Bug 238787 - IPv6 remote DoS (panic) vulnerability via m_pulldown() bug
Summary: IPv6 remote DoS (panic) vulnerability via m_pulldown() bug
Status: In Progress
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: CURRENT
Hardware: Any Any
: Normal Affects Many People
Assignee: Jonathan T. Looney
URL:
Keywords: crash, security
Depends on:
Blocks:
 
Reported: 2019-06-24 11:51 UTC by crest
Modified: 2019-09-11 15:22 UTC (History)
8 users (show)

See Also:
koobs: mfc-stable11?
koobs: mfc-stable12?


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2019-06-24 11:56:34 UTC
Fix assignment.  Hadn't had enough caffeine yet.
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2019-06-24 12:06:46 UTC
Could not find references for "reported to and publicly acknowledged by FreeBSD in 2006".

If any existing bug exists, please close this as a duplicate of that and retriage that one.
Comment 3 crest 2019-06-24 12:14:14 UTC
I haven't found an open PR with crashes in m_pulldown which is why I created a new PR instead of adding a comment to the existing report, but if the message was send to the security team and got dropped as the reddit post implies there might not be any publicly visible PR for it. Now that the report was posted in a public forum any further discussion should probably happen in the open as well.
Comment 5 Ed Maste freebsd_committer 2019-06-24 13:48:10 UTC
NetBSD bug report and analysis: http://gnats.netbsd.org/30098
Comment 7 commit-hook freebsd_committer 2019-08-09 05:20:00 UTC
A commit references this bug:

Author: jtl
Date: Fri Aug  9 05:19:00 UTC 2019
New revision: 350815
URL: https://svnweb.freebsd.org/changeset/base/350815

Log:
  In m_pulldown(), before trying to prepend bytes to the subsequent mbuf,
  ensure that the subsequent mbuf contains the remainder of the bytes
  the caller sought. If this is not the case, fall through to the code
  which gathers the bytes in a new mbuf.

  This fixes a bug where m_pulldown() could fail to gather all the desired
  bytes into consecutive memory.

  PR:		238787
  Reported by:	A reddit user
  Discussed with:	emaste
  Obtained from:	NetBSD
  MFC after:	3 days

Changes:
  head/sys/kern/uipc_mbuf2.c
Comment 8 Jonathan T. Looney freebsd_committer 2019-08-09 05:22:38 UTC
I was able to replicate the crash. The fix from NetBSD fixed the crash. After discussing it with emaste@, I committed the fix to head.
Comment 9 crest 2019-08-09 11:32:05 UTC
Why wasn't the reddit user named by his/her nickname as "TheGrandSchlonging"?
Comment 10 Ed Maste freebsd_committer 2019-08-09 12:03:00 UTC
Because they've said in the past
> nor do I want "TheGrandSchlonging" to appear in FreeBSD commit logs
Comment 11 Kubilay Kocak freebsd_committer freebsd_triage 2019-08-09 12:17:10 UTC
Assign to committer resolving (keep secteam CC'd)
Comment 12 commit-hook freebsd_committer 2019-08-10 00:01:29 UTC
A commit references this bug:

Author: jtl
Date: Sat Aug 10 00:01:26 UTC 2019
New revision: 350828
URL: https://svnweb.freebsd.org/changeset/base/350828

Log:
  MFC r350815:
    In m_pulldown(), before trying to prepend bytes to the subsequent mbuf,
    ensure that the subsequent mbuf contains the remainder of the bytes
    the caller sought. If this is not the case, fall through to the code
    which gathers the bytes in a new mbuf.

    This fixes a bug where m_pulldown() could fail to gather all the desired
    bytes into consecutive memory.

  PR:		238787
  Approved by:	so (emaste)

Changes:
_U  stable/12/
  stable/12/sys/kern/uipc_mbuf2.c
Comment 13 commit-hook freebsd_committer 2019-08-10 00:03:32 UTC
A commit references this bug:

Author: jtl
Date: Sat Aug 10 00:02:46 UTC 2019
New revision: 350829
URL: https://svnweb.freebsd.org/changeset/base/350829

Log:
  MFC r350815:
    In m_pulldown(), before trying to prepend bytes to the subsequent mbuf,
    ensure that the subsequent mbuf contains the remainder of the bytes
    the caller sought. If this is not the case, fall through to the code
    which gathers the bytes in a new mbuf.

    This fixes a bug where m_pulldown() could fail to gather all the desired
    bytes into consecutive memory.

  PR:		238787
  Approved by:	so (emaste)

Changes:
_U  stable/11/
  stable/11/sys/kern/uipc_mbuf2.c
Comment 14 Ed Maste freebsd_committer 2019-08-13 20:54:09 UTC
Original report can be found at http://web.archive.org/web/20091116125618/clem1.be/gimme/ipv6sec.pdf