Date: Sun, 26 Oct 2025 03:15:29 GMT From: Cy Schubert <cy@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: 4260de80f05d - stable/13 - ipfilter: Plug ip_nat kernel information leak Message-ID: <202510260315.59Q3FT28064167@gitrepo.freebsd.org>
index | next in thread | raw e-mail
The branch stable/13 has been updated by cy: URL: https://cgit.FreeBSD.org/src/commit/?id=4260de80f05d0e04d4f978f40ae2cfbddf9b47dd commit 4260de80f05d0e04d4f978f40ae2cfbddf9b47dd Author: Cy Schubert <cy@FreeBSD.org> AuthorDate: 2025-10-22 15:59:26 +0000 Commit: Cy Schubert <cy@FreeBSD.org> CommitDate: 2025-10-26 03:15:13 +0000 ipfilter: Plug ip_nat kernel information leak ipf_nat_getent() allocates a variable-sized nat_save_t buffer with KMALLOCS() (which does not zero memory) and then copies only a subset of fields into it before returning the object to userland using ipf_outobjsz(). Because the structure is not fully initialized on all paths, uninitialized kernel heap bytes can be copied back to user space, resulting in an information leak. We fix this by zeroing out the data structure immediately after allocation. Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com> Reviewed by: emaste Differential revision: https://reviews.freebsd.org/D53274 (cherry picked from commit 6535e9308a26e17023831fe68fb71d2febf2a002) --- sys/netpfil/ipfilter/netinet/ip_nat.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sys/netpfil/ipfilter/netinet/ip_nat.c b/sys/netpfil/ipfilter/netinet/ip_nat.c index 35b18575ac6f..8b343acf1211 100644 --- a/sys/netpfil/ipfilter/netinet/ip_nat.c +++ b/sys/netpfil/ipfilter/netinet/ip_nat.c @@ -1775,6 +1775,7 @@ ipf_nat_getent(ipf_main_softc_t *softc, caddr_t data, int getlock) IPFERROR(60029); return (ENOMEM); } + bzero(ipn, ipns.ipn_dsize); if (getlock) { READ_ENTER(&softc->ipf_nat);home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202510260315.59Q3FT28064167>