Differential D53274

ipfilter: Plug ip_nat kernel information leak
ClosedPublic
Actions

Authored by cy on Oct 22 2025, 11:26 PM.

Tags

None

Referenced Files

	Unknown Object (File)
	Mon, Dec 1, 2:43 AM

	Unknown Object (File)
	Thu, Nov 27, 6:05 PM

	Unknown Object (File)
	Sun, Nov 23, 8:19 PM

	Unknown Object (File)
	Sat, Nov 22, 5:36 AM

	Unknown Object (File)
	Sat, Nov 22, 1:44 AM

	Unknown Object (File)
	Thu, Nov 20, 12:25 PM

	Unknown Object (File)
	Tue, Nov 18, 1:04 PM

	Unknown Object (File)
	Nov 4 2025, 5:00 PM

View All 34 Files

Subscribers

vegeta_tuxpowered.net

Details

Reviewers

emaste
markj

Commits

rG4260de80f05d: ipfilter: Plug ip_nat kernel information leak
rGd78f36183a26: ipfilter: Plug ip_nat kernel information leak
rGd3b0843d2cec: ipfilter: Plug ip_nat kernel information leak
rG6535e9308a26: ipfilter: Plug ip_nat kernel information leak

Summary

ipf_nat_getent() allocates a variable-sized nat_save_t buffer with
KMALLOCS() (which does not zero memory) and then copies only a subset
of fields into it before returning the object to userland using
ipf_outobjsz(). Because the structure is not fully initialized on all
paths, uninitialized kernel heap bytes can be copied back to user space,
resulting in an information leak.

We fix this by zeroing out the data structure immediately after
allocation.

Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com>
MFC after: 1 day

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 68048
Build 64931: arc lint + arc unit

Event Timeline

cy created this revision.Oct 22 2025, 11:26 PM

Herald added subscribers: vegeta_tuxpowered.net, glebius, melifaro, imp. · View Herald TranscriptOct 22 2025, 11:26 PM

cy requested review of this revision.Oct 22 2025, 11:26 PM

Harbormaster completed remote builds in B68014: Diff 164812.Oct 22 2025, 11:26 PM

emaste accepted this revision.Oct 22 2025, 11:57 PM

This revision is now accepted and ready to land.Oct 22 2025, 11:57 PM

markj added inline comments.Oct 23 2025, 1:14 PM

sys/netpfil/ipfilter/netinet/ip_nat.c
1770	This should be done after the null check.

cy added inline comments.Oct 23 2025, 3:17 PM

sys/netpfil/ipfilter/netinet/ip_nat.c
1770	Geez. Stupid. Teaches me to rush through things.

cy retitled this revision from ipfilter: Plug kernel information leak to ipfilter: Plug ip_nat kernel information leak.Oct 23 2025, 3:21 PM

Fix stupid mistake.

This revision now requires review to proceed.Oct 23 2025, 3:22 PM

Harbormaster completed remote builds in B68048: Diff 164884.Oct 23 2025, 3:22 PM

markj accepted this revision.Oct 23 2025, 3:35 PM

This revision is now accepted and ready to land.Oct 23 2025, 3:35 PM

emaste accepted this revision.Oct 23 2025, 3:57 PM

Closed by commit rG6535e9308a26: ipfilter: Plug ip_nat kernel information leak (authored by cy). · Explain WhyOct 23 2025, 10:57 PM

This revision was automatically updated to reflect the committed changes.

cy added a commit: rG6535e9308a26: ipfilter: Plug ip_nat kernel information leak.

cy added a commit: rGd3b0843d2cec: ipfilter: Plug ip_nat kernel information leak.Oct 26 2025, 3:14 AM

cy added a commit: rGd78f36183a26: ipfilter: Plug ip_nat kernel information leak.

cy added a commit: rG4260de80f05d: ipfilter: Plug ip_nat kernel information leak.

Revision Contents
Changeset List

Path

Size

sys/

netpfil/

ipfilter/

netinet/

1 line

Diff 164884

sys/netpfil/ipfilter/netinet/ip_nat.c

Loading...