Date: Thu, 23 Oct 2025 22:56:41 GMT From: Cy Schubert <cy@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: 6535e9308a26 - main - ipfilter: Plug ip_nat kernel information leak Message-ID: <202510232256.59NMufOn049899@gitrepo.freebsd.org>
index | next in thread | raw e-mail
The branch main has been updated by cy: URL: https://cgit.FreeBSD.org/src/commit/?id=6535e9308a26e17023831fe68fb71d2febf2a002 commit 6535e9308a26e17023831fe68fb71d2febf2a002 Author: Cy Schubert <cy@FreeBSD.org> AuthorDate: 2025-10-22 15:59:26 +0000 Commit: Cy Schubert <cy@FreeBSD.org> CommitDate: 2025-10-23 22:56:28 +0000 ipfilter: Plug ip_nat kernel information leak ipf_nat_getent() allocates a variable-sized nat_save_t buffer with KMALLOCS() (which does not zero memory) and then copies only a subset of fields into it before returning the object to userland using ipf_outobjsz(). Because the structure is not fully initialized on all paths, uninitialized kernel heap bytes can be copied back to user space, resulting in an information leak. We fix this by zeroing out the data structure immediately after allocation. Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com> Reviewed by: emaste MFC after: 3 days Differential revision: https://reviews.freebsd.org/D53274 --- sys/netpfil/ipfilter/netinet/ip_nat.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sys/netpfil/ipfilter/netinet/ip_nat.c b/sys/netpfil/ipfilter/netinet/ip_nat.c index 972511f43bd5..53c180cdfbca 100644 --- a/sys/netpfil/ipfilter/netinet/ip_nat.c +++ b/sys/netpfil/ipfilter/netinet/ip_nat.c @@ -1771,6 +1771,7 @@ ipf_nat_getent(ipf_main_softc_t *softc, caddr_t data, int getlock) IPFERROR(60029); return (ENOMEM); } + bzero(ipn, ipns.ipn_dsize); if (getlock) { READ_ENTER(&softc->ipf_nat);home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202510232256.59NMufOn049899>