Intended out-of-bound access from struct field in IPFW #2277

Open
RoundofThree opened this issue Dec 28, 2024 · 1 comment

@RoundofThree
Member

  • Type: Code written intentionally to access out of bounds causes CHERI bounds violation
  • Trigger Conditions: IPFW enabled with any rule containing IPv6 masks. An example would be the default open setting
  • Impact: Remote DoS with any IPv6 packet on CheriBSD
  • Root cause:
    An IPFW rule with opcode O_IP6_SRC_MASK or O_IP6_DST_MASK can contain an array of one or more ipfw_insn_ip6. The C code obtains a pointer to the first ipfw_insn_ip6's second field addr6 and uses it to access the third field mask6. It then also increments the same pointer to access the fields of the next ipfw_insn_ip6 in the array.
    There should be no actual vulnerability in this code.

Tagging @YiChenChai.

@brooksdavis
Member

I think this is a subobject bounds issue. Either this cast needs to be altered not to set bounds or the code needs to be altered to derive the pointer from cmd each time.

struct in6_addr *d =
&((ipfw_insn_ip6 *)cmd)->addr6;

cc: @qwattash
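
The sub-object bounds behaviour discussed in the two comments above, modelled in portable C as an added example (not CheriBSD or IPFW code). The struct names, the toy `struct cap` and its helpers are hypothetical stand-ins, and the layout (header, addr6, mask6) follows the issue's description.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified stand-ins for the IPFW types; layout assumed: header, addr6, mask6. */
struct addr128 { uint8_t b[16]; };
struct insn_hdr { uint8_t opcode, len; uint16_t arg1; };
struct insn_ip6 { struct insn_hdr o; struct addr128 addr6, mask6; };

/* Toy capability: may only touch mem[lo, hi); cur is the current offset. */
struct cap { const uint8_t *mem; size_t lo, hi, cur; };

/* Models &p->field under sub-object bounds: bounds shrink to the field. */
static struct cap cap_field(struct cap c, size_t off, size_t size)
{
    return (struct cap){ c.mem, c.cur + off, c.cur + off + size, c.cur + off };
}

/* Checked 16-byte load; returns 0 where hardware would raise a bounds fault. */
static int cap_load16(struct cap c, size_t off, struct addr128 *out)
{
    size_t at = c.cur + off;
    if (at < c.lo || at + sizeof(*out) > c.hi) return 0;
    memcpy(out, c.mem + at, sizeof(*out));
    return 1;
}

/* Constructed sample instruction carrying a /64 mask. */
static const struct insn_ip6 sample = { .mask6 = { { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff } } };
static const struct cap sample_cmd = { (const uint8_t *)&sample, 0, sizeof(sample), 0 };

/* Pattern from the issue: d = &cmd->addr6, then d[1] to reach mask6. */
int mask_via_addr6(void)
{
    struct addr128 m;
    struct cap d = cap_field(sample_cmd, offsetof(struct insn_ip6, addr6), sizeof(m));
    return cap_load16(d, 1 * sizeof(m), &m) ? m.b[0] : -1;   /* -1: bounds fault */
}

/* Alternative from the reply: derive the access from cmd itself. */
int mask_via_cmd(void)
{
    struct addr128 m;
    return cap_load16(sample_cmd, offsetof(struct insn_ip6, mask6), &m) ? m.b[0] : -1;
}

int main(void) { return !(mask_via_addr6() == -1 && mask_via_cmd() == 0xff); }
```

The load through the narrowed capability is rejected even though the target bytes lie inside the enclosing instruction, which is why the access pattern faults on CHERI without being a memory-safety bug in the conventional sense.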
