Date: Fri, 17 Jan 2025 16:02:15 GMT
Message-Id: <202501171602.50HG2FlB065791@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: 7f846fc0e7ce - main - pf tests: reproduce use-after-free in fragment reassembly
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 7f846fc0e7ce30c80e3265c957a138d7192af397

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=7f846fc0e7ce30c80e3265c957a138d7192af397

commit 7f846fc0e7ce30c80e3265c957a138d7192af397
Author:     Kristof Provost
AuthorDate: 2025-01-06 10:48:40 +0000
Commit:     Kristof Provost
CommitDate: 2025-01-17 16:00:41 +0000

    pf tests: reproduce use-after-free in fragment reassembly

    Produce an IPv6 packet that's longer than 65535 bytes so it'll get
    dropped in pf_reassemble6(). This can then cause pf_normalize_ip6() to
    return an error, which led pf_setup_pdesc() to fail to update *m0,
    eventually ending up with pf_scrub() attempting to modify *m0 (now
    different from pd->m), a freed mbuf.

    This does depend on pf_join_fragment()'s call to m_cat() freeing the
    relevant mbuf rather than adding it to the chain. Accomplish this by
    ensuring there's sufficient free space, by having dummymbuf re-allocate
    larger mbufs for our fragments.

    PR:             283705
    Reported by:    Yichen Chai, Zhuo Ying Jiang Li
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 tests/sys/netpfil/pf/frag6.py | 40 ++++++++++++++++++++++++++++++++++++++--
 1 file changed, 38 insertions(+), 2 deletions(-)

diff --git a/tests/sys/netpfil/pf/frag6.py b/tests/sys/netpfil/pf/frag6.py
index f54381fba8cb..f274fc28a3bf 100644
--- a/tests/sys/netpfil/pf/frag6.py
+++ b/tests/sys/netpfil/pf/frag6.py @@ -2,6 +2,7 @@ import pytest import logging import threading import time +import random logging.getLogger("scapy").setLevel(logging.CRITICAL) from atf_python.sys.net.tools import ToolsHelper from atf_python.sys.net.vnet import VnetTestTemplate @@ -19,7 +20,7 @@ class DelayedSend(threading.Thread): sp.send(self._packet) class TestFrag6(VnetTestTemplate): - REQUIRED_MODULES = ["pf"] + REQUIRED_MODULES = ["pf", "dummymbuf"] TOPOLOGY = { "vnet1": {"ifaces": ["if1"]}, "vnet2": {"ifaces": ["if1"]}, @@ -27,12 +28,15 @@ class TestFrag6(VnetTestTemplate): } def vnet2_handler(self, vnet): + ifname = vnet.iface_alias_map["if1"].name ToolsHelper.print_output("/sbin/pfctl -e") ToolsHelper.pf_rules([ - "scrub fragment reassemble", + "scrub fragment reassemble min-ttl 10", "pass", "block in inet6 proto icmp6 icmp6-type echoreq", ]) + ToolsHelper.print_output("/sbin/pfilctl link -i dummymbuf:inet6 inet6") + ToolsHelper.print_output("/sbin/sysctl net.dummymbuf.rules=\"inet6 in %s enlarge 3000;\"" % ifname) def check_ping_reply(self, packet): print(packet) 
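Review bot: the change from `scrub fragment reassemble` to `scrub fragment reassemble min-ttl 10` in vnet2_handler is explained neither in the code nor in the commit message; if the min-ttl option is what makes pf_scrub() actually write to the packet (and so to the freed mbuf the commit message describes), a one-line comment beside the rule would keep a later cleanup from dropping it as unrelated. Note also that the `pfilctl link -i dummymbuf:inet6 inet6` hook and the `net.dummymbuf.rules="inet6 in <if> enlarge 3000;"` sysctl are installed in vnet2_handler, so every test in TestFrag6, not only the new test_overlong, now runs with enlarged mbufs; if that is intentional say so in the handler, otherwise consider scoping the dummymbuf setup to the new test.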
@@ -59,6 +63,38 @@ class TestFrag6(VnetTestTemplate): for p in packets: assert not p.getlayer(sp.ICMPv6EchoReply) + @pytest.mark.require_user("root") + def test_overlong(self): + "Test overly long fragmented packet" + + # Import in the correct vnet, so at to not confuse Scapy + import scapy.all as sp + + curr = 0 + pkts = [] + + frag_id = random.randint(0,0xffffffff) + gran = 1200 + + i = 0 + while curr <= 65535: + ipv61 = sp.IPv6(src="2001:db8::1", dst="2001:db8::2") + more = True + g = gran + if curr + gran > 65535: + more = False + g = 65530 - curr + if i == 0: + pkt = ipv61 / sp.IPv6ExtHdrHopByHop(options=[sp.PadN(optlen=2), sp.Pad1()]) / \ + sp.IPv6ExtHdrFragment(id = frag_id, offset = curr // 8, m = more) / bytes([i] * g) + else: + pkt = ipv61 / sp.IPv6ExtHdrFragment(id = frag_id, offset = curr // 8, m = more) / bytes([i] * g) + pkts.append(pkt) + curr += gran + i += 1 + + sp.send(pkts, inter = 0.1) + class TestFrag6_Overlap(VnetTestTemplate): REQUIRED_MODULES = ["pf"] TOPOLOGY = {
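Review bot: test_overlong sends the fragments and returns without asserting anything, so the test's only failure mode is the vnet2 kernel panicking or tripping a sanitizer on the use-after-free; a docstring or comment stating that explicitly ("passes if the kernel survives reassembly") would help the next reader, and a follow-up check that vnet2 is still reachable would turn a silent hang into a visible failure. The constant in `g = 65530 - curr` deserves a comment too: the commit message says the packet must exceed 65535 bytes, but the code does not say why the fragmentable part stops at 65530 (the reassembled packet only crosses 65535 once the Hop-by-Hop and Fragment extension headers are counted), and an unexplained 65530 invites being "corrected" to 65535. Minor style points: the comment "so at to not confuse Scapy" should read "so as to not", and `random.randint(0,0xffffffff)` / `id = frag_id, offset = curr // 8, m = more` do not follow the PEP 8 spacing used elsewhere in the file.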