git: 4260de80f05d - stable/13 - ipfilter: Plug ip_nat kernel information leak
Date: Sun, 26 Oct 2025 03:15:29 UTC
The branch stable/13 has been updated by cy:
URL: https://cgit.FreeBSD.org/src/commit/?id=4260de80f05d0e04d4f978f40ae2cfbddf9b47dd
commit 4260de80f05d0e04d4f978f40ae2cfbddf9b47dd
Author: Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2025-10-22 15:59:26 +0000
Commit: Cy Schubert <cy@FreeBSD.org>
CommitDate: 2025-10-26 03:15:13 +0000
ipfilter: Plug ip_nat kernel information leak
ipf_nat_getent() allocates a variable-sized nat_save_t buffer with
KMALLOCS() (which does not zero memory) and then copies only a subset
of fields into it before returning the object to userland using
ipf_outobjsz(). Because the structure is not fully initialized on all
paths, uninitialized kernel heap bytes can be copied back to user space,
resulting in an information leak.
We fix this by zeroing out the data structure immediately after
allocation.
Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Reviewed by: emaste
Differential revision: https://reviews.freebsd.org/D53274
(cherry picked from commit 6535e9308a26e17023831fe68fb71d2febf2a002)
---
sys/netpfil/ipfilter/netinet/ip_nat.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sys/netpfil/ipfilter/netinet/ip_nat.c b/sys/netpfil/ipfilter/netinet/ip_nat.c
index 35b18575ac6f..8b343acf1211 100644
--- a/sys/netpfil/ipfilter/netinet/ip_nat.c
+++ b/sys/netpfil/ipfilter/netinet/ip_nat.c
@@ -1775,6 +1775,7 @@ ipf_nat_getent(ipf_main_softc_t *softc, caddr_t data, int getlock)
IPFERROR(60029);
return (ENOMEM);
}
+ bzero(ipn, ipns.ipn_dsize);
if (getlock) {
READ_ENTER(&softc->ipf_nat);
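Review bot: the added bzero(ipn, ipns.ipn_dsize) relies on ipns.ipn_dsize being the same size that was passed to KMALLOCS() for this buffer; that allocation is outside the visible context of this hunk, so confirm in review that both use the identical size expression, otherwise any bytes between ipn_dsize and the true allocation size would remain uninitialized and could still reach userland through ipf_outobjsz(). Placement is right: the zeroing sits directly after the ENOMEM check and before the lock is taken, so every later exit path that copies the object out sees a fully initialized buffer, and the cost is one memset of a user-supplied size that has already been accepted by the allocator. A one-line comment such as "zero so that fields not written below never leak heap contents" would make the intent of the bzero obvious to the next reader.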