From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 283797] netlink's npt_clear() should set npt->cookie = 0
Date: Thu, 02 Jan 2025 16:31:37 +0000
List-Archive: https://lists.freebsd.org/archives/freebsd-bugs

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=283797

            Bug ID: 283797
           Summary: netlink's npt_clear() should set npt->cookie = 0
           Product: Base System
           Version: Unspecified
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
  Attachment #256345
         mime type: text/plain

Created attachment 256345
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=256345&action=edit
demonstrate a bug in netlink's npt_clear()

npt_clear() in sys/netlink/netlink_io.c zeroes npt->lb, but leaves
npt->cookie unchanged. Since npt->cookie (if non-NULL) points into
npt->lb, this means that npt_clear() can leave a non-NULL npt->cookie
pointing to zeroed contents.

As a result, if nl_process_nbuf() takes more than one trip through its
for loop, on the second &c trip npt->cookie can be non-NULL even though
npt->cookie->nla_len is zero. This can cause nlmsg_ack()'s call to
nlattr_add_raw(nw, npt->cookie) to execute

    return (nlattr_add(nw, nla_src->nla_type,
        nla_src->nla_len - sizeof(struct nlattr),
        (const void *)(nla_src + 1)));

which (since nla_src->nla_len is zero) will pass attr_len=65532 to
nlattr_add. With an INVARIANTS kernel, this will cause an MPASS() or
KASSERT() failure. On an ordinary kernel, it will cause nlattr_add() to
memcpy off the end of the allocated nw->buf.

I've attached a demo.

# uname -a
FreeBSD 15.0-CURRENT FreeBSD 15.0-CURRENT #335 main-n250995-3750873316a1-dirty: Thu Jan 2 11:25:30 EST 2025     rtm@xxx:/usr/obj/usr/rtm/symbsd/src/riscv.riscv64/sys/RTM riscv
# cc netlink4c.c
# ./a.out
tap0: Ethernet address: da:2e:d7:ce:2d:57
tap0: promiscuous mode enabled
REDZONE: Buffer overflow detected. 16 bytes corrupted after 0xffffffc09e011020 (65568 bytes allocated).
Allocation backtrace:
#0 0xffffffc000617370 at redzone_setup+0xa0
#1 0xffffffc0002d4da8 at malloc_large+0x90
#2 0xffffffc0002d4bc4 at malloc+0x120
#3 0xffffffc00052bad4 at nl_buf_alloc+0x2a
#4 0xffffffc00052ca02 at _nlmsg_refill_buffer+0xb2
#5 0xffffffc00052d11e at nlmsg_ack+0x3a6
#6 0xffffffc00052bfca at nl_taskqueue_handler+0x32a
#7 0xffffffc000357070 at taskqueue_run_locked+0x158
#8 0xffffffc000357d74 at taskqueue_thread_loop+0xd4
#9 0xffffffc0002ba19c at fork_exit+0x68
#10 0xffffffc0006785ea at fork_trampoline+0xa
Free backtrace:
#0 0xffffffc00061773a at redzone_check+0x344
#1 0xffffffc0002d5bac at free_dbg+0x5c
#2 0xffffffc0002d4976 at free+0x1c
#3 0xffffffc00052bb1c at nl_buf_free+0x14
#4 0xffffffc00052a85c at nl_close+0x1ca
#5 0xffffffc00038e438 at soclose+0xba
#6 0xffffffc00036cd88 at soo_close+0x20
#7 0xffffffc0002a1f8e at _fdrop+0x16
#8 0xffffffc0002a55d8 at closef+0x1b0
#9 0xffffffc0002a4ca4 at fdescfree+0x4ea
#10 0xffffffc0002b55bc at exit1+0x40a
#11 0xffffffc0002b51ae at sys_exit+0x10
#12 0xffffffc00067913a at do_trap_user+0x1e0
#13 0xffffffc000666b12 at cpu_exception_handler_user+0x72
panic: Stopping here.

--
You are receiving this mail because:
You are the assignee for the bug.
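The following is an added userland model of the interaction the report describes; it is not code from the report, the attached demo, or FreeBSD. It reproduces the two facts that matter for the bug: a clear routine that zeroes the buffer but leaves the cookie pointer aimed into it, and the 16-bit nla_len subtraction that wraps 0 - 4 to 65532. The struct npt_model, its 64-byte lb buffer, and all helper names are assumptions made for the demo; the fix (setting the cookie to NULL when lb is cleared) and the defensive length check are shown beside the buggy path so the difference can be run and compared.

```c
/*
 * Added example, not FreeBSD code: a userland model of the npt_clear() /
 * nlattr_add_raw() interaction from the report. struct npt_model, its
 * 64-byte lb and the helper names are assumptions for the demo; the
 * 16-bit nla_len and "nla_len - sizeof(struct nlattr)" are the report's.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for struct nlattr: 16-bit total length (header included),
 * 16-bit type, payload directly after the header. */
struct nlattr {
    uint16_t nla_len;
    uint16_t nla_type;
};

/* Parser state: scratch buffer lb and a cookie pointer that is either
 * NULL or points at an attribute stored inside lb. */
struct npt_model {
    char           lb[64];   /* assumed size */
    struct nlattr *cookie;
};

/* Parser side: store a cookie attribute at the start of lb. */
static void npt_set_cookie(struct npt_model *npt, const void *data, uint16_t datalen)
{
    struct nlattr *nla = (struct nlattr *)npt->lb;

    nla->nla_len  = (uint16_t)(sizeof(*nla) + datalen);
    nla->nla_type = 1;
    memcpy(nla + 1, data, datalen);
    npt->cookie = nla;
}

/* Behaviour described in the report: lb zeroed, cookie left dangling
 * into it, so it now points at an all-zero header. */
static void npt_clear_buggy(struct npt_model *npt)
{
    memset(npt->lb, 0, sizeof(npt->lb));
}

/* The fix the report asks for: cookie only ever points into lb, so
 * invalidate it whenever lb is cleared. */
static void npt_clear_fixed(struct npt_model *npt)
{
    memset(npt->lb, 0, sizeof(npt->lb));
    npt->cookie = NULL;
}

/* Payload length as the quoted nlattr_add_raw() computes it. nla_len is
 * 16 bits, so for a zeroed header 0 - 4 wraps to 65532. */
static uint16_t payload_len_unchecked(const struct nlattr *nla)
{
    return (uint16_t)(nla->nla_len - sizeof(struct nlattr));
}

/* Defensive variant: a length shorter than the header is malformed, so
 * reject it instead of letting the subtraction wrap. -1 on bad input. */
static int payload_len_checked(const struct nlattr *nla)
{
    if (nla == NULL || nla->nla_len < sizeof(struct nlattr))
        return -1;
    return (int)(nla->nla_len - sizeof(struct nlattr));
}

/* Scenario 1: buggy clear + unchecked length -> the report's 65532. */
static unsigned demo_buggy_unchecked(void)
{
    struct npt_model npt;

    memset(&npt, 0, sizeof(npt));
    npt_set_cookie(&npt, "abcd", 4);   /* first trip through the loop */
    npt_clear_buggy(&npt);             /* end of first trip */
    return payload_len_unchecked(npt.cookie); /* cookie non-NULL, nla_len 0 */
}

/* Scenario 2: buggy clear, but the length check rejects the stale cookie. */
static int demo_buggy_checked(void)
{
    struct npt_model npt;

    memset(&npt, 0, sizeof(npt));
    npt_set_cookie(&npt, "abcd", 4);
    npt_clear_buggy(&npt);
    return payload_len_checked(npt.cookie);
}

/* Scenario 3: fixed clear leaves no cookie to copy. Returns 1 if dropped. */
static int demo_fixed_clear(void)
{
    struct npt_model npt;

    memset(&npt, 0, sizeof(npt));
    npt_set_cookie(&npt, "abcd", 4);
    npt_clear_fixed(&npt);
    return npt.cookie == NULL;
}

int main(void)
{
    printf("buggy clear, unchecked len: %u\n", demo_buggy_unchecked());
    printf("buggy clear, checked len:   %d\n", demo_buggy_checked());
    printf("fixed clear dropped cookie: %d\n", demo_fixed_clear());
    return 0;
}
```

The two mitigations are independent: clearing the cookie pointer removes the dangling reference at its source, while the length check in the consumer turns a wrapped 65532-byte copy into a rejected attribute even if some other path hands over a zeroed header. A kernel built with INVARIANTS gets the second half from its MPASS()/KASSERT() checks, as the report notes; a production kernel does not, which is why the pointer reset matters.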