
if_stf: KASAN fix
Closed, Public

Authored by kp on Nov 30 2021, 4:46 PM.

Details

Reviewers
markj
Group Reviewers
network
pfsense
Commits
rG439da7f06dce: if_stf: KASAN fix
Summary

In in_stf_input() we grabbed a pointer to the IPv4 header and later did
an m_pullup() before we look at the IPv6 header. However, m_pullup()
could rearrange the mbuf chain and potentially invalidate the pointer to
the IPv4 header.

Avoid this issue by copying the IP header rather than getting a pointer
to it.

While here also ensure we've done an m_pullup() for the IPv4 header.

Reported by: markj, Jenkins (KASAN job)
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 43055
Build 39943: arc lint + arc unit

Event Timeline

kp requested review of this revision. Nov 30 2021, 4:46 PM
markj added inline comments.
sys/net/if_stf.c:755

This could be m_copydata(m, 0, sizeof(*ip), &ip).

Also the check below implies that we could have sc == NULL, so it's not safe to dereference ifp yet. Using m_copydata() would fix that problem too.

sys/net/if_stf.c:755

... that assumes though that the packet is at least 20 bytes long. I'm not sure if there's something guaranteeing that.

The stf tests pass for me with KASAN+this change. Thanks!

This revision is now accepted and ready to land. Nov 30 2021, 5:21 PM
This revision was automatically updated to reflect the committed changes.
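
The pattern from the summary and the inline comments, modelled in userspace C as an added example (not code from this revision or from FreeBSD): the header is copied out before the pullup, and the copy fails cleanly on a packet shorter than 20 bytes. `struct tbuf`, `tbuf_pullup()`, `tbuf_copydata()` and `stf_demo()` are hypothetical stand-ins for the mbuf API, the packet bytes are constructed, and allocation failures are not checked.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
struct tbuf { struct tbuf *next; size_t len; uint8_t *data; }; /* toy mbuf (constructed) */
static struct tbuf *tbuf_new(const uint8_t *src, size_t len, struct tbuf *next) {
    struct tbuf *t = malloc(sizeof(*t));
    *t = (struct tbuf){ next, len, malloc(len + 1) };
    memcpy(t->data, src, len);
    return t;
}
static void tbuf_free(struct tbuf *t) {
    while (t != NULL) { struct tbuf *nx = t->next; free(t->data); free(t); t = nx; }
}
static size_t tbuf_total(const struct tbuf *t) {
    size_t n = 0;
    for (; t != NULL; t = t->next) n += t->len;
    return n;
}
/* Like m_copydata() into caller-owned storage, but returns -1 if the chain is shorter than len. */
static int tbuf_copydata(const struct tbuf *t, size_t len, void *dst) {
    uint8_t *out = dst;
    for (; len > 0 && t != NULL; t = t->next) {
        size_t n = t->len < len ? t->len : len;
        memcpy(out, t->data, n); out += n; len -= n;
    }
    return len == 0 ? 0 : -1;
}
/* Like m_pullup(): if the head holds fewer than len bytes, rebuild the chain in
 * new storage and free the old one; pointers into the old head then dangle. */
static struct tbuf *tbuf_pullup(struct tbuf *t, size_t len) {
    if (t->len >= len) return t;         /* already contiguous, nothing moves */
    size_t total = tbuf_total(t);
    uint8_t *flat = malloc(total + 1);
    struct tbuf *n = NULL;
    if (total >= len && tbuf_copydata(t, total, flat) == 0) n = tbuf_new(flat, total, NULL);
    free(flat); tbuf_free(t);            /* the old chain is freed on failure too */
    return n;
}
/* Fixed order: copy the IPv4 header out, then pull up. Needs head_len <= total <= 60. */
static int stf_demo(size_t total, size_t head_len, int *moved) {
    uint8_t pkt[60] = { [0] = 0x45, [9] = 41 }, iphdr[20]; /* proto 41: IPv6-in-IPv4 */
    struct tbuf *m = tbuf_new(pkt, head_len, tbuf_new(pkt + head_len, total - head_len, NULL));
    if (tbuf_copydata(m, sizeof(iphdr), iphdr) != 0) { tbuf_free(m); return -1; }
    uintptr_t old_head = (uintptr_t)m->data;   /* where a saved header pointer would aim */
    m = tbuf_pullup(m, total);
    *moved = m != NULL && (uintptr_t)m->data != old_head;
    tbuf_free(m);
    return iphdr[9];                     /* read from the copy, valid after the pullup */
}
int main(void) { int moved = 0; return stf_demo(60, 20, &moved) == 41 && moved ? 0 : 1; }
```

When `moved` is set, a pointer taken into the old head before the pullup would reference freed memory, which is the access KASAN reports.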