pf: Improve input validation
ClosedPublic
Actions

Authored by kp on Apr 22 2020, 7:12 PM.

Details

Reviewers

melifaro

Group Reviewers

network

Commits

rS360344: pf: Improve input validation

Summary

If we pass an anchor name which doesn't exist pfr_table_count() returns
-1, which leads to an overflow in mallocarray() and thus a panic.

Explicitly check that pfr_table_count() does not return an error.

Reported-by: syzbot+bd09d55d897d63d5f4f4@syzkaller.appspotmail.com

Lint

Lint Passed

Unit

No Test Coverage

Build Status

Buildable 30670
Build 28405: arc lint + arc unit

kp created this revision.Apr 22 2020, 7:12 PM

LGTM, please see minor comments in the diff

sys/netpfil/pf/pf_ioctl.c
3058	I'm curious: it looks like `pfr_get_tstats()` uses totally separate routine to clear the statistics. Would it potentially make sense to use read lock to get the stats first and then clear the stats under wlock if the flag is specified?
3060	I'm wondering what will happen when n equals 0? Do `mallocarray()` always return NULL?

This revision is now accepted and ready to land.Apr 22 2020, 8:41 PM

kp added inline comments.Apr 23 2020, 8:01 AM

sys/netpfil/pf/pf_ioctl.c
3058	That would break the atomicity of the read+clear operation. We'd risk missing matches that happen between reading the stats and clearing them.
3060	That becomes a malloc(0, ...), so I believe we still allocate something, possibly rounded up to the smallest uma bucket size.