The branch main has been updated by cy: URL: https://cgit.FreeBSD.org/src/commit/?id=0d589ecbc7aa916537fd21c0344919491cfcb293
commit 0d589ecbc7aa916537fd21c0344919491cfcb293 Author: Cy Schubert <[email protected]> AuthorDate: 2025-10-22 16:29:03 +0000 Commit: Cy Schubert <[email protected]> CommitDate: 2025-10-23 22:56:28 +0000 ipfilter: Plug ip_htable kernel information leak ipf_htable_stats_get() constructs an iphtstat_t on the stack and only initializes select fields before copying the entire structure to userland. The trailing padding array iphs_pad[16] is never initialized, so ~128 bytes of uninitialized kernel stack memory can be leaked to user space on each call. This is a classic information disclosure vulnerability that can reveal pointers and other sensitive data. We fix this by zeroing out the data structure prior to use. Reported by: Ilja Van Sprundel <[email protected]> Reviewed by: emaste MFC after: 3 days Differential revision: https://reviews.freebsd.org/D53275 --- sys/netpfil/ipfilter/netinet/ip_htable.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sys/netpfil/ipfilter/netinet/ip_htable.c b/sys/netpfil/ipfilter/netinet/ip_htable.c index 91b375f80db1..3f765cfab947 100644 --- a/sys/netpfil/ipfilter/netinet/ip_htable.c +++ b/sys/netpfil/ipfilter/netinet/ip_htable.c @@ -230,6 +230,8 @@ ipf_htable_stats_get(ipf_main_softc_t *softc, void *arg, iplookupop_t *op) return (EINVAL); } + bzero(&stats, sizeof(stats)); + stats.iphs_tables = softh->ipf_htables[op->iplo_unit + 1]; stats.iphs_numtables = softh->ipf_nhtables[op->iplo_unit + 1]; stats.iphs_numnodes = softh->ipf_nhtnodes[op->iplo_unit + 1];
