| Summary: | IPv6 remote DoS (panic) vulnerability via m_pulldown() bug | | |
|---|---|---|---|
| Product: | Base System | Reporter: | crest |
| Component: | kern | Assignee: | Jonathan T. Looney <jtl> |
| Status: | Closed FIXED | | |
| Severity: | Affects Many People | CC: | bz, chris, emaste, gnn, jtl, koobs, secteam, sigsys |
| Priority: | Normal | Keywords: | crash, security |
| Version: | CURRENT | Flags: | koobs: mfc-stable12+, koobs: mfc-stable11+ |
| Hardware: | Any | | |
| OS: | Any | | |
| See Also: | https://gnats.netbsd.org/30098 | | |
Description

crest
2019-06-24 11:51:47 UTC

Fix assignment. Hadn't had enough caffeine yet.

Could not find references for "reported to and publicly acknowledged by FreeBSD in 2006". If any existing bug exists, please close this as a duplicate of that and retriage that one.

I haven't found an open PR with crashes in m_pulldown, which is why I created a new PR instead of adding a comment to the existing report, but if the message was sent to the security team and got dropped as the reddit post implies, there might not be any publicly visible PR for it. Now that the report was posted in a public forum, any further discussion should probably happen in the open as well.

NetBSD bug report and analysis: http://gnats.netbsd.org/30098
NetBSD change: https://github.com/NetBSD/src/commit/1f94be1791b90c41bfadc9b0aa0621df55213659
XNU change: https://github.com/apple/darwin-xnu/commit/5bbb823c13f3ab1ab58878f96b35433a29882676

A commit references this bug:

Author: jtl
Date: Fri Aug 9 05:19:00 UTC 2019
New revision: 350815
URL: https://svnweb.freebsd.org/changeset/base/350815

Log:
  In m_pulldown(), before trying to prepend bytes to the subsequent mbuf, ensure that the subsequent mbuf contains the remainder of the bytes the caller sought. If this is not the case, fall through to the code which gathers the bytes in a new mbuf.

  This fixes a bug where m_pulldown() could fail to gather all the desired bytes into consecutive memory.

  PR: 238787
  Reported by: A reddit user
  Discussed with: emaste
  Obtained from: NetBSD
  MFC after: 3 days

Changes:
  head/sys/kern/uipc_mbuf2.c

I was able to replicate the crash. The fix from NetBSD fixed the crash. After discussing it with emaste@, I committed the fix to head.

Why wasn't the reddit user named by his/her nickname as "TheGrandSchlonging"?

Because they've said in the past
> nor do I want "TheGrandSchlonging" to appear in FreeBSD commit logs

Assign to committer resolving (keep secteam CC'd)

A commit references this bug:

Author: jtl
Date: Sat Aug 10 00:01:26 UTC 2019
New revision: 350828
URL: https://svnweb.freebsd.org/changeset/base/350828

Log:
  MFC r350815:

  In m_pulldown(), before trying to prepend bytes to the subsequent mbuf, ensure that the subsequent mbuf contains the remainder of the bytes the caller sought. If this is not the case, fall through to the code which gathers the bytes in a new mbuf.

  This fixes a bug where m_pulldown() could fail to gather all the desired bytes into consecutive memory.

  PR: 238787
  Approved by: so (emaste)

Changes:
_U  stable/12/
  stable/12/sys/kern/uipc_mbuf2.c

A commit references this bug:

Author: jtl
Date: Sat Aug 10 00:02:46 UTC 2019
New revision: 350829
URL: https://svnweb.freebsd.org/changeset/base/350829

Log:
  MFC r350815:

  In m_pulldown(), before trying to prepend bytes to the subsequent mbuf, ensure that the subsequent mbuf contains the remainder of the bytes the caller sought. If this is not the case, fall through to the code which gathers the bytes in a new mbuf.

  This fixes a bug where m_pulldown() could fail to gather all the desired bytes into consecutive memory.

  PR: 238787
  Approved by: so (emaste)

Changes:
_U  stable/11/
  stable/11/sys/kern/uipc_mbuf2.c

Original report can be found at http://web.archive.org/web/20091116125618/clem1.be/gimme/ipv6sec.pdf

This was published as FreeBSD-SA-19:22.mbuf and with that I assume can be closed.

^Triage: Track merge status
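The commit log above describes the defect abstractly: the "prepend onto the next mbuf" fast path was taken even when that next mbuf did not hold the remainder of the requested bytes, so the caller got back fewer contiguous bytes than it asked for. The following C program is an added illustration written for this page, not code from FreeBSD, NetBSD or this PR. It models an mbuf chain with a hypothetical `struct mb` and a simplified `pulldown()` that follows the same locate / prepend / gather shape; the `fixed` flag toggles only the extra condition the log describes (the next mbuf must already contain the remaining `tlen` bytes). `run_case()` builds a constructed three-buffer chain and reports whether the result really covers the requested length, which is the contiguity guarantee callers such as extension-header parsers rely on.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, self-contained mbuf model (not FreeBSD's struct mbuf); 'start'
 * leaves leading space in buf so bytes can be prepended in place. */
#define MB_SIZE 64
struct mb {
    struct mb *next;
    unsigned char buf[MB_SIZE];
    int start, len;  /* first valid byte in buf; number of valid bytes */
    int gathered;    /* 1 if this is a standalone copy made by pulldown() */
};

static struct mb *mb_new(const char *data, int len, int leadspace) {
    struct mb *m = calloc(1, sizeof *m);
    m->start = leadspace;
    m->len = len;
    memcpy(m->buf + m->start, data, (size_t)len);
    return m;
}

static void mb_free_chain(struct mb *m) {
    while (m != NULL) { struct mb *next = m->next; free(m); m = next; }
}

/* Make 'len' bytes at chain offset 'off' contiguous. Returns the mbuf holding
 * them with the offset inside it in *offp, or NULL if the chain is too short.
 * A gathered copy is returned standalone (the real function splices it into
 * the chain). 'fixed' toggles the check that r350815 added. */
static struct mb *pulldown(struct mb *m, int off, int len, int *offp, int fixed) {
    if (len <= 0 || len > MB_SIZE) return NULL;
    /* 1. find the mbuf that contains byte 'off' */
    while (m != NULL && off >= m->len) { off -= m->len; m = m->next; }
    if (m == NULL) return NULL;
    /* 2. already contiguous: nothing to do */
    if (m->len - off >= len) { *offp = off; return m; }
    int hlen = m->len - off;  /* requested bytes already in m */
    int tlen = len - hlen;    /* requested bytes that live in later mbufs */
    /* 3. the chain as a whole must be able to supply the request */
    int olen = 0;
    for (struct mb *o = m->next; o != NULL; o = o->next) olen += o->len;
    if (olen < tlen) return NULL;
    /* 4. fast path: prepend the 'hlen' bytes onto the next mbuf if it has
     *    leading space. Unfixed, this path is taken even when that mbuf does
     *    not itself hold the remaining 'tlen' bytes, so the caller gets fewer
     *    than 'len' contiguous bytes. The fix adds the n->len >= tlen test. */
    struct mb *n = m->next;
    if (n->start >= hlen && (!fixed || n->len >= tlen)) {
        n->start -= hlen;
        n->len += hlen;
        memcpy(n->buf + n->start, m->buf + m->start + off, (size_t)hlen);
        m->len -= hlen;
        *offp = 0;
        return n;
    }
    /* 5. slow path: copy the requested bytes from across the chain */
    struct mb *g = calloc(1, sizeof *g);
    g->gathered = 1;
    int copied = 0, coff = off;
    for (struct mb *cur = m; copied < len && cur != NULL; cur = cur->next, coff = 0) {
        int take = cur->len - coff < len - copied ? cur->len - coff : len - copied;
        memcpy(g->buf + copied, cur->buf + cur->start + coff, (size_t)take);
        copied += take;
    }
    g->len = copied;
    *offp = 0;
    return g;
}

/* Constructed chain "ABCD" | "EF" (with leading space) | "GHIJKL"; request 6
 * bytes at offset 2. Returns 1 and writes "CDEFGH" to out (7+ bytes) when the
 * returned mbuf really holds all 6 bytes contiguously, else returns 0. */
int run_case(int fixed, char *out) {
    struct mb *m1 = mb_new("ABCD", 4, 0), *m2 = mb_new("EF", 2, 8),
              *m3 = mb_new("GHIJKL", 6, 0);
    m1->next = m2;
    m2->next = m3;
    int off = 0;
    struct mb *r = pulldown(m1, 2, 6, &off, fixed);
    int ok = r != NULL && r->len - off >= 6;
    out[0] = '\0';
    if (ok) { memcpy(out, r->buf + r->start + off, 6); out[6] = '\0'; }
    if (r != NULL && r->gathered) free(r);
    mb_free_chain(m1);
    return ok;
}

int main(void) {
    char got[8];
    printf("unfixed: contiguous=%d\n", run_case(0, got));
    printf("fixed:   contiguous=%d bytes=%s\n", run_case(1, got), got);
    return 0;
}
```

With `fixed == 0` the prepend path moves "CD" in front of "EF" and returns a buffer holding only four of the six requested bytes; a caller that trusts the contract and reads six bytes walks off the end of valid data, which is the failure class the advisory is about. With `fixed == 1` the extra condition rejects the shortcut and the gather path returns all six bytes. The useful defensive takeaway is the post-condition itself: any caller of a "make contiguous" helper should be able to assume `returned_len - off >= len`, and a regression test like `run_case()` pins that guarantee down.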