Date:      Sun, 26 Oct 2025 03:15:01 GMT
From:      Cy Schubert <cy@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: d78f36183a26 - stable/14 - ipfilter: Plug ip_nat kernel information leak
Message-ID:  <202510260315.59Q3F1Ki063732@gitrepo.freebsd.org>


The branch stable/14 has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=d78f36183a26e2652228c2f7e673ad1b58b3770a

commit d78f36183a26e2652228c2f7e673ad1b58b3770a
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2025-10-22 15:59:26 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2025-10-26 03:14:51 +0000

    ipfilter: Plug ip_nat kernel information leak
    
    ipf_nat_getent() allocates a variable-sized nat_save_t buffer with
    KMALLOCS() (which does not zero memory) and then copies only a subset
    of fields into it before returning the object to userland using
    ipf_outobjsz(). Because the structure is not fully initialized on all
    paths, uninitialized kernel heap bytes can be copied back to user space,
    resulting in an information leak.
    
    We fix this by zeroing out the data structure immediately after
    allocation.
    
    Reported by:            Ilja Van Sprundel <ivansprundel@ioactive.com>
    Reviewed by:            emaste
    Differential revision:  https://reviews.freebsd.org/D53274
    
    (cherry picked from commit 6535e9308a26e17023831fe68fb71d2febf2a002)
---
 sys/netpfil/ipfilter/netinet/ip_nat.c | 1 +
 1 file changed, 1 insertion(+)
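To make the class of bug in the commit message concrete, here is a small user-space model of it, added here as an illustration and not taken from the FreeBSD sources. It builds a constructed record type (struct nat_rec, with a dsize field standing in for nat_save_t's ipn_dsize), an allocator that deliberately returns stale bytes the way the message says KMALLOCS() does, the leaky "fill a few fields, copy the whole buffer out" pattern, the fixed variant that clears the allocation first, and a check that counts how many stale bytes reach the caller. All names and the 0xAA stale pattern are assumptions of this example.

```c
/* Added example, not FreeBSD code: a user-space model of a partially
 * initialised variable-sized record being copied out in full.
 * Record layout, function names and the stale byte pattern are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed record: fixed header followed by a variable-length payload,
 * loosely modelled on a nat_save_t whose ipn_dsize gives the total size. */
struct nat_rec {
    uint32_t dsize;   /* total size of this record, header included */
    uint32_t proto;
    uint8_t  data[];  /* dsize - sizeof(header) bytes follow */
};

#define STALE 0xAA    /* simulated previous contents of heap memory */

/* Allocator that hands back memory without clearing it (the behaviour the
 * commit message attributes to KMALLOCS()).  The fill makes stale bytes
 * visible and countable instead of leaving them to chance. */
static void *alloc_stale(size_t n)
{
    void *p = malloc(n);
    if (p != NULL)
        memset(p, STALE, n);
    return p;
}

/* Vulnerable pattern: only the header fields are written, then all dsize
 * bytes are handed to the caller.  data[] is intentionally left untouched;
 * that is the defect being modelled. */
int getent_leaky(uint32_t dsize, void *out)
{
    struct nat_rec *r = alloc_stale(dsize);
    if (r == NULL)
        return -1;
    r->dsize = dsize;
    r->proto = 17;
    memcpy(out, r, dsize);   /* stands in for ipf_outobjsz() */
    free(r);
    return 0;
}

/* Fixed pattern: clear the whole allocation before any field is set,
 * mirroring the patch's bzero(ipn, ipns.ipn_dsize). */
int getent_fixed(uint32_t dsize, void *out)
{
    struct nat_rec *r = alloc_stale(dsize);
    if (r == NULL)
        return -1;
    memset(r, 0, dsize);
    r->dsize = dsize;
    r->proto = 17;
    memcpy(out, r, dsize);
    free(r);
    return 0;
}

/* Check: count bytes past the header in the returned record that still
 * carry the stale pattern.  Any non-zero result means memory the caller
 * was never meant to see crossed the boundary.  (This header has no
 * padding; in a real structure padding bytes would need checking too.) */
size_t count_stale_bytes(int (*getent)(uint32_t, void *), uint32_t dsize)
{
    unsigned char *buf = malloc(dsize);
    size_t stale = 0;

    if (buf == NULL || getent(dsize, buf) != 0) {
        free(buf);
        return (size_t)-1;
    }
    for (size_t i = sizeof(struct nat_rec); i < dsize; i++)
        if (buf[i] == STALE)
            stale++;
    free(buf);
    return stale;
}

int main(void)
{
    printf("leaky: %zu stale bytes of 64 reach the caller\n",
           count_stale_bytes(getent_leaky, 64));
    printf("fixed: %zu stale bytes of 64 reach the caller\n",
           count_stale_bytes(getent_fixed, 64));
    return 0;
}
```

With a 64-byte record the leaky variant returns all 56 payload bytes still holding the allocator's stale pattern, while the cleared variant returns none; the same harness can be pointed at any copy-out routine that takes a size and a destination buffer.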

diff --git a/sys/netpfil/ipfilter/netinet/ip_nat.c b/sys/netpfil/ipfilter/netinet/ip_nat.c
index 290af20e4765..3f8f3c2a342c 100644
--- a/sys/netpfil/ipfilter/netinet/ip_nat.c
+++ b/sys/netpfil/ipfilter/netinet/ip_nat.c
@@ -1775,6 +1775,7 @@ ipf_nat_getent(ipf_main_softc_t *softc, caddr_t data, int getlock)
 		IPFERROR(60029);
 		return (ENOMEM);
 	}
+	bzero(ipn, ipns.ipn_dsize);
 
 	if (getlock) {
 		READ_ENTER(&softc->ipf_nat);
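Review bot: the length passed to bzero() must equal the length passed to the KMALLOCS() call that sits above this hunk's context; please confirm that allocation is also sized by ipns.ipn_dsize, since a smaller allocation would make the new bzero write past the buffer and a larger one would leave a tail uncleared. Placement right after the ENOMEM check is correct, as it clears the object before any field is written. A one-line comment above the bzero stating that KMALLOCS() does not zero memory and that the structure is not fully populated on every path would keep the next reader from removing it as redundant.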

