From: Alexander V. Chernikov <melifaro@ipfw.ru>
To: Maxime Villard, freebsd-net@freebsd.org
Subject: Re: remote use-after-free in icmp6
Date: Wed, 28 Oct 2020 20:27:22 +0000
Message-Id: <3581301603916797@mail.yandex.ru>
In-Reply-To: <5142321603916685@mail.yandex.ru>
References: <0d6f3bc8-d727-892b-be8e-947c9dfddc24@m00nbsd.net> <5142321603916685@mail.yandex.ru>
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net@freebsd.org>

28.10.2020, 20:25, "Alexander V. Chernikov":
> 28.10.2020, 18:34, "Maxime Villard":
>> In icmp6_notify_error(), 'finaldst' points to data within an mbuf, but when
>> iterating over the next IPv6 options the kernel can free that mbuf, meaning
>> the dereferences of 'finaldst' hit a freed buffer.

[sorry for reposting, plaintext this time]

> Fixed in r367114, thanks for reporting!

>> Note that this is triggerable without specific conditions, over just ICMPv6.
>>
>> Maxime
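The bug class described in the quoted report, as an added illustrative example that is not FreeBSD's icmp6.c, the r367114 change, or anything Maxime or Alexander posted: a constructed toy mbuf model in which a pointer into an mbuf is held across a header walk that can free or replace that mbuf (the vulnerable shape), next to the copy-out pattern that removes the hazard (the hardened shape). The `toy_*` names, the pool allocator, the option layout and the sample packet are all assumptions made up for this demo; the toy "pullup" always moves the data so the dangling-pointer condition is reached deterministically rather than only when a prefix is non-contiguous, and it records the free in a flag instead of dereferencing released storage.

```c
/* Added illustrative example, not FreeBSD's icmp6.c: a constructed toy mbuf
 * model of the bug class in the report (a pointer into an mbuf held across a
 * call that may free that mbuf) beside the copy-out pattern that avoids it.
 * All toy_* names and the packet layout are made up for this demo. */
#include <stdint.h>
#include <string.h>
#define TOY_ADDR_LEN  16    /* size of an IPv6 address */
#define TOY_POOL_SIZE 8

/* Toy mbuf: buffer plus a "freed" flag. Buffers come from a static pool and are
 * never really released (keeps the demo well-defined); the flag records what a
 * real m_free() would have done. */
struct toy_mbuf { uint8_t data[256]; size_t len; int freed; };
enum { TOY_OK = 0, TOY_UAF_DETECTED = -1, TOY_BAD_PKT = -2 };
static struct toy_mbuf toy_pool[TOY_POOL_SIZE];
static int toy_pool_next;

/* Stand-in for m_pullup(): moves the data into a fresh mbuf and marks the old
 * one freed. The real call only does this when the prefix is not contiguous;
 * the toy always moves so the hazard shows up deterministically. */
static struct toy_mbuf *toy_pullup(struct toy_mbuf *m, size_t need)
{
    m->freed = 1;                                  /* old mbuf is gone */
    if (m->len < need || toy_pool_next >= TOY_POOL_SIZE)
        return NULL;                               /* packet dropped */
    struct toy_mbuf *n = &toy_pool[toy_pool_next++];
    memcpy(n->data, m->data, m->len);
    n->len = m->len; n->freed = 0;
    return n;
}

/* Walk the option chain [type, len, payload...] that follows the address,
 * pulling up each header, until the upper-layer marker 0xFF. */
static struct toy_mbuf *toy_walk_options(struct toy_mbuf *m)
{
    size_t off = TOY_ADDR_LEN;
    for (;;) {
        if ((m = toy_pullup(m, off + 2)) == NULL)
            return NULL;
        if (m->data[off] == 0xFF)
            return m;
        off += 2 + m->data[off + 1];
    }
}

/* VULNERABLE pattern: finaldst points into the caller's mbuf, which the walk
 * replaces. Instead of touching freed storage, the demo consults the owner's
 * freed flag and reports the hazard. */
static int notify_error_vulnerable(struct toy_mbuf *m, uint8_t out[TOY_ADDR_LEN])
{
    struct toy_mbuf *owner = m;
    const uint8_t *finaldst = m->data;             /* lifetime tied to owner */
    if (toy_walk_options(m) == NULL)
        return TOY_BAD_PKT;
    if (owner->freed)
        return TOY_UAF_DETECTED;                   /* finaldst is dangling */
    memcpy(out, finaldst, TOY_ADDR_LEN);
    return TOY_OK;
}

/* HARDENED pattern: copy the address out before anything can free the mbuf,
 * so no pointer into mbuf storage survives the option walk. */
static int notify_error_hardened(struct toy_mbuf *m, uint8_t out[TOY_ADDR_LEN])
{
    uint8_t finaldst[TOY_ADDR_LEN];
    memcpy(finaldst, m->data, TOY_ADDR_LEN);
    if (toy_walk_options(m) == NULL)
        return TOY_BAD_PKT;
    memcpy(out, finaldst, TOY_ADDR_LEN);
    return TOY_OK;
}

/* Constructed sample packet: 16-byte address filled with `fill`, two options,
 * then the upper-layer marker. Also resets the pool for a fresh run. */
static void toy_build_packet(struct toy_mbuf *m, uint8_t fill)
{
    static const uint8_t opts[] = {
        0x00, 0x04, 1, 2, 3, 4,     /* option type 0, 4-byte payload */
        0x2b, 0x02, 5, 6,           /* option type 0x2b, 2-byte payload */
        0xFF, 0x00                  /* upper-layer marker: stop walking */
    };
    memset(m, 0, sizeof(*m));
    memset(m->data, fill, TOY_ADDR_LEN);
    memcpy(m->data + TOY_ADDR_LEN, opts, sizeof(opts));
    m->len = TOY_ADDR_LEN + sizeof(opts);
    toy_pool_next = 0;
}

/* Run one scenario on a fresh packet and return its status; on success the
 * recovered address must be the one that was in the packet (all 0xAB). */
int toy_run(int hardened)
{
    struct toy_mbuf m;
    uint8_t out[TOY_ADDR_LEN];
    toy_build_packet(&m, 0xAB);
    int rc = hardened ? notify_error_hardened(&m, out) : notify_error_vulnerable(&m, out);
    for (int i = 0; rc == TOY_OK && i < TOY_ADDR_LEN; i++)
        if (out[i] != 0xAB) return TOY_BAD_PKT;
    return rc;
}
```

`toy_run(0)` exercises the vulnerable shape and comes back with `TOY_UAF_DETECTED`, because the mbuf that `finaldst` pointed into was retired by the first pull-up in the walk; `toy_run(1)` exercises the hardened shape and returns `TOY_OK` with the original address intact. The design point is the one the report makes: any pointer into packet storage is only valid until the next call that may reallocate or free that storage, so values needed after such a call are copied into stack or caller-owned memory first (or, equivalently, re-derived from the mbuf the walk actually returns), and a sanitizer or a kernel with memory-debugging enabled would flag the vulnerable shape at the point of dereference.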