From owner-svn-src-all@FreeBSD.ORG Tue Oct 20 21:36:57 2009 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9CD7A1065695; Tue, 20 Oct 2009 21:36:57 +0000 (UTC) (envelope-from qingli@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 70A958FC0C; Tue, 20 Oct 2009 21:36:57 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id n9KLavpX079251; Tue, 20 Oct 2009 21:36:57 GMT (envelope-from qingli@svn.freebsd.org) Received: (from qingli@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id n9KLavvx079249; Tue, 20 Oct 2009 21:36:57 GMT (envelope-from qingli@svn.freebsd.org) Message-Id: <200910202136.n9KLavvx079249@svn.freebsd.org> From: Qing Li Date: Tue, 20 Oct 2009 21:36:57 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org X-SVN-Group: stable-8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r198308 - in stable/8/sys: . amd64/include/xen cddl/contrib/opensolaris contrib/dev/acpica contrib/pf dev/xen/xenpci netinet X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Oct 2009 21:36:57 -0000 Author: qingli Date: Tue Oct 20 21:36:56 2009 New Revision: 198308 URL: http://svn.freebsd.org/changeset/base/198308 Log: MFC 198301 In the ARP callout timer expiration function, the current time_second is compared against the entry expiration time value (that was set based on time_second) to check if the current time is larger than the set expiration time. Due to the +/- timer granularity value, the comparison returns false, causing the alternative code to be executed. The alternative code path freed the memory without removing that entry from the table list, causing a use-after-free bug. Reviewed by: discussed with kmacy Approved by: re Verified by: rnoland, yongari Modified: stable/8/sys/ (props changed) stable/8/sys/amd64/include/xen/ (props changed) stable/8/sys/cddl/contrib/opensolaris/ (props changed) stable/8/sys/contrib/dev/acpica/ (props changed) stable/8/sys/contrib/pf/ (props changed) stable/8/sys/dev/xen/xenpci/ (props changed) stable/8/sys/netinet/if_ether.c Modified: stable/8/sys/netinet/if_ether.c ============================================================================== --- stable/8/sys/netinet/if_ether.c Tue Oct 20 21:29:46 2009 (r198307) +++ stable/8/sys/netinet/if_ether.c Tue Oct 20 21:36:56 2009 (r198308) @@ -168,17 +168,17 @@ arptimer(void *arg) ifp = lle->lle_tbl->llt_ifp; IF_AFDATA_LOCK(ifp); LLE_WLOCK(lle); - if (((lle->la_flags & LLE_DELETED) - || (time_second >= lle->la_expire)) - && (!callout_pending(&lle->la_timer) && - callout_active(&lle->la_timer))) + if ((!callout_pending(&lle->la_timer) && + callout_active(&lle->la_timer))) { (void) llentry_free(lle); + } +#ifdef DIAGNOSTICS else { - /* - * Still valid, just drop our reference - */ - LLE_FREE_LOCKED(lle); + struct sockaddr *l3addr = L3_ADDR(lle); + log(LOG_INFO, "arptimer issue: %p, IPv4 address: \"%s\"\n", lle, + inet_ntoa(((const struct sockaddr_in *)l3addr)->sin_addr)); } +#endif IF_AFDATA_UNLOCK(ifp); } @@ -365,7 +365,7 @@ retry: if (renew) { LLE_ADDREF(la); - la->la_expire = time_second; + la->la_expire = time_second + V_arpt_down; callout_reset(&la->la_timer, hz * V_arpt_down, arptimer, la); la->la_asked++; LLE_WUNLOCK(la);