From: Maxime Villard
To: freebsd-net@freebsd.org
Subject: remote use-after-free in icmp6
Date: Wed, 28 Oct 2020 19:34:34 +0100
Message-ID: <0d6f3bc8-d727-892b-be8e-947c9dfddc24@m00nbsd.net>
List-Id: Networking and TCP/IP with FreeBSD

In icmp6_notify_error(), 'finaldst' points to data within an mbuf, but when iterating over the next IPv6 options the kernel can free that mbuf, meaning the dereferences of 'finaldst' hit a freed buffer. Note that this is triggerable without specific conditions, over just ICMPv6.

Maxime
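To illustrate the pattern described in the report, here is an added C example that is not part of the message or of the FreeBSD source: a toy `mbuf` whose `pullup()` stand-in reallocates the buffer the way the option walk can, with the dangling-pointer variant beside the copy-first fix. All names (`pullup`, `finaldst_stale`, `finaldst_copy`, `finaldst_via`) and the 40-byte header are constructed for the demo; the old buffer is poisoned and leaked rather than freed so the stale read is observable instead of undefined behaviour.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct in6_addr { uint8_t s6_addr[16]; };   /* stand-in for the kernel type */
struct mbuf { uint8_t *data; size_t len; }; /* stand-in: one contiguous buffer */

/*
 * Stand-in for the m_pullup()-style helpers run while walking extension
 * headers: the packet moves to a new buffer and the old one is released
 * (here: poisoned and leaked, so the stale read below stays well-defined).
 */
static void pullup(struct mbuf *m)
{
    uint8_t *fresh = malloc(m->len);
    memcpy(fresh, m->data, m->len);
    memset(m->data, 0xAA, m->len);          /* what "freed" memory looks like here */
    m->data = fresh;
}

/* Vulnerable pattern: a pointer into the mbuf is kept across the walk. */
static void finaldst_stale(struct mbuf *m, size_t off, struct in6_addr *out)
{
    const struct in6_addr *finaldst = (const struct in6_addr *)(m->data + off);
    pullup(m);                              /* mbuf reallocated here */
    memcpy(out, finaldst, sizeof *out);     /* reads the released buffer */
}

/* Hardened pattern: snapshot the address before anything can free the mbuf. */
static void finaldst_copy(struct mbuf *m, size_t off, struct in6_addr *out)
{
    struct in6_addr finaldst;
    memcpy(&finaldst, m->data + off, sizeof finaldst);
    pullup(m);
    *out = finaldst;                        /* independent of the mbuf's lifetime */
}

/* Builds a constructed 40-byte IPv6 header (dst 2001:db8::1 at offset 24),
 * runs one variant over it and returns byte idx of the recovered address. */
static int finaldst_via(int hardened, int idx)
{
    static const uint8_t dst[16] = {0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,1};
    struct mbuf m = { calloc(1, 40), 40 };
    struct in6_addr got;
    memcpy(m.data + 24, dst, sizeof dst);
    (hardened ? finaldst_copy : finaldst_stale)(&m, 24, &got);
    free(m.data);
    return got.s6_addr[idx];
}
```

The stale variant hands back poison bytes (0xAA) where the address used to be, while the copy-first variant returns 2001:db8::1 regardless of what the walk did to the chain.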