Created attachment 237765
trigger NULL dereference in kernel LibAlias's SctpAlias()

In sys/netinet/libalias/alias_sctp.c, if SctpAlias()'s call to sctp_PktParser() returns SN_PARSE_ERROR_CHHL, and the IP_MF bit is set, then SctpAlias() ignores the error. However, sctp_PktParser() doesn't always set assoc in this situation, in which case SctpAlias() passes the NULL assoc to ProcessSctpMsg(), which tries to dereference it.

Here's a demo, via netgraph's ng_nat:

# cc ng50a.c -lnetgraph
# ./a.out
panic: Fatal page fault at 0xffffffc0004fbf7e: 0x00000000000018
panic() at panic+0x2a
page_fault_handler() at page_fault_handler+0x1d6
do_trap_supervisor() at do_trap_supervisor+0x74
cpu_exception_handler_supervisor() at cpu_exception_handler_supervisor+0x70
--- exception 13, tval = 0x18
ProcessSctpMsg() at ProcessSctpMsg+0xc
SctpAlias() at SctpAlias+0x158
LibAliasOutLocked() at LibAliasOutLocked+0x176
LibAliasOut() at LibAliasOut+0x42
ng_nat_rcvdata() at ng_nat_rcvdata+0x220
ng_apply_item() at ng_apply_item+0x130
ng_snd_item() at ng_snd_item+0x1bc
ngd_send() at ngd_send+0xf8
sosend_generic() at sosend_generic+0x384
sosend() at sosend+0x68
kern_sendit() at kern_sendit+0x170
sendit() at sendit+0x9c
sys_sendto() at sys_sendto+0x40
syscallenter() at syscallenter+0xec
ecall_handler() at ecall_handler+0x18
do_trap_user() at do_trap_user+0xf6
cpu_exception_handler_user() at cpu_exception_handler_user+0x72
--- syscall (133, FreeBSD ELF64, sys_sendto)
Can you describe how to reproduce the issue?
(In reply to Michael Tuexen from comment #1) Did the program I attached not do the trick?
Will try. I missed that program since I wasn't expecting a single program as a reproducer. I have no experience with netgraph. Will look into it.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=9a714376212ec1685fdc4cf254f2136a07ae6d2c

commit 9a714376212ec1685fdc4cf254f2136a07ae6d2c
Author:     Michael Tuexen <tuexen@FreeBSD.org>
AuthorDate: 2022-11-15 20:05:02 +0000
Commit:     Michael Tuexen <tuexen@FreeBSD.org>
CommitDate: 2022-11-15 20:05:02 +0000

    libalias: improve handling of invalid SCTP packets

    In case of a partial chunk only pretend the result is OK if the packet
    is not the last fragment and there is a valid association.

    PR:		267476
    MFC after:	3 days

 sys/netinet/libalias/alias_sctp.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=39844782bf1e648fa85eec40484af4d221d45fa8

commit 39844782bf1e648fa85eec40484af4d221d45fa8
Author:     Michael Tuexen <tuexen@FreeBSD.org>
AuthorDate: 2022-11-15 20:05:02 +0000
Commit:     Michael Tuexen <tuexen@FreeBSD.org>
CommitDate: 2023-02-02 00:01:43 +0000

    libalias: improve handling of invalid SCTP packets

    In case of a partial chunk only pretend the result is OK if the packet
    is not the last fragment and there is a valid association.

    PR:		267476

    (cherry picked from commit 9a714376212ec1685fdc4cf254f2136a07ae6d2c)

 sys/netinet/libalias/alias_sctp.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=6dc94f4ba1a5b0f17c3adda317eac31d3146eccf

commit 6dc94f4ba1a5b0f17c3adda317eac31d3146eccf
Author:     Michael Tuexen <tuexen@FreeBSD.org>
AuthorDate: 2022-11-15 20:05:02 +0000
Commit:     Michael Tuexen <tuexen@FreeBSD.org>
CommitDate: 2023-06-25 19:42:28 +0000

    libalias: improve handling of invalid SCTP packets

    In case of a partial chunk only pretend the result is OK if the packet
    is not the last fragment and there is a valid association.

    PR:		267476

    (cherry picked from commit 9a714376212ec1685fdc4cf254f2136a07ae6d2c)

 sys/netinet/libalias/alias_sctp.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
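The control flow from the report (CHHL error waved through when IP_MF is set, assoc possibly still NULL) and the guard the commit above describes (also require a valid association), as an added stand-alone C model. This is not code from FreeBSD's alias_sctp.c or from the attached reproducer: parse(), process(), lookup(), struct assoc, build_packet() and the SN_PARSE_ERROR_LOOKUP / SN_NULL_DEREF values are this model's own, and the sample packet is constructed here. Only IP_MF, the 20-byte IPv4 header, the 12-byte SCTP common header and the 4-byte chunk header are the real on-the-wire values.

```c
/*
 * Stand-alone model of the SctpAlias() control flow, not FreeBSD's
 * alias_sctp.c. parse(), process(), lookup(), struct assoc and the
 * SN_PARSE_ERROR_LOOKUP / SN_NULL_DEREF values are this model's own.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum {
	SN_PARSE_OK = 0,
	SN_PARSE_ERROR_CHHL,    /* chunk header does not fit in the packet */
	SN_PARSE_ERROR_LOOKUP,  /* model only: no association for this v_tag */
	SN_NULL_DEREF           /* model only: where ProcessSctpMsg() would fault */
};

#define IP_MF        0x2000 /* "more fragments" bit in ip_off */
#define IPPROTO_SCTP 132
#define IP_HLEN      20     /* IPv4 header without options */
#define SCTP_HLEN    12     /* src port, dst port, v_tag, checksum */
#define CHUNK_HLEN   4      /* type, flags, length */

struct assoc { uint32_t vtag; unsigned pkts; };

/* One known association, standing in for libalias's hash tables. */
static struct assoc table[] = { { 0x11223344u, 0 } };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
	return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

static struct assoc *lookup(uint32_t vtag)
{
	for (size_t i = 0; i < sizeof(table) / sizeof(table[0]); i++)
		if (table[i].vtag == vtag)
			return &table[i];
	return NULL;
}

/* Model of sctp_PktParser(): *passoc is filled in only when the v_tag lookup
 * succeeds, so a chunk-header-length error can leave it NULL. */
static int parse(const uint8_t *pkt, size_t len, struct assoc **passoc)
{
	*passoc = NULL;
	if (len < IP_HLEN + SCTP_HLEN || (pkt[0] >> 4) != 4 || pkt[9] != IPPROTO_SCTP)
		return SN_PARSE_ERROR_LOOKUP;
	*passoc = lookup(rd32(pkt + IP_HLEN + 4));      /* v_tag follows the two ports */
	if (len < IP_HLEN + SCTP_HLEN + CHUNK_HLEN)
		return SN_PARSE_ERROR_CHHL;                 /* partial chunk */
	return *passoc != NULL ? SN_PARSE_OK : SN_PARSE_ERROR_LOOKUP;
}

/* Model of ProcessSctpMsg(): dereferences the association unconditionally. */
static int process(struct assoc *a) { a->pkts++; return SN_PARSE_OK; }

static bool more_fragments(const uint8_t *pkt) { return (rd16(pkt + 6) & IP_MF) != 0; }

/* Pre-fix dispatch: a CHHL error is waved through whenever IP_MF is set. */
int sctp_alias_before(const uint8_t *pkt, size_t len)
{
	struct assoc *assoc;
	int rv = parse(pkt, len, &assoc);
	if (rv == SN_PARSE_ERROR_CHHL && more_fragments(pkt))
		rv = SN_PARSE_OK;
	if (rv != SN_PARSE_OK)
		return rv;
	if (assoc == NULL)
		return SN_NULL_DEREF;   /* the kernel faults inside ProcessSctpMsg() here */
	return process(assoc);
}

/* Post-fix dispatch, per the commit message: also require a valid association. */
int sctp_alias_after(const uint8_t *pkt, size_t len)
{
	struct assoc *assoc;
	int rv = parse(pkt, len, &assoc);
	if (rv == SN_PARSE_ERROR_CHHL && more_fragments(pkt) && assoc != NULL)
		rv = SN_PARSE_OK;
	if (rv != SN_PARSE_OK)
		return rv;
	if (assoc == NULL)
		return SN_NULL_DEREF;   /* unreachable now: OK implies assoc != NULL */
	return process(assoc);
}

/* Constructed sample: IPv4 header (MF set or clear) + SCTP common header +
 * the first chunk_bytes (0..4) bytes of an INIT chunk. Returns the length. */
size_t build_packet(uint8_t *buf, bool mf, uint32_t vtag, size_t chunk_bytes)
{
	static const uint8_t addrs[8] = { 192, 168, 1, 2, 192, 168, 1, 1 };
	size_t len = IP_HLEN + SCTP_HLEN + chunk_bytes;
	uint16_t off = mf ? IP_MF : 0;                 /* fragment offset 0 */

	memset(buf, 0, len);
	buf[0] = 0x45;                                 /* IPv4, IHL 5 */
	buf[2] = (uint8_t)(len >> 8); buf[3] = (uint8_t)len;
	buf[6] = (uint8_t)(off >> 8); buf[7] = (uint8_t)off;
	buf[8] = 64; buf[9] = IPPROTO_SCTP;
	memcpy(buf + 12, addrs, sizeof addrs);         /* 192.168.1.2 -> 192.168.1.1 */
	buf[IP_HLEN] = 0x13; buf[IP_HLEN + 1] = 0x88;  /* src port 5000 */
	buf[IP_HLEN + 2] = 0x13; buf[IP_HLEN + 3] = 0x88; /* dst port 5000 */
	buf[IP_HLEN + 4] = (uint8_t)(vtag >> 24); buf[IP_HLEN + 5] = (uint8_t)(vtag >> 16);
	buf[IP_HLEN + 6] = (uint8_t)(vtag >> 8);  buf[IP_HLEN + 7] = (uint8_t)vtag;
	if (chunk_bytes > 0)
		buf[IP_HLEN + SCTP_HLEN] = 1;              /* chunk type INIT */
	if (chunk_bytes >= CHUNK_HLEN)
		buf[IP_HLEN + SCTP_HLEN + 3] = CHUNK_HLEN; /* chunk length */
	return len;
}
```

The case that matters is a first fragment (IP_MF set) whose v_tag matches no association and whose first chunk header is cut off: sctp_alias_before() reaches the point where the real ProcessSctpMsg() dereferences the NULL pointer, while sctp_alias_after() returns the CHHL error and drops the packet. When the association does exist, both versions accept the partial chunk, which is the behaviour the commit keeps.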