git: 2ebb4779c40a - stable/13 - ipfilter: Plug ip_htable kernel information leak
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Sun, 26 Oct 2025 03:15:28 UTC
The branch stable/13 has been updated by cy:
URL: https://cgit.FreeBSD.org/src/commit/?id=2ebb4779c40afbaf4a0bf0b6d5364758b4c24bad
commit 2ebb4779c40afbaf4a0bf0b6d5364758b4c24bad
Author: Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2025-10-22 16:29:03 +0000
Commit: Cy Schubert <cy@FreeBSD.org>
CommitDate: 2025-10-26 03:15:13 +0000
ipfilter: Plug ip_htable kernel information leak
ipf_htable_stats_get() constructs an iphtstat_t on the stack and only
initializes select fields before copying the entire structure to
userland. The trailing padding array iphs_pad[16] is never initialized,
so ~128 bytes of uninitialized kernel stack memory can be leaked to user
space on each call. This is a classic information disclosure
vulnerability that can reveal pointers and other sensitive data.
We fix this by zeroing out the data structure prior to use.
Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Reviewed by: emaste
Differential revision: https://reviews.freebsd.org/D53275
(cherry picked from commit 0d589ecbc7aa916537fd21c0344919491cfcb293)
---
sys/netpfil/ipfilter/netinet/ip_htable.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/sys/netpfil/ipfilter/netinet/ip_htable.c b/sys/netpfil/ipfilter/netinet/ip_htable.c
index b47a1aa2d795..b56909a02bc3 100644
--- a/sys/netpfil/ipfilter/netinet/ip_htable.c
+++ b/sys/netpfil/ipfilter/netinet/ip_htable.c
@@ -235,6 +235,8 @@ ipf_htable_stats_get(ipf_main_softc_t *softc, void *arg, iplookupop_t *op)
return (EINVAL);
}
+ bzero(&stats, sizeof(stats));
+
stats.iphs_tables = softh->ipf_htables[op->iplo_unit + 1];
stats.iphs_numtables = softh->ipf_nhtables[op->iplo_unit + 1];
stats.iphs_numnodes = softh->ipf_nhtnodes[op->iplo_unit + 1];