From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 205743] null pointer dereference in PF running a vimage jail
Date: Wed, 30 Dec 2015 22:48:59 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=205743

            Bug ID: 205743
           Summary: null pointer dereference in PF running a vimage jail
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: ing.gila@gmail.com
                CC: freebsd-amd64@FreeBSD.org

Running the following jail on -CURRENT:

# cat /etc/jail.conf
allow.raw_sockets = "1";
allow.set_hostname = "0";
allow.sysvipc = "1";

test {
        host.hostname = "test.bsdvm";
        vnet = "new";
        vnet.interface = "em1", "em2";
        devfs_ruleset = 4;
        allow.raw_sockets = 1;
        allow.mount.devfs = 1;
        allow.mount = 1;
        allow.sysvipc = 1;
        persist;
}

The devfs ruleset is copied from /etc/defaults and modified to expose bp* and
pf* devices.

Then within the jail:

ext_if="em1"
int_if="em2"

# options
set block-policy return
set loginterface $ext_if
set skip on lo

# scrub
scrub in

# nat/rdr
nat on $ext_if inet from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

block in all
pass out

anchor "ftp-proxy/*"
antispoof quick for { lo $int_if }

pass in inet proto icmp all icmp-type $icmp_types

pass quick on $int_if no state

Causes a 100% reproducible panic:

Fatal double fault
rip = 0xffffffff80e484a8
rsp = 0xfffffe0230ea0fd0
rbp = 0xfffffe0230ea1000
cpuid = 4; apic id = 05
panic: double fault
cpuid = 4
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2c/frame 0xfffffe0227dd8ce0
kdb_backtrace() at kdb_backtrace+0x53/frame 0xfffffe0227dd8db0
vpanic() at vpanic+0x249/frame 0xfffffe0227dd8e80
vpanic() at vpanic/frame 0xfffffe0227dd8ee0
dblfault_handler() at dblfault_handler+0x10a/frame 0xfffffe0227dd8f30
Xdblfault() at Xdblfault+0xac/frame 0xfffffe0227dd8f30
--- trap 0x17, rip = 0xffffffff80e484a8, rsp = 0xfffffe0230ea0fd0, rbp = 0xfffffe0230ea1000 ---
vtterm_cursor() at vtterm_cursor+0x8/frame 0xfffffe0230ea1000
termteken_cursor() at termteken_cursor+0x37/frame 0xfffffe0230ea1030
teken_funcs_cursor() at teken_funcs_cursor+0x3b/frame 0xfffffe0230ea1050
teken_subr_carriage_return() at teken_subr_carriage_return+0x2c/frame 0xfffffe0230ea1070
teken_input_char() at teken_input_char+0x166/frame 0xfffffe0230ea10b0
teken_input_byte() at teken_input_byte+0x50/frame 0xfffffe0230ea10d0
teken_input() at teken_input+0x52/frame 0xfffffe0230ea1100
termcn_cnputc() at termcn_cnputc+0x1c8/frame 0xfffffe0230ea11b0
cnputc() at cnputc+0x90/frame 0xfffffe0230ea11f0
cnputs() at cnputs+0x154/frame 0xfffffe0230ea1230
putbuf() at putbuf+0x15f/frame 0xfffffe0230ea1260
putchar() at putchar+0xb0/frame 0xfffffe0230ea12a0
kvprintf() at kvprintf+0x15a/frame 0xfffffe0230ea1790
_vprintf() at _vprintf+0xb9/frame 0xfffffe0230ea1890
vprintf() at vprintf+0x2d/frame 0xfffffe0230ea18c0
printf() at printf+0x4b/frame 0xfffffe0230ea1930
trap_fatal() at trap_fatal+0xf5/frame 0xfffffe0230ea1a50
trap_pfault() at trap_pfault+0x188/frame 0xfffffe0230ea1b50
trap() at trap+0x7a9/frame 0xfffffe0230ea1e90
trap_check() at trap_check+0x4a/frame 0xfffffe0230ea1eb0
calltrap() at calltrap+0x8/frame 0xfffffe0230ea1eb0
--- trap 0xc, rip = 0xffffffff8168e17f, rsp = 0xfffffe0230ea1f80, rbp = 0xfffffe0230ea1fb0 ---
pf_begin_rules() at pf_begin_rules+0x6f/frame 0xfffffe0230ea1fb0
pfioctl() at pfioctl+0xb35a/frame 0xfffffe0230ea42e0
devfs_ioctl_f() at devfs_ioctl_f+0x19c/frame 0xfffffe0230ea4420
fo_ioctl() at fo_ioctl+0x4c/frame 0xfffffe0230ea4460
kern_ioctl() at kern_ioctl+0x3c3/frame 0xfffffe0230ea45b0
sys_ioctl() at sys_ioctl+0x2b8/frame 0xfffffe0230ea4690
syscallenter() at syscallenter+0xcfa/frame 0xfffffe0230ea4990
amd64_syscall() at amd64_syscall+0x2a/frame 0xfffffe0230ea4ab0
Xfast_syscall() at Xfast_syscall+0xfb/frame 0xfffffe0230ea4ab0

(kgdb) up 36
#36 0xffffffff8168e17f in pf_begin_rules (ticket=0xfffff801e2162404, rs_num=0x0,
    anchor=0xfffff801e2162004 "") at /usr/src/sys/netpfil/pf/pf_ioctl.c:745
745             while ((rule = TAILQ_FIRST(rs->rules[rs_num].inactive.ptr)) != NULL) {
(kgdb) l
740             if (rs_num < 0 || rs_num >= PF_RULESET_MAX)
741                     return (EINVAL);
742             rs = pf_find_or_create_ruleset(anchor);
743             if (rs == NULL)
744                     return (EINVAL);
745             while ((rule = TAILQ_FIRST(rs->rules[rs_num].inactive.ptr)) != NULL) {
746                     pf_unlink_rule(rs->rules[rs_num].inactive.ptr, rule);
747                     rs->rules[rs_num].inactive.rcount--;
748             }
749             *ticket = ++rs->rules[rs_num].inactive.ticket;
(kgdb) print rs->rules[0]
$10 = {
  queues = 0xfffffe0001f8dd28,
  active = {
    ptr = 0x0,
    ptr_array = 0x0,
    rcount = 0x0,
    ticket = 0x0,
    open = 0x0
  },
  inactive = {
    ptr = 0x0,
    ptr_array = 0x0,
    rcount = 0x0,
    ticket = 0x0,
    open = 0x0
  }
}

The TAILQ_FIRST macro tries to dereference a pointer which, per the above, is
NULL.

The idea was to run PF in a jail and have it do routing for other jails.

Apologies for not knowing if there are ways to "format" the pastes.

-- 
You are receiving this mail because:
You are the assignee for the bug.
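The dereference the reporter points at, modelled as an added C illustration. This is not code from the bug report, from FreeBSD's pf, or the fix the project applied: it reproduces the shape of the loop at pf_ioctl.c:745 over a ruleset whose inactive queue head is NULL (as the kgdb dump shows for the vnet jail), and sets a guarded variant beside it that returns EINVAL instead of reading through the NULL head. The struct names, the value of RULESET_MAX, the begin_rules_* functions and the helper and scenario functions are assumptions made for the example.

```c
/* Added illustration for PR 205743, not code from the report or from pf.
 * Mimics the ruleset layout in the kgdb dump (a TAILQ head pointer that
 * is 0x0 in the vnet jail). All names here are assumptions. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/queue.h>

#define RULESET_MAX 5               /* stand-in for PF_RULESET_MAX */

struct rule {
    int id;
    TAILQ_ENTRY(rule) entries;
};
TAILQ_HEAD(rulequeue, rule);

struct rule_list {
    struct rulequeue *ptr;          /* 0x0 in "$10" above */
    unsigned rcount;
    unsigned ticket;
};

struct ruleset {
    struct { struct rule_list inactive; } rules[RULESET_MAX];
};

/* Same shape as pf_ioctl.c:745-749: inactive.ptr goes straight into
 * TAILQ_FIRST, so a NULL head is read at offset 0 and faults. */
static int
begin_rules_unchecked(struct ruleset *rs, int rs_num, unsigned *ticket)
{
    struct rule *rule;

    if (rs_num < 0 || rs_num >= RULESET_MAX)
        return (EINVAL);
    while ((rule = TAILQ_FIRST(rs->rules[rs_num].inactive.ptr)) != NULL) {
        TAILQ_REMOVE(rs->rules[rs_num].inactive.ptr, rule, entries);
        rs->rules[rs_num].inactive.rcount--;
    }
    *ticket = ++rs->rules[rs_num].inactive.ticket;
    return (0);
}

/* Guarded variant: a ruleset whose queue heads were never set up is
 * rejected before anything is dereferenced. */
static int
begin_rules_checked(struct ruleset *rs, int rs_num, unsigned *ticket)
{
    if (rs_num < 0 || rs_num >= RULESET_MAX)
        return (EINVAL);
    if (rs->rules[rs_num].inactive.ptr == NULL)
        return (EINVAL);
    return (begin_rules_unchecked(rs, rs_num, ticket));
}

/* Point each list at a real, empty queue head, as an initialised
 * ruleset would have; `heads` supplies one queue per ruleset slot. */
static void
init_ruleset(struct ruleset *rs, struct rulequeue heads[RULESET_MAX])
{
    int i;

    memset(rs, 0, sizeof(*rs));
    for (i = 0; i < RULESET_MAX; i++) {
        TAILQ_INIT(&heads[i]);
        rs->rules[i].inactive.ptr = &heads[i];
    }
}

/* Uninitialised ruleset, as in the vnet jail: every ptr is 0x0 and the
 * guarded path must return EINVAL rather than fault. */
int
scenario_uninitialised(void)
{
    struct ruleset rs;
    unsigned ticket = 0;

    memset(&rs, 0, sizeof(rs));
    return (begin_rules_checked(&rs, 0, &ticket));
}

/* Initialised ruleset with three stale inactive rules: the flush must
 * empty the queue; returns the new ticket (1), or -1 on a bad flush. */
int
scenario_initialised(void)
{
    struct ruleset rs;
    struct rulequeue heads[RULESET_MAX];
    struct rule r[3];
    unsigned ticket = 0;
    int i;

    init_ruleset(&rs, heads);
    for (i = 0; i < 3; i++) {
        r[i].id = i + 1;
        TAILQ_INSERT_TAIL(rs.rules[0].inactive.ptr, &r[i], entries);
        rs.rules[0].inactive.rcount++;
    }
    if (begin_rules_checked(&rs, 0, &ticket) != 0)
        return (-1);
    if (rs.rules[0].inactive.rcount != 0 ||
        !TAILQ_EMPTY(rs.rules[0].inactive.ptr))
        return (-1);
    return ((int)ticket);
}

int main(void)
{
    printf("uninitialised: %d (EINVAL is %d)\n", scenario_uninitialised(), EINVAL);
    printf("initialised: ticket %d\n", scenario_initialised());
    return (0);
}
```

Calling begin_rules_unchecked() on the zeroed ruleset is deliberately left out of the program: on the kernel it is the page fault in the trace above, and in user space it is a plain SIGSEGV. The guard only turns the crash into an ioctl error; it says nothing about why the per-vnet ruleset was never populated, which is the actual question the report raises.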