Date: Mon, 26 Feb 2024 14:28:04 GMT
Message-Id: <202402261428.41QES4om003312@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Konstantin Belousov
Subject: git: 1a56620b7958 - main - ipsec esp: avoid dereferencing freed secasindex
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main

The branch main has been updated by kib:

URL: https://cgit.FreeBSD.org/src/commit/?id=1a56620b7958cac2b9048589cb730c46958ab539

commit 1a56620b7958cac2b9048589cb730c46958ab539
Author:     Konstantin Belousov
AuthorDate: 2024-02-25 10:30:48 +0000
Commit:     Konstantin Belousov
CommitDate: 2024-02-26 14:27:46 +0000

    ipsec esp: avoid dereferencing freed secasindex

    It is possible that SA was removed while processing packet, in which
    case it is changed to the DEAD state and its index is removed from the
    tree. Dereferencing sav->sah then touches freed memory.

    Reviewed by: ae
    Sponsored by: NVIDIA networking
    MFC after: 1 week
    Differential revision: https://reviews.freebsd.org/D44079
--- sys/netipsec/xform_esp.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c index 16f7b24375fa..7ad6085db87f 100644 --- a/sys/netipsec/xform_esp.c +++ b/sys/netipsec/xform_esp.c @@ -508,6 +508,13 @@ esp_input_cb(struct cryptop *crp) xd = crp->crp_opaque; CURVNET_SET(xd->vnet); sav = xd->sav; + if (sav->state >= SADB_SASTATE_DEAD) { + /* saidx is freed */ + DPRINTF(("%s: dead SA %p spi %#x\n", __func__, sav, sav->spi)); + ESPSTAT_INC(esps_notdb); + error = ESRCH; + goto bad; + } skip = xd->skip; protoff = xd->protoff; cryptoid = xd->cryptoid;
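
Review bot: the sav->state >= SADB_SASTATE_DEAD test added at the top of esp_input_cb() is read with no lock or barrier visible in this hunk, so as shown it narrows the use-after-free window rather than closing it. The commit message says the SA can be removed while the packet is being processed, and nothing here rules out that happening just after the check and before the later sav->sah dereference. Please say in the comment what keeps the state stable between the check and the use, or take the relevant lock or reference across both. Two smaller points: the early "goto bad" runs before skip, protoff and cryptoid are loaded from xd, so confirm the bad: path does not read them; and "/* saidx is freed */" would be clearer if it stated that sav->sah must not be dereferenced once the SA is DEAD and why the comparison is >= rather than ==.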