitled this revision from ipfilter: Plug kernel information leak to ipfilter: Plug ip_htable kernel information leak.Thu, Oct 23, 3:21 PM

> If you haven't tried testing ipf with the GENERIC-KMSAN kernel config, I suggest it: it'll automatically catch bugs of this kind. kmsan.9 has some details.

I'm half way through creating patches. The reviews I've submitted have been fixed to build. I'll build a KMSAN kernel for the testbed and try the patches I do have here this afternoon.

This revision was automatically updated to reflect the committed changes.