Date: Wed, 8 Jul 2020 20:11:40 +0000 (UTC) From: Gordon Tetlow <gordon@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r363026 - in releng: 11.3/sys/netinet6 11.4/sys/netinet6 12.1/sys/netinet6 Message-ID: <202007082011.068KBejP029378@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: gordon Date: Wed Jul 8 20:11:40 2020 New Revision: 363026 URL: https://svnweb.freebsd.org/changeset/base/363026 Log: Fix IPv6 socket option race condition and use after free. Approved by: so Security: FreeBSD-SA-20:20.ipv6 Security: CVE-2020-7457 Modified: releng/11.3/sys/netinet6/ip6_output.c releng/11.4/sys/netinet6/ip6_output.c releng/12.1/sys/netinet6/ip6_output.c Modified: releng/11.3/sys/netinet6/ip6_output.c ============================================================================== --- releng/11.3/sys/netinet6/ip6_output.c Wed Jul 8 20:08:05 2020 (r363025) +++ releng/11.3/sys/netinet6/ip6_output.c Wed Jul 8 20:11:40 2020 (r363026) @@ -1498,8 +1498,10 @@ ip6_ctloutput(struct socket *so, struct sockopt *sopt) error = soopt_mcopyin(sopt, m); /* XXX */ if (error != 0) break; + INP_WLOCK(in6p); error = ip6_pcbopts(&in6p->in6p_outputopts, m, so, sopt); + INP_WUNLOCK(in6p); m_freem(m); /* XXX */ break; } @@ -2244,8 +2246,11 @@ ip6_pcbopts(struct ip6_pktopts **pktopt, struct mbuf * printf("ip6_pcbopts: all specified options are cleared.\n"); #endif ip6_clearpktopts(opt, -1); - } else - opt = malloc(sizeof(*opt), M_IP6OPT, M_WAITOK); + } else { + opt = malloc(sizeof(*opt), M_IP6OPT, M_NOWAIT); + if (opt == NULL) + return (ENOMEM); + } *pktopt = NULL; if (!m || m->m_len == 0) { Modified: releng/11.4/sys/netinet6/ip6_output.c ============================================================================== --- releng/11.4/sys/netinet6/ip6_output.c Wed Jul 8 20:08:05 2020 (r363025) +++ releng/11.4/sys/netinet6/ip6_output.c Wed Jul 8 20:11:40 2020 (r363026) @@ -1514,8 +1514,10 @@ ip6_ctloutput(struct socket *so, struct sockopt *sopt) error = soopt_mcopyin(sopt, m); /* XXX */ if (error != 0) break; + INP_WLOCK(in6p); error = ip6_pcbopts(&in6p->in6p_outputopts, m, so, sopt); + INP_WUNLOCK(in6p); m_freem(m); /* XXX */ break; } @@ -2260,8 +2262,11 @@ ip6_pcbopts(struct ip6_pktopts **pktopt, struct mbuf * printf("ip6_pcbopts: all specified options are cleared.\n"); #endif ip6_clearpktopts(opt, -1); - } else - opt = malloc(sizeof(*opt), M_IP6OPT, M_WAITOK); + } else { + opt = malloc(sizeof(*opt), M_IP6OPT, M_NOWAIT); + if (opt == NULL) + return (ENOMEM); + } *pktopt = NULL; if (!m || m->m_len == 0) { Modified: releng/12.1/sys/netinet6/ip6_output.c ============================================================================== --- releng/12.1/sys/netinet6/ip6_output.c Wed Jul 8 20:08:05 2020 (r363025) +++ releng/12.1/sys/netinet6/ip6_output.c Wed Jul 8 20:11:40 2020 (r363026) @@ -1544,8 +1544,10 @@ ip6_ctloutput(struct socket *so, struct sockopt *sopt) error = soopt_mcopyin(sopt, m); /* XXX */ if (error != 0) break; + INP_WLOCK(in6p); error = ip6_pcbopts(&in6p->in6p_outputopts, m, so, sopt); + INP_WUNLOCK(in6p); m_freem(m); /* XXX */ break; } @@ -2305,8 +2307,11 @@ ip6_pcbopts(struct ip6_pktopts **pktopt, struct mbuf * printf("ip6_pcbopts: all specified options are cleared.\n"); #endif ip6_clearpktopts(opt, -1); - } else - opt = malloc(sizeof(*opt), M_IP6OPT, M_WAITOK); + } else { + opt = malloc(sizeof(*opt), M_IP6OPT, M_NOWAIT); + if (opt == NULL) + return (ENOMEM); + } *pktopt = NULL; if (!m || m->m_len == 0) {
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202007082011.068KBejP029378>