Date: Sun, 26 Oct 2025 03:15:01 GMT
Message-Id: <202510260315.59Q3F1Ki063732@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Cy Schubert
Subject: git: d78f36183a26 - stable/14 - ipfilter: Plug ip_nat kernel information leak
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: cy
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: d78f36183a26e2652228c2f7e673ad1b58b3770a

The branch stable/14 has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=d78f36183a26e2652228c2f7e673ad1b58b3770a

commit d78f36183a26e2652228c2f7e673ad1b58b3770a
Author:     Cy Schubert
AuthorDate: 2025-10-22 15:59:26 +0000
Commit:     Cy Schubert
CommitDate: 2025-10-26 03:14:51 +0000

    ipfilter: Plug ip_nat kernel information leak

    ipf_nat_getent() allocates a variable-sized nat_save_t buffer with
    KMALLOCS() (which does not zero memory) and then copies only a subset
    of fields into it before returning the object to userland using
    ipf_outobjsz(). Because the structure is not fully initialized on all
    paths, uninitialized kernel heap bytes can be copied back to user
    space, resulting in an information leak.

    We fix this by zeroing out the data structure immediately after
    allocation.

    Reported by:    Ilja Van Sprundel
    Reviewed by:    emaste
    Differential revision:  https://reviews.freebsd.org/D53274

    (cherry picked from commit 6535e9308a26e17023831fe68fb71d2febf2a002)
---
 sys/netpfil/ipfilter/netinet/ip_nat.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sys/netpfil/ipfilter/netinet/ip_nat.c b/sys/netpfil/ipfilter/netinet/ip_nat.c
index 290af20e4765..3f8f3c2a342c 100644
--- a/sys/netpfil/ipfilter/netinet/ip_nat.c
+++ b/sys/netpfil/ipfilter/netinet/ip_nat.c
@@ -1775,6 +1775,7 @@ ipf_nat_getent(ipf_main_softc_t *softc, caddr_t data, int getlock) IPFERROR(60029); return (ENOMEM); } + bzero(ipn, ipns.ipn_dsize); if (getlock) { READ_ENTER(&softc->ipf_nat);
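Review bot: the zero length must match the allocation length. `bzero(ipn, ipns.ipn_dsize);` sits right after the ENOMEM return, but the KMALLOCS() call it pairs with is outside the visible context, so confirm that the size handed to KMALLOCS() is exactly ipns.ipn_dsize and that ipn_dsize was bounds-checked before the allocation; if the two ever diverge, this bzero writes past the object instead of plugging the leak. Placing the zeroing before the `if (getlock)` branch and before any field is populated is the right position, since it covers every early-return path that follows. A one-line comment above the bzero saying that the object is only partially populated before ipf_outobjsz() would stop a later cleanup from dropping it as redundant.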
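The leak pattern the commit message describes, reproduced as an added userland C example that is not part of ipfilter or of this commit: a stand-in struct (nat_save_like, with field names chosen for the example and not matching the real nat_save_t layout), a non-zeroing allocator in the role of KMALLOCS(), a memcpy in the role of ipf_outobjsz(), and a marker byte standing in for whatever the previous owner of the heap memory left behind. The same routine is run once without and once with the zeroing the fix adds, and each call returns how many stale bytes reached the caller's buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Illustrative stand-in for ipfilter's variable-sized nat_save_t:
 * an 8-byte header followed by ipn_dsize - 8 bytes of payload.
 * Field names are assumptions made for this example.
 */
struct nat_save_like {
	uint32_t ipn_dsize;	/* total object size, header included */
	uint32_t ipn_flags;
	uint8_t  ipn_data[];	/* variable-length tail */
};

#define ARENA_SIZE	256
#define STALE_BYTE	0xA5	/* marker for leftover kernel heap contents */

/* Simulated kernel heap, kept 8-byte aligned. */
static uint64_t arena_storage[ARENA_SIZE / sizeof(uint64_t)];
#define arena ((unsigned char *)arena_storage)

/* Role of KMALLOCS(): hands out memory without clearing its old contents. */
static void *
kmalloc_noclear(size_t sz)
{
	return (sz <= ARENA_SIZE ? arena : NULL);
}

/* Count how many copied-out bytes still carry the stale marker. */
static size_t
count_stale(const unsigned char *buf, size_t len)
{
	size_t n = 0;

	for (size_t i = 0; i < len; i++)
		if (buf[i] == STALE_BYTE)
			n++;
	return (n);
}

/*
 * Shape of ipf_nat_getent(): allocate dsize bytes, populate only the
 * header and the first 4 payload bytes, then copy all dsize bytes to
 * the caller (the role of ipf_outobjsz()).  Returns the number of stale
 * bytes that reached 'user', or (size_t)-1 if the allocation failed.
 */
static size_t
getent(int zero_after_alloc, unsigned char *user, size_t dsize)
{
	struct nat_save_like *ipn;

	memset(arena, STALE_BYTE, ARENA_SIZE);	/* previous owner's data */
	ipn = kmalloc_noclear(dsize);
	if (ipn == NULL)
		return ((size_t)-1);
	if (zero_after_alloc)
		memset(ipn, 0, dsize);	/* the fix: bzero(ipn, ipns.ipn_dsize) */
	ipn->ipn_dsize = (uint32_t)dsize;
	ipn->ipn_flags = 0x1;
	memset(ipn->ipn_data, 0x11, 4);	/* only part of the payload is written */
	memcpy(user, ipn, dsize);	/* copyout of the whole object */
	return (count_stale(user, dsize));
}

/* Before the fix: 8 header + 4 payload bytes written, the rest leaks. */
size_t
leaked_bytes_vulnerable(size_t dsize)
{
	unsigned char user[ARENA_SIZE];

	return (getent(0, user, dsize));
}

/* After the fix: every byte not explicitly written is zero. */
size_t
leaked_bytes_fixed(size_t dsize)
{
	unsigned char user[ARENA_SIZE];

	return (getent(1, user, dsize));
}

int
main(void)
{
	printf("stale bytes copied out, unzeroed alloc: %zu\n",
	    leaked_bytes_vulnerable(64));
	printf("stale bytes copied out, zeroed alloc:   %zu\n",
	    leaked_bytes_fixed(64));
	return (0);
}
```

For a 64-byte object the unzeroed path copies out 52 bytes of the previous owner's data (64 minus the 12 bytes the routine actually writes); the zeroed path copies out none. Zeroing right after allocation, rather than before each copyout, is what makes the result independent of which fields a given code path happens to fill.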