Created attachment 224927
add new variables to avoid uaf.

Bug File: sys/dev/cxgb/cxgb_sge.c

In function get_packet, m is freed via m_freem() at line 2,775 in the case RSPQ_NSOP_NEOP. However, the freed m is used in m->m_len and m->m_pkthdr.len in printf(). This is a use-after-free bug and could print security-sensitive information. Although it exists in debug mode, it is worth fixing.

My patch uses "m_len = m->m_len" and "m_pkthdr_len = m->m_pkthdr.len" to avoid the uaf bug.
https://cgit.FreeBSD.org/src/commit/?id=16f8f89c5c1f324a15a7e0607f03f041a230a572
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=7a67b893e81e20c2d6f4e30ef6c304838f6cc0df

commit 7a67b893e81e20c2d6f4e30ef6c304838f6cc0df
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-05-26 14:02:19 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-06-02 13:34:07 +0000

    cxgb: Avoid a read-after-free in get_packet() when cxgb_debug is on

    PR:             255863
    MFC after:      1 week

    (cherry picked from commit 16f8f89c5c1f324a15a7e0607f03f041a230a572)

 sys/dev/cxgb/cxgb_sge.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=d88bd7d80ff2a318aa6dc3c710538f5ddc5a1a63

commit d88bd7d80ff2a318aa6dc3c710538f5ddc5a1a63
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-05-26 14:02:19 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-06-02 13:36:35 +0000

    cxgb: Avoid a read-after-free in get_packet() when cxgb_debug is on

    PR:             255863
    MFC after:      1 week

    (cherry picked from commit 16f8f89c5c1f324a15a7e0607f03f041a230a572)

 sys/dev/cxgb/cxgb_sge.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
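
The ordering problem described in the report (free, then read fields for a debug message) next to the copy-into-locals approach the reporter describes, as an added example that is not the FreeBSD driver code or the committed fix. Assumptions: `struct pkt`, the static pool, the poison-on-free allocator and all function names are simplified stand-ins for the mbuf and `m_freem()`.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins (assumptions), not FreeBSD's struct mbuf or cxgb code. */
struct pkt { int len; int pkthdr_len; };
struct logged { int len; int pkthdr_len; };

static struct pkt pool[2];   /* static pool: freed slots stay addressable */
static int pool_used[2];
static int debug_on = 1;     /* plays the role of cxgb_debug */

static struct pkt *pkt_alloc(int len, int pkthdr_len) {
    for (int i = 0; i < 2; i++) {
        if (!pool_used[i]) {
            pool_used[i] = 1;
            pool[i].len = len;
            pool[i].pkthdr_len = pkthdr_len;
            return &pool[i];
        }
    }
    return NULL;
}

/* Poison on free, as a debug allocator would, so stale reads are visible. */
static void pkt_free(struct pkt *p) {
    memset(p, 0xA5, sizeof(*p));
    pool_used[p - pool] = 0;
}

/* Buggy ordering: the debug message reads fields of an already freed packet. */
static struct logged free_then_log(struct pkt *p) {
    pkt_free(p);
    struct logged l = { p->len, p->pkthdr_len };   /* stale read */
    if (debug_on) printf("buggy: len=%d pkthdr.len=%d\n", l.len, l.pkthdr_len);
    return l;
}

/* Fixed ordering: copy the fields while the packet is live, then free. */
static struct logged copy_then_free(struct pkt *p) {
    int m_len = p->len, m_pkthdr_len = p->pkthdr_len;
    pkt_free(p);
    struct logged l = { m_len, m_pkthdr_len };
    if (debug_on) printf("fixed: len=%d pkthdr.len=%d\n", l.len, l.pkthdr_len);
    return l;
}

int main(void) {
    free_then_log(pkt_alloc(64, 1500));
    copy_then_free(pkt_alloc(64, 1500));
    return 0;
}
```

With a real allocator the freed memory may already belong to another object, so the stale read would log whatever that object holds instead of a poison pattern.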