pfsync: Avoid zeroing the state export union
ClosedPublic
Actions

Authored by markj on Dec 10 2025, 3:34 PM.

Details

Reviewers

kp
vegeta_tuxpowered.net

Group Reviewers

cheri

Commits

rGb87f70f695f1: pfsync: Avoid zeroing the state export union
rG0eb81bd89dcb: pfsync: Avoid zeroing the state export union
rG796abca7e281: pfsync: Avoid zeroing the state export union

Summary

pfsync_state_export() takes a pointer to a union that is in reality a
pointer to one of the three state formats (1301, 1400, 1500), and zeros
the union. The three formats do not have the same size, so zeroing is
wrong when the format isn't that which has the largest size.

Refactor a bit so that the zeroing happens at the layer where we know
which format we're dealing with.

Reported by: CHERI

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

markj created this revision.Dec 10 2025, 3:34 PM

Herald added subscribers: vegeta_tuxpowered.net, glebius, melifaro and 3 others. · View Herald TranscriptDec 10 2025, 3:34 PM

markj requested review of this revision.Dec 10 2025, 3:34 PM

Herald added a reviewer: cheri. · View Herald TranscriptDec 10 2025, 3:34 PM

Harbormaster completed remote builds in B69161: Diff 167818.Dec 10 2025, 3:34 PM

jrtc27 added a subscriber: jrtc27.Dec 10 2025, 4:17 PM

jrtc27 added inline comments.

sys/netpfil/pf/pf_ioctl.c
5802	These dereferences are still UB as far as I know, if you're dereferencing a union it must be a pointer to that actual union (with maybe some exceptions based on the layouts of all members?). Perhaps it doesn't trip up CHERI subobject bounds enforcement, but it's still dodgy...

jrtc27 added inline comments.Dec 10 2025, 4:21 PM

sys/netpfil/pf/pf_ioctl.c
5802	(The way you're supposed to do this is have a struct type that is the same as the common prefix, and use that as the type to dereference, then cast to the more specialised types when known to deal with their specific members)

kp added a reviewer: vegeta_tuxpowered.net.Dec 10 2025, 4:21 PM

markj added inline comments.Dec 10 2025, 5:12 PM

sys/netpfil/pf/pf_ioctl.c
5802	Yes, though that's somewhat less severe a bug. These structures are visible to userspace so it'd be a bit painful to factor out common fields into a separate struct without breaking builds. I wonder if it'd be acceptable to use a macro to copy common fields, and just get rid of the common pfsync_state_export()?

jrtc27 added inline comments.Dec 10 2025, 5:14 PM

sys/netpfil/pf/pf_ioctl.c
5802	You don't actually need to use that common structs in the specific structs. There's a carve-out so: struct foo_header { A a; B b; C c; } struct foo_1 { A a; B b; C c; D d; } struct foo_2 { A a; B b; C c; E e; } let you treat foo_1 and foo_2 as a foo_header.