Bug 238787

Summary: IPv6 remote DoS (panic) vulnerability via m_pulldown() bug
Product: Base System
Reporter: crest
Component: kern
Assignee: Jonathan T. Looney <jtl>
Status: Closed FIXED
Severity: Affects Many People
CC: bz, chris, emaste, gnn, jtl, koobs, secteam, sigsys
Priority: Normal
Keywords: crash, security
Version: CURRENT
Flags: koobs: mfc-stable12+, koobs: mfc-stable11+
Hardware: Any
OS: Any
See Also: https://gnats.netbsd.org/30098

Comment 1 Mark Linimon freebsd_committer freebsd_triage 2019-06-24 11:56:34 UTC
Fix assignment.  Hadn't had enough caffeine yet.
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2019-06-24 12:06:46 UTC
Could not find references for "reported to and publicly acknowledged by FreeBSD in 2006".

If any existing bug exists, please close this as a duplicate of that and retriage that one.
Comment 3 crest 2019-06-24 12:14:14 UTC
I haven't found an open PR with crashes in m_pulldown, which is why I created a new PR instead of adding a comment to the existing report, but if the message was sent to the security team and got dropped, as the reddit post implies, there might not be any publicly visible PR for it. Now that the report was posted in a public forum, any further discussion should probably happen in the open as well.
Comment 5 Ed Maste freebsd_committer freebsd_triage 2019-06-24 13:48:10 UTC
NetBSD bug report and analysis: http://gnats.netbsd.org/30098
Comment 7 commit-hook freebsd_committer freebsd_triage 2019-08-09 05:20:00 UTC
A commit references this bug:

Author: jtl
Date: Fri Aug  9 05:19:00 UTC 2019
New revision: 350815
URL: https://svnweb.freebsd.org/changeset/base/350815

Log:
  In m_pulldown(), before trying to prepend bytes to the subsequent mbuf,
  ensure that the subsequent mbuf contains the remainder of the bytes
  the caller sought. If this is not the case, fall through to the code
  which gathers the bytes in a new mbuf.

  This fixes a bug where m_pulldown() could fail to gather all the desired
  bytes into consecutive memory.

  PR:		238787
  Reported by:	A reddit user
  Discussed with:	emaste
  Obtained from:	NetBSD
  MFC after:	3 days

Changes:
  head/sys/kern/uipc_mbuf2.c
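The commit log above describes the fix in one sentence; the following userland model, added here as an illustration and not taken from FreeBSD's sys/kern/uipc_mbuf2.c, shows why the missing check matters. It reimplements only the two m_pulldown() paths the log talks about (prepending the head bytes to the next mbuf versus gathering into a fresh mbuf); the `struct mbuf` layout, the `fixed` switch and the constructed three-mbuf chain are assumptions of the model, and the added condition `n->m_next->m_len >= tlen` is my reading of "ensure that the subsequent mbuf contains the remainder of the bytes the caller sought". With `fixed=0` the caller asks for 16 contiguous bytes and gets back an mbuf holding only 12, so any caller that trusts the contract and reads 16 bytes reads past the valid data; with `fixed=1` the prepend path is skipped and all 16 bytes are gathered.

```c
#include <stdlib.h>
#include <string.h>

#define MODEL_BUFSZ 64 /* model constant, not the kernel's MLEN */

/* Toy mbuf: data starts at m_data inside m_buf; bytes before m_data are
 * leading space a prepend can grow into. */
struct mbuf {
	struct mbuf *m_next;
	char *m_data;
	int m_len;
	char m_buf[MODEL_BUFSZ];
};

/* Copy len bytes starting at chain offset off into dst (like m_copydata). */
static void m_copydata_model(const struct mbuf *m, int off, int len, char *dst)
{
	for (; m != NULL && off >= m->m_len; m = m->m_next)
		off -= m->m_len;
	for (; len > 0 && m != NULL; m = m->m_next, off = 0) {
		int c = m->m_len - off < len ? m->m_len - off : len;
		memcpy(dst, m->m_data + off, c);
		dst += c;
		len -= c;
	}
}

/* Model of the m_pulldown() paths relevant to r350815: returns the mbuf holding
 * bytes [off, off+len) (offset into it in *offp) or NULL if the chain is too short.
 * fixed=0 is the pre-commit prepend condition; fixed=1 adds the check that n->m_next
 * already holds tlen bytes. Shared-cluster/trailing-space paths are omitted. */
static struct mbuf *model_pulldown(struct mbuf *m, int off, int len, int *offp, int fixed)
{
	struct mbuf *n = m, *o;
	int hlen, tlen, olen = 0;
	for (; n != NULL && off > 0 && n->m_len <= off; n = n->m_next)
		off -= n->m_len;
	if (n == NULL) return NULL;
	if (n->m_len >= off + len) { /* already contiguous */
		*offp = off;
		return n;
	}
	hlen = n->m_len - off; /* bytes already in n */
	tlen = len - hlen;     /* bytes still needed from the rest of the chain */
	for (o = n->m_next; o != NULL; o = o->m_next)
		olen += o->m_len;
	if (olen < tlen) return NULL; /* chain too short */
	/* Prepend path: move the hlen bytes in front of n->m_next's data. Before the
	 * fix only leading space was checked, so when n->m_next held fewer than tlen
	 * bytes the caller got back an mbuf with m_len < len. */
	if (n->m_next->m_data - n->m_next->m_buf >= hlen &&
	    (!fixed || n->m_next->m_len >= tlen)) {
		n->m_next->m_data -= hlen;
		n->m_next->m_len += hlen;
		memcpy(n->m_next->m_data, n->m_data + off, hlen);
		n->m_len -= hlen;
		*offp = 0;
		return n->m_next;
	}
	/* Gather path: copy the bytes into a fresh mbuf (the real function also
	 * splices it into the chain; omitted here). */
	if ((o = calloc(1, sizeof(*o))) == NULL) return NULL;
	o->m_data = o->m_buf;
	m_copydata_model(n, off, len, o->m_data);
	o->m_len = len;
	*offp = 0;
	return o;
}

/* Constructed scenario: the caller wants 16 contiguous bytes at offset 0. mbuf a
 * holds 8, b has 32 bytes of leading space but only 4 bytes of data, c holds 8.
 * Returns how many valid bytes the returned mbuf has past *offp (safe: >= 16) and,
 * if view is non-NULL, the 16 bytes a caller would read ('?' = beyond valid data). */
static int model_scenario(int fixed, char *view)
{
	struct mbuf a = {0}, b = {0}, c = {0}, *r;
	int offp, got;
	a.m_next = &b; a.m_data = a.m_buf; a.m_len = 8; memcpy(a.m_data, "AAAAAAAA", 8);
	b.m_next = &c; b.m_data = b.m_buf + 32; b.m_len = 4; memcpy(b.m_data, "BBBB", 4);
	c.m_data = c.m_buf; c.m_len = 8; memcpy(c.m_data, "CCCCCCCC", 8);

	if ((r = model_pulldown(&a, 0, 16, &offp, fixed)) == NULL) return -1;
	got = r->m_len - offp;
	if (view != NULL) {
		memset(view, '?', 16);
		memcpy(view, r->m_data + offp, got < 16 ? got : 16);
	}
	if (r != &a && r != &b && r != &c) free(r);
	return got;
}

/* Same scenario as a NUL-terminated string of what the caller reads. */
static const char *model_scenario_view(int fixed)
{
	static char view[17];
	model_scenario(fixed, view); view[16] = '\0';
	return view;
}
```

Calling `model_scenario(0, NULL)` returns 12 and `model_scenario_view(0)` yields "AAAAAAAABBBB????": the prepend succeeded because the leading space was there, but the result is 4 bytes short of what the caller was promised. With `fixed=1` the same chain takes the gather path and returns 16 bytes, "AAAAAAAABBBBCCCC". The shape of the check is the point: a fast path that moves data around must re-verify the post-condition the caller relies on (len contiguous bytes), not just the precondition that makes the move possible (enough leading space).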
Comment 8 Jonathan T. Looney freebsd_committer freebsd_triage 2019-08-09 05:22:38 UTC
I was able to replicate the crash. The fix from NetBSD fixed the crash. After discussing it with emaste@, I committed the fix to head.
Comment 9 crest 2019-08-09 11:32:05 UTC
Why wasn't the reddit user named by his/her nickname as "TheGrandSchlonging"?
Comment 10 Ed Maste freebsd_committer freebsd_triage 2019-08-09 12:03:00 UTC
Because they've said in the past
> nor do I want "TheGrandSchlonging" to appear in FreeBSD commit logs
Comment 11 Kubilay Kocak freebsd_committer freebsd_triage 2019-08-09 12:17:10 UTC
Assign to committer resolving (keep secteam CC'd)
Comment 12 commit-hook freebsd_committer freebsd_triage 2019-08-10 00:01:29 UTC
A commit references this bug:

Author: jtl
Date: Sat Aug 10 00:01:26 UTC 2019
New revision: 350828
URL: https://svnweb.freebsd.org/changeset/base/350828

Log:
  MFC r350815:
    In m_pulldown(), before trying to prepend bytes to the subsequent mbuf,
    ensure that the subsequent mbuf contains the remainder of the bytes
    the caller sought. If this is not the case, fall through to the code
    which gathers the bytes in a new mbuf.

    This fixes a bug where m_pulldown() could fail to gather all the desired
    bytes into consecutive memory.

  PR:		238787
  Approved by:	so (emaste)

Changes:
_U  stable/12/
  stable/12/sys/kern/uipc_mbuf2.c
Comment 13 commit-hook freebsd_committer freebsd_triage 2019-08-10 00:03:32 UTC
A commit references this bug:

Author: jtl
Date: Sat Aug 10 00:02:46 UTC 2019
New revision: 350829
URL: https://svnweb.freebsd.org/changeset/base/350829

Log:
  MFC r350815:
    In m_pulldown(), before trying to prepend bytes to the subsequent mbuf,
    ensure that the subsequent mbuf contains the remainder of the bytes
    the caller sought. If this is not the case, fall through to the code
    which gathers the bytes in a new mbuf.

    This fixes a bug where m_pulldown() could fail to gather all the desired
    bytes into consecutive memory.

  PR:		238787
  Approved by:	so (emaste)

Changes:
_U  stable/11/
  stable/11/sys/kern/uipc_mbuf2.c
Comment 14 Ed Maste freebsd_committer freebsd_triage 2019-08-13 20:54:09 UTC
Original report can be found at http://web.archive.org/web/20091116125618/clem1.be/gimme/ipv6sec.pdf
Comment 15 Bjoern A. Zeeb freebsd_committer freebsd_triage 2019-11-12 22:19:03 UTC
This was published as FreeBSD-SA-19:22.mbuf and with that I assume can be closed.
Comment 16 Kubilay Kocak freebsd_committer freebsd_triage 2019-11-13 01:49:54 UTC
^Triage: Track merge status