From 0d589ecbc7aa916537fd21c0344919491cfcb293 Mon Sep 17 00:00:00 2001 From: Cy Schubert Date: Wed, 22 Oct 2025 09:29:03 -0700 Subject: [PATCH] ipfilter: Plug ip_htable kernel information leak ipf_htable_stats_get() constructs an iphtstat_t on the stack and only initializes select fields before copying the entire structure to userland. The trailing padding array iphs_pad[16] is never initialized, so ~128 bytes of uninitialized kernel stack memory can be leaked to user space on each call. This is a classic information disclosure vulnerability that can reveal pointers and other sensitive data. We fix this by zeroing out the data structure prior to use. Reported by: Ilja Van Sprundel Reviewed by: emaste MFC after: 3 days Differential revision: https://reviews.freebsd.org/D53275 --- sys/netpfil/ipfilter/netinet/ip_htable.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sys/netpfil/ipfilter/netinet/ip_htable.c b/sys/netpfil/ipfilter/netinet/ip_htable.c index 91b375f80db..3f765cfab94 100644 --- a/sys/netpfil/ipfilter/netinet/ip_htable.c +++ b/sys/netpfil/ipfilter/netinet/ip_htable.c @@ -230,6 +230,8 @@ ipf_htable_stats_get(ipf_main_softc_t *softc, void *arg, iplookupop_t *op) return (EINVAL); } + bzero(&stats, sizeof(stats)); + stats.iphs_tables = softh->ipf_htables[op->iplo_unit + 1]; stats.iphs_numtables = softh->ipf_nhtables[op->iplo_unit + 1]; stats.iphs_numnodes = softh->ipf_nhtnodes[op->iplo_unit + 1];