From nobody Mon Dec 30 20:45:03 2024
Date: Mon, 30 Dec 2024 20:45:03 GMT
Message-Id: <202412302045.4BUKj3Bt020566@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Kristof Provost
Subject: git: 0fd06bd44aa0 - stable/14 - pf: fix double free in pf_state_key_attach()
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: 0fd06bd44aa04b4105608ba2bc5fc9d93d0ac056
Auto-Submitted: auto-generated

The branch stable/14 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=0fd06bd44aa04b4105608ba2bc5fc9d93d0ac056

commit 0fd06bd44aa04b4105608ba2bc5fc9d93d0ac056
Author:     Kristof Provost
AuthorDate: 2024-12-11 22:27:21 +0000
Commit:     Kristof Provost
CommitDate: 2024-12-30 20:42:57 +0000

    pf: fix double free in pf_state_key_attach()

    In 371bd29d4b we fixed a state key leak, but unintentionally introduced
    a double free.
    We pass through the relevant code twice, first for PF_SK_WIRE, then for
    PF_SK_STACK. If we fail to attach on the second pass we have a more
    complex cleanup job, handled by pf_detach_state(). We must only free the
    state keys manually on the first pass, on the second one
    pf_detach_state() takes care of everything.

    Tested by:      yds
    Fixes:          371bd29d4b22257a7e92e1e711cca3d94cfbd00d
    MFC after:      2 weeks
    Sponsored by:   Rubicon Communications, LLC ("Netgate")

    (cherry picked from commit 01eb1261443dddcb50a3a278f1278fffdfb0d36e)

--- sys/netpfil/pf/pf.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 53c4fcb492da..163eb2cedc27 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c
@@ -1345,11 +1345,13 @@ keyattach: s->timeout = PFTM_UNLINKED; PF_HASHROW_UNLOCK(ih); KEYS_UNLOCK(); - uma_zfree(V_pf_state_key_z, skw); - if (skw != sks) - uma_zfree(V_pf_state_key_z, sks); - if (idx == PF_SK_STACK) + if (idx == PF_SK_WIRE) { + uma_zfree(V_pf_state_key_z, skw); + if (skw != sks) + uma_zfree(V_pf_state_key_z, sks); + } else { pf_detach_state(s); + } return (EEXIST); /* collision! */ } }
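Review bot: The new `if (idx == PF_SK_WIRE) { ... } else { pf_detach_state(s); }` branch in the collision path has no comment saying why the manual `uma_zfree(V_pf_state_key_z, ...)` calls are confined to the first pass. That ownership rule is exactly what the earlier leak fix got wrong, and it currently lives only in the commit message. A short comment above the branch, stating that on the PF_SK_STACK pass pf_detach_state() is responsible for releasing the keys and they must not be freed by hand, would keep the next cleanup change from reintroducing the double free. Separately, the old code tested `idx == PF_SK_STACK` explicitly, while the new `else` arm runs for any value other than PF_SK_WIRE; if only those two values are ever valid here, an assertion such as `MPASS(idx == PF_SK_STACK);` at the top of the `else` arm would document and enforce that assumption.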