Bug #1803

ifconfig wlan0 create causes memory corruption

Added by Johannes.Hofmann over 4 years ago. Updated about 4 years ago.

Status:ClosedStart date:
Priority:NormalDue date:
Assignee:-% Done:

0%

Category:-
Target version:-

Description

When cloning an wlan interface with e.g
ifconfig wlan0 create wlandev ath0
a struct ifnet is allocated via if_alloc and then passed to
ether_ifattach_bpf() which writes beyond the struct ifnet.
This is especially a problem if struct ifnet size is close to a chunk
size of the slab allocator - as it happens with the recent pf update.
This was catched by guards I added to the slab allocator.

Cheers,
Johannes

History

#1 Updated by dillon over 4 years ago

:When cloning an wlan interface with e.g
: ifconfig wlan0 create wlandev ath0
:a struct ifnet is allocated via if_alloc and then passed to
:ether_ifattach_bpf() which writes beyond the struct ifnet.
:This is especially a problem if struct ifnet size is close to a chunk
:size of the slab allocator - as it happens with the recent pf update.
:This was catched by guards I added to the slab allocator.
:
:Cheers,
:Johannes

Ok, we need to track this down. I don't see anything in
ether_ifattach_bpf() itself that indexes past the end of the
ifnet, is it something ether_ifattach_bpf() calls or something
after ether_ifattach_bpf() returns? How much code do we have to
review here?

-Matt
Matthew Dillon
<>

#2 Updated by Johannes.Hofmann over 4 years ago

Matthew Dillon <> wrote:
>
> :When cloning an wlan interface with e.g
> : ifconfig wlan0 create wlandev ath0
> :a struct ifnet is allocated via if_alloc and then passed to
> :ether_ifattach_bpf() which writes beyond the struct ifnet.
> :This is especially a problem if struct ifnet size is close to a chunk
> :size of the slab allocator - as it happens with the recent pf update.
> :This was catched by guards I added to the slab allocator.
> :
> :Cheers,
> :Johannes
>
> Ok, we need to track this down. I don't see anything in
> ether_ifattach_bpf() itself that indexes past the end of the
> ifnet, is it something ether_ifattach_bpf() calls or something
> after ether_ifattach_bpf() returns? How much code do we have to
> review here?

It's the bcopy() in ether_ifattach_bpf() with the XXX in the comment.
ifp is expected to be embedded in a struct arpcom, which is not the
case for the cloned wlan interface.

Cheers,
Johannes

#3 Updated by dillon over 4 years ago

:It's the bcopy() in ether_ifattach_bpf() with the XXX in the comment.
:ifp is expected to be embedded in a struct arpcom, which is not the
:case for the cloned wlan interface.
:
:Cheers,
:Johannes

Ok, what I will do is adopt the changes FreeBSD made which is
to hang arpcom off of a pointer in the ifp instead of embedding
the ifnet in the arpcom.

-Matt
Matthew Dillon
<>

#4 Updated by dillon over 4 years ago

Urk. Let me take that back. For the moment I'll change the wlan
code to declare an arpcom, then I'll take a look at how easy it
would be to convert all of our arpcoms to if_l2com.

-Matt

#5 Updated by alexh about 4 years ago

Has this been addressed yet?

Regards,
Alex

#6 Updated by Johannes.Hofmann about 4 years ago

"Alex Hornung \(via DragonFly issue tracker\)" <> wrote:
>
> Alex Hornung <> added the comment:
>
> Has this been addressed yet?

Yes, there is a "temporary hack" that fixes it:
7e39593549a460369e7be716ca160d20932105fd

Also available in: Atom PDF