kgess-mirror/freebsd-src
1
0
Fork 0
mirror of https://git.freebsd.org/src.git synced 2026-01-16 23:02:24 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

ipfilter: Plug ip_htable kernel information leak

Browse source 
ipf_htable_stats_get() constructs an iphtstat_t on the stack and only
initializes select fields before copying the entire structure to
userland. The trailing padding array iphs_pad[16] is never initialized,
so ~128 bytes of uninitialized kernel stack memory can be leaked to user
space on each call. This is a classic information disclosure
vulnerability that can reveal pointers and other sensitive data.

We fix this by zeroing out the data structure prior to use.

Reported by:		Ilja Van Sprundel <ivansprundel@ioactive.com>
Reviewed by:		emaste
MFC after:		3 days
Differential revision:	https://reviews.freebsd.org/D53275
This commit is contained in:
Cy Schubert 2025-10-22 09:29:03 -07:00
parent 6535e9308a
commit 0d589ecbc7
1 changed files with 2 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
sys/netpfil/ipfilter/netinet/ip_htable.c
View file

@ -230,6 +230,8 @@ ipf_htable_stats_get(ipf_main_softc_t *softc, void *arg, iplookupop_t *op)
return (EINVAL);
}
bzero(&stats, sizeof(stats));
stats.iphs_tables = softh->ipf_htables[op->iplo_unit + 1];
stats.iphs_numtables = softh->ipf_nhtables[op->iplo_unit + 1];
stats.iphs_numnodes = softh->ipf_nhtnodes[op->iplo_unit + 1];