From: bugzilla-noreply@freebsd.org
To: net@FreeBSD.org
Subject: [Bug 289017] [lagg] A time-of-check to time-of-use (TOCTOU) race exists in the Link Aggregation (LAGG) network subsystem
Date: Sun, 14 Dec 2025 03:34:40 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 14.3-RELEASE
X-Bugzilla-Status: New
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=289017

--- Comment #2 from Qiu-ji Chen ---
(In reply to Zhenlei Huang from comment #1)

Thank you for the response.

I have successfully verified this TOCTOU issue dynamically, moving beyond the initial static analysis.

To reproduce the race condition reliably, I set up a QEMU environment with a custom FreeBSD 14.3 kernel. I injected a busy loop (DELAY) in lagg_transmit_ethernet specifically between the protocol check (sc_proto != NONE) and the function pointer call (lagg_proto_start). I then developed a multi-threaded PoC where one thread repeatedly toggles the lagg protocol via SIOCSLAGG while multiple victim threads flood the interface with packets.

This setup successfully triggered a Kernel Panic (Fatal trap 12: page fault with instruction pointer 0x0), proving that the protocol can indeed be switched to NONE after the check passes but before usage.
Panic Log:

Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address   = 0x0
fault code              = supervisor read instruction, page not present
instruction pointer     = 0x20:0x0
stack pointer           = 0x28:0xfffffe0068ff2948
frame pointer           = 0x28:0xfffffe0068ff2970
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, IOPL = 0
current process         = 873 (poc)
rdi: fffff8000360a200 rsi: fffff800043c8700 rdx: 0000000000000000
rcx: 000000000000005a  r8: fffffe000937c060  r9: fffff800043c8760
rax: 0000000000000000 rbx: fffff80003663000 rbp: fffffe0068ff2970
r10: 00000000000000a0 r11: fffff800046f2740 r12: 000000000000000e
r13: 0000000000000008 r14: fffffe0068ff2ac0 r15: fffff80003663000
trap number             = 12
panic: page fault
cpuid = 1
time = 1765682403
KDB: stack backtrace:
#0 0xffffffff80ba8f1d at kdb_backtrace+0x5d
#1 0xffffffff80b5aa11 at vpanic+0x161
#2 0xffffffff80b5a8a3 at panic+0x43
#3 0xffffffff8104dbfa at trap_pfault+0x3da
#4 0xffffffff81023dd8 at calltrap+0x8
#5 0xffffffff80c85a50 at ether_output+0x6b0
#6 0xffffffff80d21998 at ip_output+0x13a8
#7 0xffffffff80d52c40 at udp_send+0xb60
#8 0xffffffff80c0145c at sosend_dgram+0x31c
#9 0xffffffff80c0242f at sousrsend+0x5f
#10 0xffffffff80c0aec0 at kern_sendit+0x1c0
#11 0xffffffff80c0b1f2 at sendit+0x1b2
#12 0xffffffff80c0b02d at sys_sendto+0x4d
#13 0xffffffff8104e547 at amd64_syscall+0x117
#14 0xffffffff810246eb at fast_syscall_common+0xf8
Uptime: 1m13s
Automatic reboot in 15 seconds - press a key on the console to abort
--> Press a key on the console to reboot,
--> or switch off the system now.

I verified that this vulnerable logic also persists in 15.0. While I plan to attempt a reproduction without artificial delays using pure concurrency to further demonstrate the impact, I believe the current result with the widened window definitively proves the bug's existence and mechanism.
I suggest prioritizing a fix for this race condition.

-- 
You are receiving this mail because:
You are the assignee for the bug.
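To make the check-then-use window described in the comment concrete, here is an added user-space model in C (not code from FreeBSD or from the reporter): the vulnerable transmit shape beside a hardened one that keeps the protocol check and the call through the pointer in a single critical section. The names lagg_model, lagg_transmit_vuln, lagg_transmit_safe and run_scenario are assumptions of this model, and the hook that stands in for the injected DELAY() is constructed.

```c
#include <pthread.h>
#include <stddef.h>
/* Constructed user-space model of the lagg softc fields the report names. */
enum { PROTO_NONE = 0, PROTO_FAILOVER = 1 };
struct lagg_model {
    pthread_mutex_t lock;                    /* stands in for the softc lock */
    int proto;                               /* sc_proto */
    int (*start)(struct lagg_model *, int);  /* target of lagg_proto_start() */
};
static int failover_start(struct lagg_model *sc, int pkt) { (void)sc; return pkt; }
/* SIOCSLAGG model: switching to NONE clears the start pointer. */
void lagg_set_proto(struct lagg_model *sc, int proto) {
    pthread_mutex_lock(&sc->lock);
    sc->proto = proto;
    sc->start = (proto == PROTO_NONE) ? NULL : failover_start;
    pthread_mutex_unlock(&sc->lock);
}
/* Vulnerable shape: check, then use, with nothing keeping the protocol steady
 * in between; 'window' plays the role of the DELAY() the report injected. */
int lagg_transmit_vuln(struct lagg_model *sc, int pkt, void (*window)(struct lagg_model *)) {
    if (sc->proto == PROTO_NONE)
        return -1;
    window(sc);
    return sc->start == NULL ? -2 : sc->start(sc, pkt);  /* -2: kernel would jump to 0 */
}
/* Hardened shape: check and use in one critical section, so a concurrent
 * lagg_set_proto cannot land between them. */
int lagg_transmit_safe(struct lagg_model *sc, int pkt, void (*window)(struct lagg_model *)) {
    int rc = -1;
    pthread_mutex_lock(&sc->lock);
    if (sc->proto != PROTO_NONE) {
        window(sc);
        rc = sc->start(sc, pkt);             /* cannot be NULL while locked */
    }
    pthread_mutex_unlock(&sc->lock);
    return rc;
}
/* "Another CPU" issuing SIOCSLAGG inside the window: against the vulnerable path
 * it finishes at once; against the hardened path it blocks on the lock. */
static pthread_t toggler;
static void *set_none(void *sc) { lagg_set_proto(sc, PROTO_NONE); return NULL; }
static void spawn_toggler(struct lagg_model *sc) { pthread_create(&toggler, NULL, set_none, sc); }
static void spawn_and_wait(struct lagg_model *sc) { spawn_toggler(sc); pthread_join(toggler, NULL); }
int run_scenario(int hardened) {
    struct lagg_model sc = { PTHREAD_MUTEX_INITIALIZER, PROTO_FAILOVER, failover_start };
    int rc = hardened ? lagg_transmit_safe(&sc, 42, spawn_toggler)
                      : lagg_transmit_vuln(&sc, 42, spawn_and_wait);
    if (hardened) pthread_join(toggler, NULL);  /* can only complete after the unlock */
    return rc;
}
```

run_scenario(0) returns -2 (the vulnerable path observes the cleared pointer after its check passed), while run_scenario(1) returns 42 because the protocol switch is forced to wait until the transmit has finished.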