Re: kern/58688: userland panic of kernel via wg(4)
The following reply was made to PR kern/58688; it has been noted by GNATS.
From: mlelstv%serpens.de@localhost (Michael van Elst)
To: gnats-bugs%netbsd.org@localhost
Cc:
Subject: Re: kern/58688: userland panic of kernel via wg(4)
Date: Sun, 22 Sep 2024 22:52:37 -0000 (UTC)
gnats-admin%NetBSD.org@localhost ("Harold Gutch via gnats") writes:
> [ 242.3181815] m_freem() at netbsd:m_freem+0xe
> [ 242.3181815] udp6_input() at netbsd:udp6_input+0x98
wg_overudp_cb frees an mbuf and returns -1, but doesn't clear *mp.
udp6_realinput just passes through the condition as rcvcnt = -1.
udp6_input frees the mbuf again.
int
udp6_input(struct mbuf **mp)
{
	struct mbuf *m = *mp;

	if (udp6_realinput(&m) == 0) {
		...
		m = NULL;
	}
	m_freem(m);
}

int
udp6_realinput(struct mbuf **mp)
{
	...
	ret = inp->inp_overudp_cb(mp);
	switch (ret) {
	case -1: /* Error, m was freed */
		rcvcnt = -1;
		goto bad;
	...
	}
bad:
	return rcvcnt;
}

int
wg_overudp_cb(struct mbuf **mp)
{
	struct mbuf *m = *mp;
	...
	if (...) {
		m_freem(m);
		return -1;
	}
	...
}
An unrelated problem in udp6_realinput: the *mp value isn't
cached again in m.

	case 0: /* plain UDP */
	default: /* Unexpected */
		/*
		 * Normal UDP processing will take place,
		 * m may have changed.
		 */
		break;
	...
	}
	udp6_sendup(m, off, sin6tosa(src), inp->inp_socket);
This only works because the overudp routine in wg(4) does not change m
when returning zero.
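An added illustration, not code from the PR or from NetBSD: a small C model of the mbuf ownership contract the message describes. It keeps the shape of udp6_input -> udp6_realinput -> inp_overudp_cb, but replaces the mbuf allocator with a fake pool that records a double free or a use-after-free instead of corrupting memory. The three callbacks, the recache switch and all tm_* helpers are constructed for this example; the "clear *mp" callback shows one possible way to satisfy the contract and is an assumption, not the fix adopted in the PR.

```c
/* Toy model of the double-free / stale-m problems in the PR.  Constructed
 * for illustration; none of this is NetBSD code. */
#include <stddef.h>
#include <stdio.h>

#define POOL_SIZE 8

struct tmbuf {
	int allocated;		/* 1 while live, 0 after tm_freem() */
};

struct run_result {
	int double_frees;	/* tm_freem() on an already freed mbuf */
	int use_after_free;	/* tm_sendup() on an already freed mbuf */
};

static struct tmbuf pool[POOL_SIZE];
static int next_slot;
static struct run_result stats;

static void tm_reset(void)
{
	size_t i;
	for (i = 0; i < POOL_SIZE; i++)
		pool[i].allocated = 0;
	next_slot = 0;
	stats.double_frees = stats.use_after_free = 0;
}

/* Stand-in for m_gethdr(): round-robin slots, so a freed slot is not
 * handed out again immediately (that would mask a dangling pointer). */
static struct tmbuf *tm_get(void)
{
	struct tmbuf *m = &pool[next_slot++ % POOL_SIZE];
	m->allocated = 1;
	return m;
}

/* Stand-in for m_freem(): NULL is a no-op, as with the real function. */
static void tm_freem(struct tmbuf *m)
{
	if (m == NULL)
		return;
	if (!m->allocated) {
		stats.double_frees++;
		return;
	}
	m->allocated = 0;
}

/* Stand-in for udp6_sendup(): only checks it was given a live mbuf. */
static void tm_sendup(struct tmbuf *m)
{
	if (m == NULL || !m->allocated)
		stats.use_after_free++;
}

typedef int (*overudp_cb_t)(struct tmbuf **mp);

/* Behaves as the message describes wg_overudp_cb: frees m, returns -1,
 * leaves *mp dangling. */
static int cb_free_without_clearing(struct tmbuf **mp)
{
	tm_freem(*mp);
	return -1;
}

/* Same, but clears *mp so the caller has nothing left to free
 * (assumed remedy for the example, not taken from the PR). */
static int cb_free_and_clear(struct tmbuf **mp)
{
	tm_freem(*mp);
	*mp = NULL;
	return -1;
}

/* Returns 0 after replacing the mbuf: the "m may have changed" case that
 * the message says wg(4) happens never to trigger. */
static int cb_replace_mbuf(struct tmbuf **mp)
{
	tm_freem(*mp);
	*mp = tm_get();
	return 0;
}

/* Shape of udp6_realinput(): -1 on callback error, 1 when delivered.
 * recache != 0 re-reads m from *mp after the callback. */
static int model_udp6_realinput(struct tmbuf **mp, overudp_cb_t cb, int recache)
{
	struct tmbuf *m = *mp;
	int rcvcnt = 0;
	int ret = cb(mp);

	switch (ret) {
	case -1:	/* Error, m was freed */
		rcvcnt = -1;
		goto bad;
	case 0:		/* plain UDP */
	default:	/* Unexpected: normal processing, m may have changed */
		break;
	}
	if (recache)
		m = *mp;	/* the missing step the message points out */
	tm_sendup(m);
	rcvcnt = 1;
bad:
	return rcvcnt;
}

/* Shape of udp6_input(): frees whatever is left in m unless realinput
 * returned 0, in which case the mbuf was consumed elsewhere. */
static struct run_result run_path(overudp_cb_t cb, int recache)
{
	struct tmbuf *m;

	tm_reset();
	m = tm_get();
	if (model_udp6_realinput(&m, cb, recache) == 0)
		m = NULL;
	tm_freem(m);
	return stats;
}

int main(void)
{
	printf("as reported:   double frees=%d\n", run_path(cb_free_without_clearing, 1).double_frees);
	printf("cb clears *mp: double frees=%d\n", run_path(cb_free_and_clear, 1).double_frees);
	printf("no recache:    use after free=%d\n", run_path(cb_replace_mbuf, 0).use_after_free);
	printf("with recache:  use after free=%d\n", run_path(cb_replace_mbuf, 1).use_after_free);
	return 0;
}
```

The first two runs reproduce the -1 path from the PR: with the pointer left dangling the outer m_freem equivalent frees the mbuf a second time, with *mp cleared it does not. The last two runs exercise the second observation: a callback that legitimately swaps the mbuf and returns 0 is only safe if udp6_realinput re-reads m from *mp before passing it on.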