svn commit: r363026 - in releng: 11.3/sys/netinet6 11.4/sys/netinet6 12.1/sys/netinet6

Gordon Tetlow gordon at FreeBSD.org
Wed Jul 8 20:11:42 UTC 2020 

Author: gordon
Date: Wed Jul  8 20:11:40 2020
New Revision: 363026
URL: https://svnweb.freebsd.org/changeset/base/363026

Log:
  Fix IPv6 socket option race condition and use after free.
  
  Approved by:	so
  Security:	FreeBSD-SA-20:20.ipv6
  Security:	CVE-2020-7457

Modified:
  releng/11.3/sys/netinet6/ip6_output.c
  releng/11.4/sys/netinet6/ip6_output.c
  releng/12.1/sys/netinet6/ip6_output.c

Modified: releng/11.3/sys/netinet6/ip6_output.c
==============================================================================
--- releng/11.3/sys/netinet6/ip6_output.c	Wed Jul  8 20:08:05 2020	(r363025)
+++ releng/11.3/sys/netinet6/ip6_output.c	Wed Jul  8 20:11:40 2020	(r363026)
@@ -1498,8 +1498,10 @@ ip6_ctloutput(struct socket *so, struct sockopt *sopt)
 				error = soopt_mcopyin(sopt, m); /* XXX */
 				if (error != 0)
 					break;
+				INP_WLOCK(in6p);
 				error = ip6_pcbopts(&in6p->in6p_outputopts,
 						    m, so, sopt);
+				INP_WUNLOCK(in6p);
 				m_freem(m); /* XXX */
 				break;
 			}
@@ -2244,8 +2246,11 @@ ip6_pcbopts(struct ip6_pktopts **pktopt, struct mbuf *
 			printf("ip6_pcbopts: all specified options are cleared.\n");
 #endif
 		ip6_clearpktopts(opt, -1);
-	} else
-		opt = malloc(sizeof(*opt), M_IP6OPT, M_WAITOK);
+	} else {
+		opt = malloc(sizeof(*opt), M_IP6OPT, M_NOWAIT);
+		if (opt == NULL)
+			return (ENOMEM);
+	}
 	*pktopt = NULL;
 
 	if (!m || m->m_len == 0) {

Modified: releng/11.4/sys/netinet6/ip6_output.c
==============================================================================
--- releng/11.4/sys/netinet6/ip6_output.c	Wed Jul  8 20:08:05 2020	(r363025)
+++ releng/11.4/sys/netinet6/ip6_output.c	Wed Jul  8 20:11:40 2020	(r363026)
@@ -1514,8 +1514,10 @@ ip6_ctloutput(struct socket *so, struct sockopt *sopt)
 				error = soopt_mcopyin(sopt, m); /* XXX */
 				if (error != 0)
 					break;
+				INP_WLOCK(in6p);
 				error = ip6_pcbopts(&in6p->in6p_outputopts,
 						    m, so, sopt);
+				INP_WUNLOCK(in6p);
 				m_freem(m); /* XXX */
 				break;
 			}
@@ -2260,8 +2262,11 @@ ip6_pcbopts(struct ip6_pktopts **pktopt, struct mbuf *
 			printf("ip6_pcbopts: all specified options are cleared.\n");
 #endif
 		ip6_clearpktopts(opt, -1);
-	} else
-		opt = malloc(sizeof(*opt), M_IP6OPT, M_WAITOK);
+	} else {
+		opt = malloc(sizeof(*opt), M_IP6OPT, M_NOWAIT);
+		if (opt == NULL)
+			return (ENOMEM);
+	}
 	*pktopt = NULL;
 
 	if (!m || m->m_len == 0) {

Modified: releng/12.1/sys/netinet6/ip6_output.c
==============================================================================
--- releng/12.1/sys/netinet6/ip6_output.c	Wed Jul  8 20:08:05 2020	(r363025)
+++ releng/12.1/sys/netinet6/ip6_output.c	Wed Jul  8 20:11:40 2020	(r363026)
@@ -1544,8 +1544,10 @@ ip6_ctloutput(struct socket *so, struct sockopt *sopt)
 				error = soopt_mcopyin(sopt, m); /* XXX */
 				if (error != 0)
 					break;
+				INP_WLOCK(in6p);
 				error = ip6_pcbopts(&in6p->in6p_outputopts,
 						    m, so, sopt);
+				INP_WUNLOCK(in6p);
 				m_freem(m); /* XXX */
 				break;
 			}
@@ -2305,8 +2307,11 @@ ip6_pcbopts(struct ip6_pktopts **pktopt, struct mbuf *
 			printf("ip6_pcbopts: all specified options are cleared.\n");
 #endif
 		ip6_clearpktopts(opt, -1);
-	} else
-		opt = malloc(sizeof(*opt), M_IP6OPT, M_WAITOK);
+	} else {
+		opt = malloc(sizeof(*opt), M_IP6OPT, M_NOWAIT);
+		if (opt == NULL)
+			return (ENOMEM);
+	}
 	*pktopt = NULL;
 
 	if (!m || m->m_len == 0) {

More information about the svn-src-releng mailing list