From owner-svn-src-all@freebsd.org Fri Dec 2 06:16:00 2016 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id C7A12C5EF25; Fri, 2 Dec 2016 06:16:00 +0000 (UTC) (envelope-from marcel@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 9736E1873; Fri, 2 Dec 2016 06:16:00 +0000 (UTC) (envelope-from marcel@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uB26Fxem049432; Fri, 2 Dec 2016 06:15:59 GMT (envelope-from marcel@FreeBSD.org) Received: (from marcel@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uB26Fxs1049431; Fri, 2 Dec 2016 06:15:59 GMT (envelope-from marcel@FreeBSD.org) Message-Id: <201612020615.uB26Fxs1049431@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: marcel set sender to marcel@FreeBSD.org using -f From: Marcel Moolenaar Date: Fri, 2 Dec 2016 06:15:59 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r309394 - head/sys/netpfil/pf X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Dec 2016 06:16:00 -0000 Author: marcel Date: Fri Dec 2 06:15:59 2016 New Revision: 309394 URL: https://svnweb.freebsd.org/changeset/base/309394 Log: Fix use-after-free bugs in pfsync(4) Use after free happens for state that is deleted. The reference count is what prevents the state from being freed. When the state is dequeued, the reference count is dropped and the memory freed. We can't dereference the next pointer or re-queue the state. MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D8671 Modified: head/sys/netpfil/pf/if_pfsync.c Modified: head/sys/netpfil/pf/if_pfsync.c ============================================================================== --- head/sys/netpfil/pf/if_pfsync.c Fri Dec 2 06:07:27 2016 (r309393) +++ head/sys/netpfil/pf/if_pfsync.c Fri Dec 2 06:15:59 2016 (r309394) @@ -1509,7 +1509,7 @@ pfsync_sendout(int schedswi) struct ip *ip; struct pfsync_header *ph; struct pfsync_subheader *subh; - struct pf_state *st; + struct pf_state *st, *st_next; struct pfsync_upd_req_item *ur; int offset; int q, count = 0; @@ -1559,7 +1559,7 @@ pfsync_sendout(int schedswi) offset += sizeof(*subh); count = 0; - TAILQ_FOREACH(st, &sc->sc_qs[q], sync_list) { + TAILQ_FOREACH_SAFE(st, &sc->sc_qs[q], sync_list, st_next) { KASSERT(st->sync_state == q, ("%s: st->sync_state == q", __func__)); @@ -1931,6 +1931,8 @@ pfsync_delete_state(struct pf_state *st) if (sc->sc_len == PFSYNC_MINPKT) callout_reset(&sc->sc_tmo, 1 * hz, pfsync_timeout, V_pfsyncif); + pf_ref_state(st); + switch (st->sync_state) { case PFSYNC_S_INS: /* We never got to tell the world so just forget about it. */ @@ -1950,6 +1952,9 @@ pfsync_delete_state(struct pf_state *st) default: panic("%s: unexpected sync state %d", __func__, st->sync_state); } + + pf_release_state(st); + PFSYNC_UNLOCK(sc); }