Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 10 Nov 2020 17:59:02 +0100
From:      Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
To:        freebsd-net@freebsd.org
Subject:   Re: remote use-after-free in icmp6
Message-ID:  <84b8f8d0-9add-159a-a119-f602ed873c9a@plan-b.pwste.edu.pl>
In-Reply-To: <e3c0495f-4d68-6904-b5b5-a860d0ac1aee@sentex.net>
References:  <0d6f3bc8-d727-892b-be8e-947c9dfddc24@m00nbsd.net> <5142321603916685@mail.yandex.ru> <3581301603916797@mail.yandex.ru> <e3c0495f-4d68-6904-b5b5-a860d0ac1aee@sentex.net>
next in thread | previous in thread | raw e-mail | index | archive | help 
W dniu 05.11.2020 o=C2=A001:41, mike tancsa pisze:
> Hi,
>
>  =C2=A0=C2=A0=C2=A0 Is this an issue in HEAD only ? Or is it something =
that needs to be
> MFC'd ?
>
>  =C2=A0=C2=A0=C2=A0 ---Mike

It has been MFCed to 12-STABLE with r367402[1].

What about 11-STABLE users? Should they be worried about missing MFC as=20
well or ignore the issue as non-exploitable on their systems?

[1]=20
https://lists.freebsd.org/pipermail/svn-src-all/2020-November/204977.html=


--=20
Marek Zarychta

>
> On 10/28/2020 4:27 PM, Alexander V. Chernikov wrote:
>> 28.10.2020, 20:25, "Alexander V. Chernikov" <melifaro@ipfw.ru>:
>>> 28.10.2020, 18:34, "Maxime Villard" <max@m00nbsd.net>:
>>>> In icmp6_notify_error(), 'finaldst' points to data within an mbuf, b=
ut when
>>>> iterating over the next IPv6 options the kernel can free that mbuf, =
meaning
>>>> the dereferences of 'finaldst' hit a freed buffer.
>> [sorry for reposting, plaintext this time]
>>> Fixed in r367114, thanks for reporting!
>>>> Note that this is triggerable without specific conditions, over just=
 ICMPv6.
>>>>
>>>> Maxime
>>>> _______________________________________________
>>>> freebsd-net@freebsd.org mailing list
>>>> https://lists.freebsd.org/mailman/listinfo/freebsd-net
>>>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.or=
g"
>> _______________________________________________
>> freebsd-net@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-net
>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"=

>>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?84b8f8d0-9add-159a-a119-f602ed873c9a>