Bug #1803
ifconfig wlan0 create causes memory corruption
| Status: | Closed | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 0% |
| Category: | - | | |
| Target version: | - | | |
Description
When cloning a wlan interface with e.g.
ifconfig wlan0 create wlandev ath0
a struct ifnet is allocated via if_alloc and then passed to
ether_ifattach_bpf() which writes beyond the struct ifnet.
This is especially a problem if struct ifnet size is close to a chunk
size of the slab allocator - as it happens with the recent pf update.
This was caught by guards I added to the slab allocator.
Cheers,
Johannes
History
Updated by dillon almost 3 years ago
:When cloning a wlan interface with e.g.
: ifconfig wlan0 create wlandev ath0
:a struct ifnet is allocated via if_alloc and then passed to
:ether_ifattach_bpf() which writes beyond the struct ifnet.
:This is especially a problem if struct ifnet size is close to a chunk
:size of the slab allocator - as it happens with the recent pf update.
:This was caught by guards I added to the slab allocator.
:
:Cheers,
:Johannes
Ok, we need to track this down. I don't see anything in
ether_ifattach_bpf() itself that indexes past the end of the
ifnet, is it something ether_ifattach_bpf() calls or something
after ether_ifattach_bpf() returns? How much code do we have to
review here?
-Matt
Matthew Dillon
<dillon@backplane.com>
Updated by Johannes.Hofmann almost 3 years ago
Matthew Dillon <dillon@apollo.backplane.com> wrote:
>
> :When cloning a wlan interface with e.g.
> : ifconfig wlan0 create wlandev ath0
> :a struct ifnet is allocated via if_alloc and then passed to
> :ether_ifattach_bpf() which writes beyond the struct ifnet.
> :This is especially a problem if struct ifnet size is close to a chunk
> :size of the slab allocator - as it happens with the recent pf update.
> :This was caught by guards I added to the slab allocator.
> :
> :Cheers,
> :Johannes
>
> Ok, we need to track this down. I don't see anything in
> ether_ifattach_bpf() itself that indexes past the end of the
> ifnet, is it something ether_ifattach_bpf() calls or something
> after ether_ifattach_bpf() returns? How much code do we have to
> review here?
It's the bcopy() in ether_ifattach_bpf() with the XXX in the comment.
ifp is expected to be embedded in a struct arpcom, which is not the
case for the cloned wlan interface.
Cheers,
Johannes
Updated by dillon almost 3 years ago
:It's the bcopy() in ether_ifattach_bpf() with the XXX in the comment.
:ifp is expected to be embedded in a struct arpcom, which is not the
:case for the cloned wlan interface.
:
:Cheers,
:Johannes
Ok, what I will do is adopt the changes FreeBSD made which is
to hang arpcom off of a pointer in the ifp instead of embedding
the ifnet in the arpcom.
-Matt
Matthew Dillon
<dillon@backplane.com>
Updated by dillon almost 3 years ago
Urk. Let me take that back. For the moment I'll change the wlan
code to declare an arpcom, then I'll take a look at how easy it
would be to convert all of our arpcoms to if_l2com.
-Matt
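As an added illustration, not code from this thread or from the DragonFly tree, the following models the two layouts discussed above: the legacy attach path that assumes the ifnet is the first member of an enclosing arpcom, and the pointer-based layout (an if_l2com-style pointer) Matt mentions. The structures, field names and the trailing guard pattern are constructed stand-ins for the real kernel definitions and slab guards.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ETHER_ADDR_LEN 6
#define GUARD_LEN 16
#define GUARD_BYTE 0xA5

/* Constructed, simplified stand-ins; not the real kernel structures. */
struct ifnet {
    char if_xname[16];
    void *if_l2com;          /* pointer-based layout: link-layer state hangs off here */
};
struct arpcom {
    struct ifnet ac_if;      /* legacy layout: ifnet embedded as first member */
    uint8_t ac_enaddr[ETHER_ADDR_LEN];
};
struct l2com { uint8_t enaddr[ETHER_ADDR_LEN]; };

/* Legacy attach: casts ifp to the enclosing arpcom. Correct only when the
 * caller really embedded the ifnet; a standalone if_alloc()'d ifnet is
 * overrun by the copy into ac_enaddr. */
static void attach_embedded(struct ifnet *ifp, const uint8_t *lla)
{
    struct arpcom *ac = (struct arpcom *)ifp;
    memcpy(ac->ac_enaddr, lla, ETHER_ADDR_LEN);
}

/* Pointer-based attach: link-layer state lives in its own allocation. */
static void attach_l2com(struct ifnet *ifp, const uint8_t *lla)
{
    struct l2com *l2 = calloc(1, sizeof(*l2));
    memcpy(l2->enaddr, lla, ETHER_ADDR_LEN);
    ifp->if_l2com = l2;
}

/* Mimic the slab guard: allocate exactly one ifnet followed by a guard
 * pattern, run an attach routine, and report whether the guard survived. */
static int guard_intact_after(void (*attach)(struct ifnet *, const uint8_t *))
{
    static const uint8_t lla[ETHER_ADDR_LEN] = {0x02, 0, 0, 0, 0, 1}; /* constructed */
    uint8_t *mem = malloc(sizeof(struct ifnet) + GUARD_LEN);
    struct ifnet *ifp = (struct ifnet *)mem;
    int intact = 1;
    memset(ifp, 0, sizeof(*ifp));
    memset(mem + sizeof(struct ifnet), GUARD_BYTE, GUARD_LEN);
    attach(ifp, lla);
    for (size_t i = 0; i < GUARD_LEN; i++)
        if (mem[sizeof(struct ifnet) + i] != GUARD_BYTE) intact = 0;
    free(ifp->if_l2com);   /* NULL for the legacy path */
    free(mem);
    return intact;
}

int main(void)
{
    printf("embedded layout guard intact: %d\n", guard_intact_after(attach_embedded));
    printf("l2com pointer guard intact:   %d\n", guard_intact_after(attach_l2com));
    return 0;
}
```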
Updated by alexh over 2 years ago
Has this been addressed yet?
Regards,
Alex
Updated by Johannes.Hofmann over 2 years ago
"Alex Hornung (via DragonFly issue tracker)" <sinknull@leaf.dragonflybsd.org> wrote:
>
> Alex Hornung <ahornung@gmail.com> added the comment:
>
> Has this been addressed yet?
Yes, there is a "temporary hack" that fixes it:
7e39593549a460369e7be716ca160d20932105fd