Date: Fri, 14 May 2021 12:22:02 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 255871] [PATCH] net: Fix a use after free in update_rtm_from_rc
Message-ID: <bug-255871-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255871

            Bug ID: 255871
           Summary: [PATCH] net: Fix a use after free in update_rtm_from_rc
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: lylgood@foxmail.com

Created attachment 224935
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=224935&action=edit
assigning the new allocated *prtm to rtm

Bug File: sys/net/rtsock.c

In function update_rtm_from_rc, *prtm is assigned to rtm at line 946 and the
*prtm is freed by callee update_rtm_from_info() via free(orig_rtm, M_TEMP).
And then *prtm was assigned with a newly allocated rtm in this callee.
But now, the rtm in the caller still points to a freed memory object. The freed
memory object is used later by rtm->rtm_flags, rtm->rtm_rmx and
rtm->rtm_rmx.rmx_weight...

The root of this uaf bug is that the reassignment of *prtm in the callee does
not change the value of the outside rtm. My patch fixes this error by assigning
the newly allocated *prtm to rtm.

-- 
You are receiving this mail because:
You are the assignee for the bug.
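The caller/callee pointer-aliasing pattern behind this report, as an added illustration that is not FreeBSD's code: a simplified stand-in for struct rt_msghdr, a model of update_rtm_from_info() that may replace the buffer through *prtm, and the buggy versus fixed shape of the caller. An instrumented slot pool replaces malloc/free so that a stale pointer can be detected instead of dereferenced (all names and sizes are hypothetical).

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for the kernel's struct rt_msghdr. */
struct rt_msghdr {
    size_t rtm_msglen;
    int    rtm_flags;
};

/* Instrumented pool instead of malloc/free: a freed slot is only marked
 * dead, so a dangling pointer can be checked safely in a test. */
#define POOL_SLOTS 4
static struct rt_msghdr pool[POOL_SLOTS];
static int slot_live[POOL_SLOTS];

static struct rt_msghdr *rtm_alloc(void) {
    for (int i = 0; i < POOL_SLOTS; i++)
        if (!slot_live[i]) {
            slot_live[i] = 1;
            memset(&pool[i], 0, sizeof pool[i]);
            return &pool[i];
        }
    return NULL;
}
static void rtm_free(struct rt_msghdr *p) { slot_live[p - pool] = 0; }
static int rtm_is_live(const struct rt_msghdr *p) { return slot_live[p - pool]; }

/* Model of update_rtm_from_info(): if the message must grow, the callee
 * allocates a new buffer, frees the old one and stores the new pointer
 * through *prtm. Only the caller's copy of *prtm is updated. */
static void update_rtm_from_info(struct rt_msghdr **prtm, size_t need) {
    if ((*prtm)->rtm_msglen >= need)
        return;
    struct rt_msghdr *orig_rtm = *prtm;
    struct rt_msghdr *rtm = rtm_alloc();
    *rtm = *orig_rtm;
    rtm->rtm_msglen = need;
    *prtm = rtm;
    rtm_free(orig_rtm);          /* orig_rtm is dead from here on */
}

/* Buggy shape: the local rtm captured before the call is used afterwards. */
static struct rt_msghdr *update_rtm_from_rc_buggy(struct rt_msghdr **prtm, size_t need) {
    struct rt_msghdr *rtm = *prtm;
    update_rtm_from_info(prtm, need);
    return rtm;                  /* stale if the callee reallocated */
}

/* Fixed shape: re-read *prtm after the callee may have replaced it. */
static struct rt_msghdr *update_rtm_from_rc_fixed(struct rt_msghdr **prtm, size_t need) {
    struct rt_msghdr *rtm = *prtm;
    update_rtm_from_info(prtm, need);
    rtm = *prtm;                 /* pick up the new allocation */
    return rtm;
}
```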