Re: git: a37e0e6de652 - main - pf: fix more syncookie memory leaks

From: Kubilay Kocak <koobs_at_FreeBSD.org>
Date: Fri, 03 Jun 2022 01:36:00 UTC
On 3/06/2022 4:18 am, Kristof Provost wrote:
> The branch main has been updated by kp:
> 
> URL: https://cgit.FreeBSD.org/src/commit/?id=a37e0e6de6527a7eaddea8e28f5e4b3427fba1a4
> 
> commit a37e0e6de6527a7eaddea8e28f5e4b3427fba1a4
> Author:     Franco Fichtner <franco@opnsense.org>
> AuthorDate: 2022-06-02 16:27:43 +0000
> Commit:     Kristof Provost <kp@FreeBSD.org>
> CommitDate: 2022-06-02 18:17:25 +0000
> 
>      pf: fix more syncookie memory leaks
>      
>      Allocate memory for packed nvlists in M_NVLIST, as nvlist_pack() does
>      this as well, and we use the same variable interchangable with the
>      memory we allocate. When we free it we can end up freeing from the wrong
>      zone, leaking memory.
>      
>      Reviewed by:    kp
>      Differential Revision:  https://reviews.freebsd.org/D35385

Hi Kristof,

Are stable{13,12} affected or only introduced in main?

> ---
>   sys/netpfil/pf/pf_ioctl.c      | 20 ++++++++++----------
>   sys/netpfil/pf/pf_syncookies.c |  6 +++---
>   2 files changed, 13 insertions(+), 13 deletions(-)
> 
> diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
> index 745b9b69060b..1ccbbd3814ac 100644
> --- a/sys/netpfil/pf/pf_ioctl.c
> +++ b/sys/netpfil/pf/pf_ioctl.c
> @@ -2722,7 +2722,7 @@ DIOCGETETHRULES_error:
>   		if (nv->len > pf_ioctl_maxcount)
>   			ERROUT(ENOMEM);
>   
> -		nvlpacked = malloc(nv->len, M_TEMP, M_WAITOK);
> +		nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK);
>   		if (nvlpacked == NULL)
>   			ERROUT(ENOMEM);
>   
> @@ -2763,7 +2763,7 @@ DIOCGETETHRULES_error:
>   
>   		nvlist_destroy(nvl);
>   		nvl = NULL;
> -		free(nvlpacked, M_TEMP);
> +		free(nvlpacked, M_NVLIST);
>   		nvlpacked = NULL;
>   
>   		rule = TAILQ_FIRST(rs->active.rules);
> @@ -2803,7 +2803,7 @@ DIOCGETETHRULES_error:
>   
>   #undef ERROUT
>   DIOCGETETHRULE_error:
> -		free(nvlpacked, M_TEMP);
> +		free(nvlpacked, M_NVLIST);
>   		nvlist_destroy(nvl);
>   		break;
>   	}
> @@ -2819,7 +2819,7 @@ DIOCGETETHRULE_error:
>   
>   #define ERROUT(x)	ERROUT_IOCTL(DIOCADDETHRULE_error, x)
>   
> -		nvlpacked = malloc(nv->len, M_TEMP, M_WAITOK);
> +		nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK);
>   		if (nvlpacked == NULL)
>   			ERROUT(ENOMEM);
>   
> @@ -2922,7 +2922,7 @@ DIOCGETETHRULE_error:
>   #undef ERROUT
>   DIOCADDETHRULE_error:
>   		nvlist_destroy(nvl);
> -		free(nvlpacked, M_TEMP);
> +		free(nvlpacked, M_NVLIST);
>   		break;
>   	}
>   
> @@ -3117,7 +3117,7 @@ DIOCGETETHRULESET_error:
>   		if (nv->len > pf_ioctl_maxcount)
>   			ERROUT(ENOMEM);
>   
> -		nvlpacked = malloc(nv->len, M_TEMP, M_WAITOK);
> +		nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK);
>   		error = copyin(nv->data, nvlpacked, nv->len);
>   		if (error)
>   			ERROUT(error);
> @@ -3156,13 +3156,13 @@ DIOCGETETHRULESET_error:
>   		    anchor_call, td);
>   
>   		nvlist_destroy(nvl);
> -		free(nvlpacked, M_TEMP);
> +		free(nvlpacked, M_NVLIST);
>   		break;
>   #undef ERROUT
>   DIOCADDRULENV_error:
>   		pf_krule_free(rule);
>   		nvlist_destroy(nvl);
> -		free(nvlpacked, M_TEMP);
> +		free(nvlpacked, M_NVLIST);
>   
>   		break;
>   	}
> @@ -6018,7 +6018,7 @@ pf_keepcounters(struct pfioc_nv *nv)
>   	if (nv->len > pf_ioctl_maxcount)
>   		ERROUT(ENOMEM);
>   
> -	nvlpacked = malloc(nv->len, M_TEMP, M_WAITOK);
> +	nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK);
>   	if (nvlpacked == NULL)
>   		ERROUT(ENOMEM);
>   
> @@ -6037,7 +6037,7 @@ pf_keepcounters(struct pfioc_nv *nv)
>   
>   on_error:
>   	nvlist_destroy(nvl);
> -	free(nvlpacked, M_TEMP);
> +	free(nvlpacked, M_NVLIST);
>   	return (error);
>   }
>   
> diff --git a/sys/netpfil/pf/pf_syncookies.c b/sys/netpfil/pf/pf_syncookies.c
> index 5230502be30c..6a375411d8ea 100644
> --- a/sys/netpfil/pf/pf_syncookies.c
> +++ b/sys/netpfil/pf/pf_syncookies.c
> @@ -171,7 +171,7 @@ pf_get_syncookies(struct pfioc_nv *nv)
>   #undef ERROUT
>   errout:
>   	nvlist_destroy(nvl);
> -	free(nvlpacked, M_TEMP);
> +	free(nvlpacked, M_NVLIST);
>   
>   	return (error);
>   }
> @@ -191,7 +191,7 @@ pf_set_syncookies(struct pfioc_nv *nv)
>   	if (nv->len > pf_ioctl_maxcount)
>   		return (ENOMEM);
>   
> -	nvlpacked = malloc(nv->len, M_TEMP, M_WAITOK);
> +	nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK);
>   	if (nvlpacked == NULL)
>   		return (ENOMEM);
>   
> @@ -232,7 +232,7 @@ pf_set_syncookies(struct pfioc_nv *nv)
>   #undef ERROUT
>   errout:
>   	nvlist_destroy(nvl);
> -	free(nvlpacked, M_TEMP);
> +	free(nvlpacked, M_NVLIST);
>   
>   	return (error);
>   }
>