From nobody Sun Oct 26 03:15:29 2025
Date: Sun, 26 Oct 2025 03:15:29 GMT
Message-Id: <202510260315.59Q3FT28064167@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Cy Schubert
Subject: git: 4260de80f05d - stable/13 - ipfilter: Plug ip_nat kernel information leak
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: cy
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 4260de80f05d0e04d4f978f40ae2cfbddf9b47dd

The branch stable/13 has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=4260de80f05d0e04d4f978f40ae2cfbddf9b47dd

commit 4260de80f05d0e04d4f978f40ae2cfbddf9b47dd
Author:     Cy Schubert
AuthorDate: 2025-10-22 15:59:26 +0000
Commit:     Cy Schubert
CommitDate: 2025-10-26 03:15:13 +0000

    ipfilter: Plug ip_nat kernel information leak

    ipf_nat_getent() allocates a variable-sized nat_save_t buffer with
    KMALLOCS() (which does not zero memory) and then copies only a subset
    of fields into it before returning the object to userland using
    ipf_outobjsz(). Because the structure is not fully initialized on all
    paths, uninitialized kernel heap bytes can be copied back to user
    space, resulting in an information leak.

    We fix this by zeroing out the data structure immediately after
    allocation.

    Reported by:    Ilja Van Sprundel
    Reviewed by:    emaste
    Differential revision:  https://reviews.freebsd.org/D53274

    (cherry picked from commit 6535e9308a26e17023831fe68fb71d2febf2a002)
---
 sys/netpfil/ipfilter/netinet/ip_nat.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sys/netpfil/ipfilter/netinet/ip_nat.c b/sys/netpfil/ipfilter/netinet/ip_nat.c
index 35b18575ac6f..8b343acf1211 100644
--- a/sys/netpfil/ipfilter/netinet/ip_nat.c
+++ b/sys/netpfil/ipfilter/netinet/ip_nat.c
@@ -1775,6 +1775,7 @@ ipf_nat_getent(ipf_main_softc_t *softc, caddr_t data, int getlock) IPFERROR(60029); return (ENOMEM); } + bzero(ipn, ipns.ipn_dsize); if (getlock) { READ_ENTER(&softc->ipf_nat);
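Review bot: the bzero() length ipns.ipn_dsize must be the same value that was passed to KMALLOCS() for ipn just above this hunk; the allocation is outside the visible context, so confirm both sides use the same size, otherwise the zeroing is either short (leaving stale heap bytes in the tail that ipf_outobjsz() later copies out) or overruns the allocation. A one-line comment above the added bzero() stating that the structure is not fully populated on every path, and that the zeroing is what prevents the copyout leak, would keep a later cleanup from dropping it as redundant. Placing the bzero() before READ_ENTER(&softc->ipf_nat) is the right spot: it does not depend on the lock and keeps the lock hold time short.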
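The bug class the commit describes, as an added userland illustration that is not ipfilter code: a variable-sized record is carved from a non-zeroing allocator, only its header fields are written, and the whole record (dsize bytes) is then copied out. The struct name, the stale-byte pattern and the allocator are constructed stand-ins for nat_save_t, stale heap contents and KMALLOCS().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a variable-sized save record: a fixed header
 * followed by (dsize - sizeof header) bytes of trailing data. */
struct save_rec {
    uint32_t dsize;     /* total object size, including trailing data */
    uint32_t flags;
    uint8_t  data[];    /* variable-length tail */
};

/* Simulated non-zeroing allocator: the returned memory still carries
 * recognisable stale bytes (0xA5), standing in for old heap contents. */
static void *stale_alloc(size_t n)
{
    void *p = malloc(n);
    if (p != NULL)
        memset(p, 0xA5, n);
    return p;
}

/* Build a record of total size dsize, writing only the header fields.
 * zero_first == 0 mirrors the pre-fix path; zero_first == 1 mirrors the
 * fix (zero the whole allocation right after obtaining it). */
static struct save_rec *get_entry(uint32_t dsize, int zero_first)
{
    struct save_rec *r;
    if (dsize < sizeof(*r) || (r = stale_alloc(dsize)) == NULL)
        return NULL;
    if (zero_first)
        memset(r, 0, dsize);          /* equivalent of bzero(ipn, ipn_dsize) */
    r->dsize = dsize;                 /* only a subset of fields is written */
    r->flags = 1;
    return r;
}

/* Count tail bytes still holding the stale pattern: exactly the bytes a
 * dsize-length copy to userland would disclose. */
static size_t leaked_bytes(uint32_t dsize, int zero_first)
{
    struct save_rec *r = get_entry(dsize, zero_first);
    size_t hdr = offsetof(struct save_rec, data), leaked = 0;
    if (r == NULL)
        return 0;
    for (size_t i = hdr; i < dsize; i++)
        if (((uint8_t *)r)[i] == 0xA5)
            leaked++;
    free(r);
    return leaked;
}
```

With a 64-byte record the unfixed path exposes all 56 tail bytes, while zeroing after allocation exposes none.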