From: Cy Schubert
To: Cy Schubert
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r316809 - head/sys/contrib/ipfilter/netinet
In-Reply-To: Message from Cy Schubert of "Fri, 14 Apr 2017 03:54:36 -0000." <201704140354.v3E3sawZ005932@repo.freebsd.org>
Date: Thu, 13 Apr 2017 21:06:19 -0700
Message-Id: <201704140406.v3E46JOb017269@slippy.cwsent.com>

In message <201704140354.v3E3sawZ005932@repo.freebsd.org>, Cy Schubert writes:
> Author: cy
> Date: Fri Apr 14 03:54:36 2017
> New Revision: 316809
> URL: https://svnweb.freebsd.org/changeset/base/316809
>
> Log:
>   Fix a use after free panic in ipfilter's fragment processing.
>   Memory is malloc'd, then a search for a match in the fragment table
>   is made and if the fragment matches, the wrong fragment table is
>   freed, causing a use after free panic. This commit fixes this.
>
>   A symptom of the problem is a kernel page fault in bcopy() called by
>   ipf_frag_lookup() at line 715 in ip_frag.c. Another symptom is a
>   kernel page fault in ipf_frag_delete() when called by ipf_frag_expire()
>   via ipf_slowtimer().
>
>   MFC after:	1 week
>
> Modified:
>   head/sys/contrib/ipfilter/netinet/ip_frag.c
>
> Modified: head/sys/contrib/ipfilter/netinet/ip_frag.c
> ==============================================================================
> --- head/sys/contrib/ipfilter/netinet/ip_frag.c	Fri Apr 14 03:23:03 2017	(r316808)
> +++ head/sys/contrib/ipfilter/netinet/ip_frag.c	Fri Apr 14 03:54:36 2017	(r316809)
> @@ -474,7 +474,7 @@ ipfr_frag_new(softc, softf, fin, pass, t
>  		  IPFR_CMPSZ)) {
>  		RWLOCK_EXIT(lock);
>  		FBUMPD(ifs_exists);
> -		KFREE(fra);
> +		KFREE(fran);
>  		return NULL;
>  	}
>

It's surprising how few people/sites have encountered this panic. I only encounter this problem on the ShawOpen network anywhere in Edmonton, AB, Canada. However, all other networks, including ShawOpen networks in other cities in Canada, don't pass fragments that cause this panic, which by looking at the code should happen frequently.

There is a similar panic, with a sometimes similar backtrace to the panics I experienced in FreeBSD, documented in NetBSD-7.

-- 
Cheers,
Cy Schubert
FreeBSD UNIX:    Web:  http://www.FreeBSD.org

The need of the many outweighs the greed of the few.
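Review bot: The one-token change in the ifs_exists early-return of ipfr_frag_new() is the right fix but deserves a comment, because `fra` and `fran` differ by one letter and the path is easy to get wrong again. From the context lines, this branch runs when the IPFR_CMPSZ comparison finds an entry already in the fragment table: `fra` is that existing, still-linked entry, and `fran` is the fresh allocation the log describes, so releasing `fra` left the table pointing at freed memory, which is the bcopy()/ipf_frag_delete() page fault in the log. Suggest a line above the free such as `/* duplicate: keep fra (in table), drop our new fran */` so the ownership rule is visible at the point where it matters, and a quick check that every other early return in ipfr_frag_new() after the allocation also frees `fran` and nothing else.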
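The allocate-then-search pattern the commit log describes, as an added illustration that is not ipfilter code: the candidate entry is allocated before the table is searched, and on a match only that candidate may be freed, since the matching entry is still linked into the table. All names here (frag_entry, frag_table, frag_lookup, frag_new, FRAG_CMPSZ) are hypothetical stand-ins for the ip_frag.c ones.

```c
/* Added example, not ipfilter code: the ownership rule r316809 restores.
 * All names are hypothetical; FRAG_CMPSZ stands in for IPFR_CMPSZ. */
#include <stdlib.h>
#include <string.h>
#define FRAG_CMPSZ 8      /* constructed key layout: bytes of src, dst, ip id */
#define FRAG_BUCKETS 4
struct frag_entry {
	unsigned char key[FRAG_CMPSZ];
	struct frag_entry *next;
};
struct frag_table {
	struct frag_entry *bucket[FRAG_BUCKETS];
	unsigned exists;  /* counts duplicate inserts, like ifs_exists */
};
static unsigned frag_hash(const unsigned char *key)
{
	unsigned h = 0;
	for (int i = 0; i < FRAG_CMPSZ; i++)
		h = h * 31 + key[i];
	return h % FRAG_BUCKETS;
}
struct frag_entry *frag_lookup(struct frag_table *t, const unsigned char *key)
{
	for (struct frag_entry *fra = t->bucket[frag_hash(key)]; fra; fra = fra->next)
		if (memcmp(fra->key, key, FRAG_CMPSZ) == 0)
			return fra;
	return NULL;
}
/* Allocate the candidate first, then search.  On a match the table entry
 * (fra) stays linked and only the candidate (fran) is released; freeing
 * fra instead is the pre-r316809 bug: the table keeps a dangling pointer
 * that a later lookup or expiry dereferences. */
struct frag_entry *frag_new(struct frag_table *t, const unsigned char *key)
{
	struct frag_entry *fran = calloc(1, sizeof *fran);
	if (fran == NULL) return NULL;
	memcpy(fran->key, key, FRAG_CMPSZ);
	if (frag_lookup(t, key) != NULL) {
		t->exists++;
		free(fran);   /* KFREE(fran), not KFREE(fra) */
		return NULL;  /* duplicate, as ipfr_frag_new() reports it */
	}
	unsigned idx = frag_hash(key);
	fran->next = t->bucket[idx];
	t->bucket[idx] = fran;
	return fran;
}
```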