ipfilter: Plug ip_htable kernel information leak
ipf_htable_stats_get() constructs an iphtstat_t on the stack and only initializes select fields before copying the entire structure to userland. The trailing padding array iphs_pad[16] is never initialized, so ~128 bytes of uninitialized kernel stack memory can be leaked to user space on each call. This is a classic information disclosure vulnerability that can reveal pointers and other sensitive data. We fix this by zeroing out the data structure prior to use. Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com> Reviewed by: emaste MFC after: 3 days Differential revision: https://reviews.freebsd.org/D53275
This commit is contained in:
@@ -230,6 +230,8 @@ ipf_htable_stats_get(ipf_main_softc_t *softc, void *arg, iplookupop_t *op)
|
||||
return (EINVAL);
|
||||
}
|
||||
|
||||
bzero(&stats, sizeof(stats));
|
||||
|
||||
stats.iphs_tables = softh->ipf_htables[op->iplo_unit + 1];
|
||||
stats.iphs_numtables = softh->ipf_nhtables[op->iplo_unit + 1];
|
||||
stats.iphs_numnodes = softh->ipf_nhtnodes[op->iplo_unit + 1];
|
||||
|
||||
Reference in New Issue
Block a user