Date:      Wed, 30 Dec 2015 22:48:59 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 205743] null pointer dereference in PF running a vimage jail
Message-ID:  <bug-205743-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=205743

            Bug ID: 205743
           Summary: null pointer dereference in PF running a vimage jail
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: ing.gila@gmail.com
                CC: freebsd-amd64@FreeBSD.org
                CC: freebsd-amd64@FreeBSD.org

Running the following jail on -CURRENT:

# cat /etc/jail.conf

allow.raw_sockets = "1";
allow.set_hostname = "0";
allow.sysvipc = "1";

test {
        host.hostname = "test.bsdvm";
        vnet = "new";
        vnet.interface  = "em1", "em2";
        devfs_ruleset = 4;
        allow.raw_sockets = 1;
        allow.mount.devfs = 1;
        allow.mount = 1;
        allow.sysvipc = 1;
        persist;
}

The devfs ruleset is copied from /etc/defaults and modified to expose the bp* and
pf* devices.

Then within the jail:

ext_if="em1"
int_if="em2"

# options
set block-policy return
set loginterface $ext_if

set skip on lo

# scrub
scrub in

# nat/rdr
nat on $ext_if inet from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

block in all

pass out

anchor "ftp-proxy/*"
antispoof quick for { lo $int_if }
pass in inet proto icmp all icmp-type $icmp_types
pass quick on $int_if no state


Causes a 100% reproducible panic:

Fatal double fault
rip = 0xffffffff80e484a8
rsp = 0xfffffe0230ea0fd0
rbp = 0xfffffe0230ea1000
cpuid = 4; apic id = 05
panic: double fault
cpuid =3D 4
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2c/frame 0xfffffe0227dd8ce0
kdb_backtrace() at kdb_backtrace+0x53/frame 0xfffffe0227dd8db0
vpanic() at vpanic+0x249/frame 0xfffffe0227dd8e80
vpanic() at vpanic/frame 0xfffffe0227dd8ee0
dblfault_handler() at dblfault_handler+0x10a/frame 0xfffffe0227dd8f30
Xdblfault() at Xdblfault+0xac/frame 0xfffffe0227dd8f30
--- trap 0x17, rip = 0xffffffff80e484a8, rsp = 0xfffffe0230ea0fd0, rbp = 0xfffffe0230ea1000 ---
vtterm_cursor() at vtterm_cursor+0x8/frame 0xfffffe0230ea1000
termteken_cursor() at termteken_cursor+0x37/frame 0xfffffe0230ea1030
teken_funcs_cursor() at teken_funcs_cursor+0x3b/frame 0xfffffe0230ea1050
teken_subr_carriage_return() at teken_subr_carriage_return+0x2c/frame
0xfffffe0230ea1070
teken_input_char() at teken_input_char+0x166/frame 0xfffffe0230ea10b0
teken_input_byte() at teken_input_byte+0x50/frame 0xfffffe0230ea10d0
teken_input() at teken_input+0x52/frame 0xfffffe0230ea1100
termcn_cnputc() at termcn_cnputc+0x1c8/frame 0xfffffe0230ea11b0
cnputc() at cnputc+0x90/frame 0xfffffe0230ea11f0
cnputs() at cnputs+0x154/frame 0xfffffe0230ea1230
putbuf() at putbuf+0x15f/frame 0xfffffe0230ea1260
putchar() at putchar+0xb0/frame 0xfffffe0230ea12a0
kvprintf() at kvprintf+0x15a/frame 0xfffffe0230ea1790
_vprintf() at _vprintf+0xb9/frame 0xfffffe0230ea1890
vprintf() at vprintf+0x2d/frame 0xfffffe0230ea18c0
printf() at printf+0x4b/frame 0xfffffe0230ea1930
trap_fatal() at trap_fatal+0xf5/frame 0xfffffe0230ea1a50
trap_pfault() at trap_pfault+0x188/frame 0xfffffe0230ea1b50
trap() at trap+0x7a9/frame 0xfffffe0230ea1e90
trap_check() at trap_check+0x4a/frame 0xfffffe0230ea1eb0
calltrap() at calltrap+0x8/frame 0xfffffe0230ea1eb0
--- trap 0xc, rip = 0xffffffff8168e17f, rsp = 0xfffffe0230ea1f80, rbp = 0xfffffe0230ea1fb0 ---
pf_begin_rules() at pf_begin_rules+0x6f/frame 0xfffffe0230ea1fb0
pfioctl() at pfioctl+0xb35a/frame 0xfffffe0230ea42e0
devfs_ioctl_f() at devfs_ioctl_f+0x19c/frame 0xfffffe0230ea4420
fo_ioctl() at fo_ioctl+0x4c/frame 0xfffffe0230ea4460
kern_ioctl() at kern_ioctl+0x3c3/frame 0xfffffe0230ea45b0
sys_ioctl() at sys_ioctl+0x2b8/frame 0xfffffe0230ea4690
syscallenter() at syscallenter+0xcfa/frame 0xfffffe0230ea4990
amd64_syscall() at amd64_syscall+0x2a/frame 0xfffffe0230ea4ab0
Xfast_syscall() at Xfast_syscall+0xfb/frame 0xfffffe0230ea4ab0

(kgdb) up 36
#36 0xffffffff8168e17f in pf_begin_rules (ticket=0xfffff801e2162404,
rs_num=0x0, anchor=0xfffff801e2162004 "")
    at /usr/src/sys/netpfil/pf/pf_ioctl.c:745
745             while ((rule = TAILQ_FIRST(rs->rules[rs_num].inactive.ptr)) != NULL) {
(kgdb) l
740             if (rs_num < 0 || rs_num >= PF_RULESET_MAX)
741                     return (EINVAL);
742             rs = pf_find_or_create_ruleset(anchor);
743             if (rs == NULL)
744                     return (EINVAL);
745             while ((rule = TAILQ_FIRST(rs->rules[rs_num].inactive.ptr)) != NULL) {
746                     pf_unlink_rule(rs->rules[rs_num].inactive.ptr, rule);
747                     rs->rules[rs_num].inactive.rcount--;
748             }
749             *ticket = ++rs->rules[rs_num].inactive.ticket;

(kgdb) print rs->rules[0]
$10 = {
  queues = 0xfffffe0001f8dd28,
  active = {
    ptr = 0x0,
    ptr_array = 0x0,
    rcount = 0x0,
    ticket = 0x0,
    open = 0x0
  },
  inactive = {
    ptr = 0x0,
    ptr_array = 0x0,
    rcount = 0x0,
    ticket = 0x0,
    open = 0x0
  }
}


The TAILQ_FIRST macro dereferences a pointer which, as shown above, is NULL.
The idea was to run PF in a jail and have it do routing for other jails.

Apologies for not knowing if there are ways to "format" the pastes.

-- 
You are receiving this mail because:
You are the assignee for the bug.


