Bug 255871 - net/rtsock: Fix a use after free in update_rtm_from_rc
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Alexander V. Chernikov
Reported: 2021-05-14 12:22 UTC by lylgood
Modified: 2021-06-16 14:36 UTC
koobs: mfc-stable13+
koobs: mfc-stable12?
koobs: mfc-stable11?


Attachments
assigning the new allocated *prtm to rtm (468 bytes, patch)
2021-05-14 12:22 UTC, lylgood
Description lylgood 2021-05-14 12:22:02 UTC
Created attachment 224935
assigning the new allocated *prtm to rtm

Bug File: sys/net/rtsock.c

In function update_rtm_from_rc, *prtm is assigned to rtm at line 946 and *prtm is freed by the callee update_rtm_from_info() via free(orig_rtm, M_TEMP).
And then *prtm was assigned a newly allocated rtm in this callee.

But now, the rtm in the caller still points to a freed memory object. The freed memory object is used later by rtm->rtm_flags, rtm->rtm_rmx and rtm->rtm_rmx.rmx_weight...

The root of this UAF bug is that the reassignment of *prtm in the callee does not change the value of the outside rtm. My patch fixes this error by assigning the newly allocated *prtm to rtm.
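
The pattern described above, as an added userland model that is not code from the bug report or from FreeBSD. `struct msg`, `grow_msg`, `fill_buggy` and `fill_fixed` are hypothetical names standing in for the routing message, update_rtm_from_info() and update_rtm_from_rc() before and after the fix.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a routing message, not the kernel's struct. */
struct msg { size_t len; int flags; };

/* Callee: if the buffer is too small, allocate a larger one, free the
 * original and publish the new pointer through pmsg.
 * Returns 1 if the buffer moved, 0 if it did not, -1 on failure. */
static int grow_msg(struct msg **pmsg, size_t need)
{
    struct msg *orig = *pmsg, *n;

    if (need <= orig->len)
        return 0;
    if ((n = calloc(1, need)) == NULL)
        return -1;
    memcpy(n, orig, orig->len);
    n->len = need;
    free(orig);                   /* any saved copy of orig now dangles */
    *pmsg = n;
    return 1;
}

/* Before the fix: m is read once and never refreshed. */
static int fill_buggy(struct msg **pmsg, size_t need, int flags)
{
    struct msg *m = *pmsg;
    int moved = grow_msg(pmsg, need);

    if (moved >= 0)
        m->flags = flags;         /* use after free when moved == 1 */
    return moved;
}

/* After the fix: reload the alias once the callee has returned. */
static int fill_fixed(struct msg **pmsg, size_t need, int flags)
{
    struct msg *m = *pmsg;
    int moved = grow_msg(pmsg, need);

    m = *pmsg;                    /* the one-line fix */
    if (moved >= 0)
        m->flags = flags;
    return moved;
}
```

Built with `-fsanitize=address`, a call to `fill_buggy` with `need` larger than the current `len` is reported as a heap-use-after-free at the `m->flags` write; `fill_fixed` runs clean on the same input.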
Comment 1 commit-hook freebsd_committer freebsd_triage 2021-05-14 16:11:20 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=76cfc6fa0d819e7caca86c8299947cea1af9d6bc

commit 76cfc6fa0d819e7caca86c8299947cea1af9d6bc
Author:     Alexander V. Chernikov <melifaro@FreeBSD.org>
AuthorDate: 2021-05-14 16:03:08 +0000
Commit:     Alexander V. Chernikov <melifaro@FreeBSD.org>
CommitDate: 2021-05-14 16:06:41 +0000

    Fix a use after free in update_rtm_from_rc().

    update_rtm_from_rc() calls update_rtm_from_info() internally.
    The latter one may update provided prtm pointer with a new rtm.
    Reassign rtm from prtm after calling update_rtm_from_info() to
    avoid touching the freed rtm.

    PR:             255871
    Submitted by:   lylgood@foxmail.com
    MFC after:      3 days

 sys/net/rtsock.c | 1 +
 1 file changed, 1 insertion(+)
Comment 2 commit-hook freebsd_committer freebsd_triage 2021-05-30 10:31:23 UTC
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=d40def01a4f4fed65329f4a74792cad3134eeb29

commit d40def01a4f4fed65329f4a74792cad3134eeb29
Author:     Alexander V. Chernikov <melifaro@FreeBSD.org>
AuthorDate: 2021-05-14 16:03:08 +0000
Commit:     Alexander V. Chernikov <melifaro@FreeBSD.org>
CommitDate: 2021-05-30 10:30:53 +0000

    Fix a use after free in update_rtm_from_rc().

    update_rtm_from_rc() calls update_rtm_from_info() internally.
    The latter one may update provided prtm pointer with a new rtm.
    Reassign rtm from prtm after calling update_rtm_from_info() to
    avoid touching the freed rtm.

    PR:             255871
    Submitted by:   lylgood@foxmail.com

 sys/net/rtsock.c | 1 +
 1 file changed, 1 insertion(+)