git: fcdc47e20959 - stable/15 - ipfilter: Plug ip_htable kernel information leak
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Sun, 26 Oct 2025 03:14:38 UTC
The branch stable/15 has been updated by cy:
URL: https://cgit.FreeBSD.org/src/commit/?id=fcdc47e209590800020c958a966f258d8af143b1
commit fcdc47e209590800020c958a966f258d8af143b1
Author: Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2025-10-22 16:29:03 +0000
Commit: Cy Schubert <cy@FreeBSD.org>
CommitDate: 2025-10-26 03:14:08 +0000
ipfilter: Plug ip_htable kernel information leak
ipf_htable_stats_get() constructs an iphtstat_t on the stack and only
initializes select fields before copying the entire structure to
userland. The trailing padding array iphs_pad[16] is never initialized,
so ~128 bytes of uninitialized kernel stack memory can be leaked to user
space on each call. This is a classic information disclosure
vulnerability that can reveal pointers and other sensitive data.
We fix this by zeroing out the data structure prior to use.
Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Reviewed by: emaste
Differential revision: https://reviews.freebsd.org/D53275
(cherry picked from commit 0d589ecbc7aa916537fd21c0344919491cfcb293)
---
sys/netpfil/ipfilter/netinet/ip_htable.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/sys/netpfil/ipfilter/netinet/ip_htable.c b/sys/netpfil/ipfilter/netinet/ip_htable.c
index 91b375f80db1..3f765cfab947 100644
--- a/sys/netpfil/ipfilter/netinet/ip_htable.c
+++ b/sys/netpfil/ipfilter/netinet/ip_htable.c
@@ -230,6 +230,8 @@ ipf_htable_stats_get(ipf_main_softc_t *softc, void *arg, iplookupop_t *op)
return (EINVAL);
}
+ bzero(&stats, sizeof(stats));
+
stats.iphs_tables = softh->ipf_htables[op->iplo_unit + 1];
stats.iphs_numtables = softh->ipf_nhtables[op->iplo_unit + 1];
stats.iphs_numnodes = softh->ipf_nhtnodes[op->iplo_unit + 1];