Date: Fri, 14 May 2021 10:11:06 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 255863] [PATCH] dev/cxgb: Fix a use after free in get_packet Message-ID: <bug-255863-227@https.bugs.freebsd.org/bugzilla/>
index | next in thread | raw e-mail
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255863 Bug ID: 255863 Summary: [PATCH] dev/cxgb: Fix a use after free in get_packet Product: Base System Version: CURRENT Hardware: Any OS: Any Status: New Severity: Affects Only Me Priority: --- Component: kern Assignee: bugs@FreeBSD.org Reporter: lylgood@foxmail.com Created attachment 224927 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=224927&action=edit add new variables to avoid uaf. Bug File: sys/dev/cxgb/cxgb_sge.c In function get_packet, m is freed via m_freem() at line 2,775 in the case RSPQ_NSOP_NEOP. However, the freed m is used in m->m_len and m->m_pkthdr.len in printf(). This is a use after free bug and could print security-sensitive information. Alough it exist in debug mode, it is worthy to fix it. My patch uses "m_len = m->m_len" and "m_pkthdr_len = m->m_pkthdr.len" to avoid the uaf bug. -- You are receiving this mail because: You are the assignee for the bug.home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-255863-227>