Mailing List Archive

From:: Vitaliy Makkoveev <otto@bsdbox.dev>
Subject:: Re: route an_match NULL deref
To:: Alexander Bluhm <bluhm@openbsd.org>
Cc:: OpenBSD Tech <tech@openbsd.org>
Date:: Mon, 25 Mar 2024 23:45:15 +0300

Download raw body.

Thread

2024-03-25 20:11 Alexander Bluhm:
route an_match NULL deref
- 2024-03-25 20:45 Vitaliy Makkoveev:
  route an_match NULL deref

> On 25 Mar 2024, at 23:11, Alexander Bluhm <bluhm@openbsd.org> wrote:
> 
> Hi,
> 
> On a customer's machine based on OpenBSD 7.4 I saw this crash.
> Stack trace typed from jpeg with OCR.
> 
> uum_fault(0xfffffd87681555b8, 0x0, 0, 1) -> e
> kernel: page fault trap, code=0
> 
> Stopped at rtable_lookup+0xdc: movq 0(%rax),%rdi
> 
> *477466 31379 0 0 0  4 ospfd
> 
> rtable_lookup()
> rtm_output()
> route_output()
> route_send()
> sosend()
> dofilewritev()
> sys_writev()
> syscall()
> Xsyscall()
> 
> From disassmbler I see that rt == NULL in an_match().
> 
> ok?
> 

ok mvs

> bluhm
> 
> Index: net/rtable.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/net/rtable.c,v
> diff -u -p -r1.85 rtable.c
> --- net/rtable.c	12 Nov 2023 17:51:40 -0000	1.85
> +++ net/rtable.c	25 Mar 2024 19:24:05 -0000
> @@ -875,7 +875,7 @@ an_match(struct art_node *an, const stru
> 		return (0);
> 
> 	rt = SRPL_FIRST(&sr, &an->an_rtlist);
> -	match = (memcmp(rt->rt_dest, dst, dst->sa_len) == 0);
> +	match = (rt != NULL && memcmp(rt->rt_dest, dst, dst->sa_len) == 0);
> 	SRPL_LEAVE(&sr);
> 
> 	return (match);
>

2024-03-25 20:11 Alexander Bluhm:
route an_match NULL deref
- 2024-03-25 20:45 Vitaliy Makkoveev:
  route an_match NULL deref