https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=295218
Bug ID: 295218
Summary: problem with pf_nl.c's nested_table_parser
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: [email protected]
Reporter: [email protected]
User code can cause the kernel pf netlink code to write beyond the
bounds of stack-allocated objects due to the way that pf_nl.c's
nested_table_parser is used. nested_table_parser is willing to let
user-supplied netlink commands cause writes to
pfioc_table.pfrio_flags:
#define _OUT(_field) offsetof(struct pfioc_table, _field)
static const struct nlattr_parser nla_p_table[] = {
	...,
	{ .type = PF_T_FLAGS, .off = _OUT(pfrio_flags), .cb = nlattr_get_uint32 },
};
...
NL_DECLARE_ATTR_PARSER(nested_table_parser, nla_p_table);
But then nested_table_parser is used in contexts where the target
is not a pfioc_table, for example in table_astats_parser:
#define _OUT(_field) offsetof(struct nl_parsed_table_astats, _field)
static const struct nlattr_parser nla_p_table_astats[] = {
	{ .type = PF_TAS_TABLE, .off = _OUT(table), .arg = &nested_table_parser, .cb = nlattr_get_nested },
};
NL_DECLARE_PARSER(table_astats_parser, struct genlmsghdr, nlf_p_empty, nla_p_table_astats);
In this example, pf_handle_table_get_astats() parses into a
struct nl_parsed_table_astats. That struct has size 1068, but
nested_table_parser is willing to write pfrio_flags at offset 1096,
which lands past the end of the object, somewhere bad on the stack.
One possible fix is that nla_p_table should be used only in
table_parser, and not also in nested_table_parser; instead, a separate
nlattr_parser should be declared for nested_table_parser, omitting the
PF_T_FLAGS.
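To make the mismatch concrete, here is an added C model (not code from this report or from pf_nl.c) with constructed stand-ins for the parser table and the two target layouts, sized so that the flags field sits at offset 1096 while the smaller object is 1068 bytes, plus a check that rejects any parser entry whose write would not fit in the object it is applied to:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for struct nlattr_parser: where a callback writes. */
struct attr_parser {
    uint32_t type;
    size_t   off;   /* offset into the target object */
    size_t   len;   /* bytes written there (4 for nlattr_get_uint32) */
};

/* Constructed targets whose sizes mirror the report: the flags field is at
 * offset 1096 in the large layout, the small layout is only 1068 bytes. */
struct big_table    { uint8_t body[1068]; uint32_t pad[7]; uint32_t flags; };
struct small_astats { uint8_t body[1068]; };

/* Constructed parser table in the spirit of nla_p_table: its offsets are
 * only meaningful when the target really is a struct big_table. */
static const struct attr_parser nla_p_table_like[] = {
    { .type = 1, .off = offsetof(struct big_table, body),  .len = 1068 },
    { .type = 2, .off = offsetof(struct big_table, flags), .len = sizeof(uint32_t) },
};
#define NLA_P_TABLE_LIKE_N (sizeof(nla_p_table_like) / sizeof(nla_p_table_like[0]))

/* Index of the first entry whose write would not fit in target_size bytes,
 * or -1 if every entry fits.  Written so that off + len cannot overflow. */
int first_overrun(const struct attr_parser *p, size_t n, size_t target_size)
{
    for (size_t i = 0; i < n; i++)
        if (p[i].off > target_size || p[i].len > target_size - p[i].off)
            return (int)i;
    return -1;
}

/* Check the constructed table against the size of a given target object. */
int check_table_against(size_t target_size)
{
    return first_overrun(nla_p_table_like, NLA_P_TABLE_LIKE_N, target_size);
}

int main(void)
{
    printf("target=big_table    (%zu bytes): first overrun = %d\n",
           sizeof(struct big_table), check_table_against(sizeof(struct big_table)));
    printf("target=small_astats (%zu bytes): first overrun = %d\n",
           sizeof(struct small_astats), check_table_against(sizeof(struct small_astats)));
    return 0;
}
```

The same size-versus-offset check can be run over a real parser table at init time, or expressed as a static assertion per entry, to catch a nested parser being reused against a smaller target.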