From: Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
To: freebsd-net@freebsd.org
Subject: Re: remote use-after-free in icmp6
Date: Tue, 10 Nov 2020 17:59:02 +0100
Message-ID: <84b8f8d0-9add-159a-a119-f602ed873c9a@plan-b.pwste.edu.pl>
References: <0d6f3bc8-d727-892b-be8e-947c9dfddc24@m00nbsd.net> <5142321603916685@mail.yandex.ru> <3581301603916797@mail.yandex.ru>
List-Id: Networking and TCP/IP with FreeBSD

On 05.11.2020 at 01:41, mike tancsa wrote:
> Hi,
>
>     Is this an issue in HEAD only? Or is it something that needs to be
> MFC'd?
>
>     ---Mike

It has been MFCed to 12-STABLE with r367402[1]. What about 11-STABLE
users? Should they be worried about missing MFC as well or ignore the
issue as non-exploitable on their systems?

[1] https://lists.freebsd.org/pipermail/svn-src-all/2020-November/204977.html

-- 
Marek Zarychta

>
> On 10/28/2020 4:27 PM, Alexander V. Chernikov wrote:
>> 28.10.2020, 20:25, "Alexander V. Chernikov" :
>>> 28.10.2020, 18:34, "Maxime Villard" :
>>>> In icmp6_notify_error(), 'finaldst' points to data within an mbuf, but when
>>>> iterating over the next IPv6 options the kernel can free that mbuf, meaning
>>>> the dereferences of 'finaldst' hit a freed buffer.
>> [sorry for reposting, plaintext this time]
>>> Fixed in r367114, thanks for reporting!
>>>> Note that this is triggerable without specific conditions, over just ICMPv6.
>>>>
>>>> Maxime
>>>> _______________________________________________
>>>> freebsd-net@freebsd.org mailing list
>>>> https://lists.freebsd.org/mailman/listinfo/freebsd-net
>>>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>>
>
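As an added illustration of the bug class Maxime describes (constructed here; it is neither FreeBSD kernel code nor the r367114 change), a pointer into an mbuf kept across an option walk that can replace the mbuf, beside the copy-out pattern that avoids the stale read. The packet layout, option codes, `sim_pullup` and the static pool are assumptions of the simulation.

```c
#include <stdint.h>
#include <string.h>
/* Constructed stand-in for an mbuf: a slot in a static pool, so a read through a stale pointer is observable without real undefined behaviour. */
struct sim_mbuf { uint8_t data[32]; };
static struct sim_mbuf pool[2];
enum { OPT_PAD = 0, OPT_PULLUP = 1, OPT_END = 0xff };   /* constructed option codes */

/* Stands in for m_pullup(): data moves to a fresh mbuf and the old one is released and poisoned, as a debug allocator would. */
static struct sim_mbuf *sim_pullup(struct sim_mbuf *m) {
    struct sim_mbuf *n = (m == &pool[0]) ? &pool[1] : &pool[0];
    memcpy(n->data, m->data, sizeof n->data);
    memset(m->data, 0xdd, sizeof m->data);
    return n;
}

/* Constructed packet: a 16-byte final destination followed by one-byte options. */
static struct sim_mbuf *build_packet(void) {
    memset(pool, 0, sizeof pool);
    struct sim_mbuf *m = &pool[0];
    for (int i = 0; i < 16; i++) m->data[i] = (uint8_t)(0x20 + i);
    m->data[16] = OPT_PAD; m->data[17] = OPT_PULLUP;
    m->data[18] = OPT_PAD; m->data[19] = OPT_END;
    return m;
}

/* Returns 1 if 'a' still holds the address build_packet() wrote, else 0. */
int addr_intact(const uint8_t a[16]) {
    for (int i = 0; i < 16; i++) if (a[i] != (uint8_t)(0x20 + i)) return 0;
    return 1;
}

/* Buggy pattern: a pointer into the mbuf outlives an option walk that can replace the mbuf, so the final read goes through the released slot. */
int walk_unsafe(uint8_t out[16]) {
    struct sim_mbuf *m = build_packet();
    const uint8_t *finaldst = m->data;                 /* points into the first mbuf */
    for (int off = 16; m->data[off] != OPT_END; off++)
        if (m->data[off] == OPT_PULLUP) m = sim_pullup(m);
    memcpy(out, finaldst, 16);                         /* stale: that slot is now poisoned */
    return addr_intact(out);
}

/* Hardened pattern: snapshot the value before anything that may reallocate the mbuf and use only the local copy afterwards. */
int walk_safe(uint8_t out[16]) {
    struct sim_mbuf *m = build_packet();
    uint8_t finaldst[16];
    memcpy(finaldst, m->data, sizeof finaldst);
    for (int off = 16; m->data[off] != OPT_END; off++)
        if (m->data[off] == OPT_PULLUP) m = sim_pullup(m);
    memcpy(out, finaldst, 16);
    return addr_intact(out);
}
```

In a real kernel the stale read is undefined behaviour rather than a predictable 0xdd pattern, which is why such bugs typically surface only under a poisoning allocator or a sanitizer.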