git: e190f21c98ae - stable/14 - ipfilter: Plug ip_htable kernel information leak
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Sun, 26 Oct 2025 03:14:59 UTC
The branch stable/14 has been updated by cy:
URL: https://cgit.FreeBSD.org/src/commit/?id=e190f21c98aeee4e284147eb43f8d446d585c0db
commit e190f21c98aeee4e284147eb43f8d446d585c0db
Author: Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2025-10-22 16:29:03 +0000
Commit: Cy Schubert <cy@FreeBSD.org>
CommitDate: 2025-10-26 03:14:51 +0000
ipfilter: Plug ip_htable kernel information leak
ipf_htable_stats_get() constructs an iphtstat_t on the stack and only
initializes select fields before copying the entire structure to
userland. The trailing padding array iphs_pad[16] is never initialized,
so ~128 bytes of uninitialized kernel stack memory can be leaked to user
space on each call. This is a classic information disclosure
vulnerability that can reveal pointers and other sensitive data.
We fix this by zeroing out the data structure prior to use.
Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Reviewed by: emaste
Differential revision: https://reviews.freebsd.org/D53275
(cherry picked from commit 0d589ecbc7aa916537fd21c0344919491cfcb293)
---
sys/netpfil/ipfilter/netinet/ip_htable.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/sys/netpfil/ipfilter/netinet/ip_htable.c b/sys/netpfil/ipfilter/netinet/ip_htable.c
index 1907aa0f9f5f..be5b71d9f6d4 100644
--- a/sys/netpfil/ipfilter/netinet/ip_htable.c
+++ b/sys/netpfil/ipfilter/netinet/ip_htable.c
@@ -233,6 +233,8 @@ ipf_htable_stats_get(ipf_main_softc_t *softc, void *arg, iplookupop_t *op)
return (EINVAL);
}
+ bzero(&stats, sizeof(stats));
+
stats.iphs_tables = softh->ipf_htables[op->iplo_unit + 1];
stats.iphs_numtables = softh->ipf_nhtables[op->iplo_unit + 1];
stats.iphs_numnodes = softh->ipf_nhtnodes[op->iplo_unit + 1];