Page MenuHomeFreeBSD

Fix possible use after free due to deletion security policy
ClosedPublic

Authored by ae on Apr 18 2015, 5:11 PM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, Jan 8, 4:15 AM
Unknown Object (File)
Nov 25 2024, 3:14 PM
Unknown Object (File)
Nov 16 2024, 5:53 AM
Unknown Object (File)
Nov 1 2024, 5:27 PM
Unknown Object (File)
Oct 22 2024, 1:55 PM
Unknown Object (File)
Oct 7 2024, 1:10 AM
Unknown Object (File)
Oct 5 2024, 4:17 AM
Unknown Object (File)
Sep 28 2024, 9:12 PM
Subscribers

Details

Reviewers
ae
Group Reviewers
network
Summary
When IPSec takes mbuf for processing, it passes it to the crypto(9)
subsystem via crypto_dispatch(). Then crypto(9) subsystem via callback
calls ipsec_process_done(). In the time when we are processing mbuf
in the crypto(9) subsystem, user can delete security policy. This
leads to freeing ipsec requests and when crypto(9) system will call
callback function, it will do access to already freed memory.

To protect from this we will keep reference to used security
policy until crypto(9) subsystem finishes the work. And then it will
release reference to security policy.

Now we don't release reference to SP after calling ipsec[46]_process_packet().
But when it returns error, we should release reference to SP, because
no requests were queued to crypto(9).

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
No Lint Coverage
Unit
No Test Coverage

Event Timeline

ae retitled this revision from to Fix possible use after free due to deletion security policy.
ae updated this object.
ae edited the test plan for this revision. (Show Details)
ae added a reviewer: network.

Take additional reference to SP when we handle bundled SA.

I should note, that currently IPSec+crypto(9) does deferred processing only for crypto drivers without CRYPTOCAP_F_SYNC capability. This means that described problem only can be triggered with via_padlock.

We should take additional reference to SP before processing bundled SA,
because it can be handled synchronously and last reference will be freed
in callback function before we return back.

ae added a reviewer: ae.
This revision is now accepted and ready to land.Apr 27 2015, 1:00 AM

Committed in r282046.