From nobody Mon Dec 30 20:45:02 2024
Date: Mon, 30 Dec 2024 20:45:02 GMT
Message-Id: <202412302045.4BUKj2ab020435@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Kristof Provost
Subject: git: e2bb5f213a72 - stable/13 - pf: fix double free in pf_state_key_attach()
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: e2bb5f213a724fd163be4262eb925def0fa8f9fc

The branch stable/13 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=e2bb5f213a724fd163be4262eb925def0fa8f9fc

commit e2bb5f213a724fd163be4262eb925def0fa8f9fc
Author:     Kristof Provost
AuthorDate: 2024-12-11 22:27:21 +0000
Commit:     Kristof Provost
CommitDate: 2024-12-30 20:42:33 +0000

    pf: fix double free in pf_state_key_attach()

    In 371bd29d4b we fixed a state key leak, but unintentionally introduced a
    double free.

    We pass through the relevant code twice, first for PF_SK_WIRE, then for
    PF_SK_STACK. If we fail to attach on the second pass we have a more complex
    cleanup job, handled by pf_detach_state(). We must only free the state keys
    manually on the first pass; on the second one pf_detach_state() takes care
    of everything.

    Tested by:      yds
    Fixes:          371bd29d4b22257a7e92e1e711cca3d94cfbd00d
    MFC after:      2 weeks
    Sponsored by:   Rubicon Communications, LLC ("Netgate")

    (cherry picked from commit 01eb1261443dddcb50a3a278f1278fffdfb0d36e)
---
 sys/netpfil/pf/pf.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 2ebfd08b362a..e5cd0b83ac0c 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -1302,11 +1302,13 @@ keyattach: s->timeout = PFTM_UNLINKED; PF_HASHROW_UNLOCK(ih); KEYS_UNLOCK(); - uma_zfree(V_pf_state_key_z, skw); - if (skw != sks) - uma_zfree(V_pf_state_key_z, sks); - if (idx == PF_SK_STACK) + if (idx == PF_SK_WIRE) { + uma_zfree(V_pf_state_key_z, skw); + if (skw != sks) + uma_zfree(V_pf_state_key_z, sks); + } else { pf_detach_state(s); + } return (EEXIST); /* collision! */ } }
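Review bot: the `} else {` branch silently relies on idx being exactly PF_SK_STACK whenever it is not PF_SK_WIRE, so any future caller reaching this collision path with another index would skip the manual uma_zfree() calls and fall into pf_detach_state(s) without that invariant ever being checked. Since the commit message is explicit that the code is passed through twice (first PF_SK_WIRE, then PF_SK_STACK) and that pf_detach_state() owns both keys on the second pass, it would be worth stating that next to the branch, e.g. a one-line comment above `if (idx == PF_SK_WIRE) {` ("first pass: keys not yet attached, free them here; second pass: pf_detach_state() frees them") or a KASSERT on idx in the else arm, so the reason the two cleanup paths must stay mutually exclusive (the double free this change removes) is visible in the code and not only in the history.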