From owner-freebsd-bugs@FreeBSD.ORG Sun Sep 12 19:10:11 2004 Return-Path: Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D91D616A4CE for ; Sun, 12 Sep 2004 19:10:11 +0000 (GMT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id BFB0243D41 for ; Sun, 12 Sep 2004 19:10:11 +0000 (GMT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.11/8.12.11) with ESMTP id i8CJABAD020995 for ; Sun, 12 Sep 2004 19:10:11 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.12.11/8.12.11/Submit) id i8CJAB8L020994; Sun, 12 Sep 2004 19:10:11 GMT (envelope-from gnats) Resent-Date: Sun, 12 Sep 2004 19:10:11 GMT Resent-Message-Id: <200409121910.i8CJAB8L020994@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Brian Buchanan Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DB67916A4CE for ; Sun, 12 Sep 2004 19:06:28 +0000 (GMT) Received: from thought.holo.org (h-68-166-32-19.snvacaid.covad.net [68.166.32.19]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7128843D3F for ; Sun, 12 Sep 2004 19:06:28 +0000 (GMT) (envelope-from bwb@holo.org) Received: from localhost (localhost [127.0.0.1]) by thought.holo.org (8.13.1/8.13.1) with ESMTP id i8CJ6RZg001048 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Sun, 12 Sep 2004 12:06:28 -0700 (PDT) (envelope-from bwb@holo.org) Message-Id: <20040912112934.W620@thought.holo.org> Date: Sun, 12 Sep 2004 12:06:27 -0700 (PDT) From: Brian Buchanan To: freebsd-gnats-submit@FreeBSD.org Subject: kern/71677: MAC Biba / IPFW panic X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 12 Sep 2004 19:10:12 -0000 >Number: 71677 >Category: kern >Synopsis: MAC Biba / IPFW panic >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Sun Sep 12 19:10:11 GMT 2004 >Closed-Date: >Last-Modified: >Originator: Brian Buchanan >Release: FreeBSD 5.3-BETA2 i386 >Organization: >Environment: System: FreeBSD thought.holo.org 5.3-BETA2 FreeBSD 5.3-BETA2 #2: Sat Sep 11 19:21:14 PDT 2004 root@thought.holo.org:/usr/src/sys/i386/compile/THOUGHT i386 >Description: When the Biba MAC policy is loaded and IPFW is configured to send a RST in response to certain TCP packets, the system will panic when it receives a packet that triggers such an IPFW rule. panic: mac_biba_dominate_element: a->mbe_type invalid KDB: enter: panic [thread 100038] Stopped at kdb_enter+0x30: leave db> tr kdb_enter(c06d2398,c0729be0,c08a2bb4,d542c930,0) at kdb_enter+0x30 panic(c08a2bb4,c1f771c4,0,c197be70,d542c958) at panic+0xcc mac_biba_dominate_element(c1f771c4,c197be98,c08a3580,0,c1a63800) at mac_biba_dominate_element+0x12d mac_biba_effective_in_range(c1f771c0,c197be70,d542c994,c0607fdd,c1a63800) at mac_biba_effective_in_range+0x3f mac_biba_check_ifnet_transmit(c1a63800,c197a604,c1c80600,c1e18550,0) at mac_biba_check_ifnet_transmit+0x34 mac_check_ifnet_transmit(c1a63800,c1c80600,0,0,0) at mac_check_ifnet_transmit+0xad ether_output(c1a63800,c1c80600,c1b9d990,c1e199cc,c1e18540) at ether_output+0x32 ip_output(c1c80600,0,d542ca2c,0,0) at ip_output+0x9c0 send_pkt(d542cc0c,78f13960,0,6,3c2) at send_pkt+0x19a send_reject(d542cbf4,100,0,30,1) at send_reject+0xb1 ipfw_chk(d542cbf4,0,f,0,c1dcae00) at ipfw_chk+0x12e3 ipfw_check_in(0,d542cc48,c1a63800,1,0) at ipfw_check_in+0x88 pfil_run_hooks(c0730ea0,d542cc90,c1a63800,1,20a000a) at pfil_run_hooks+0xf7 ip_input(c1dcae00,c19cb6e0,0,d0cf11b1,dad35cd4) at ip_input+0x24e netisr_processqueue(c072eb78,2f5,532c9cdd,d971c9c8,0) at netisr_processqueue+0xc9 swi_net(0,0,0,0,0) at swi_net+0xca ithread_loop(c19e4280,d542cd48,0,0,0) at ithread_loop+0x1a8 fork_exit(c04b1ef0,c19e4280,d542cd48) at fork_exit+0x80 fork_trampoline() at fork_trampoline+0x8 --- trap 0x1, eip = 0, esp = 0xd542cd7c, ebp = 0 --- >How-To-Repeat: Compile "options MAC" into the kernel. Set mac_biba_load="YES" in loader.conf and reboot the system. Configure the MAC label on an Ethernet interface to "biba/equal(equal-equal)" Create an IPFW rule with the "reset" action to be invoked for packets destined to some TCP port. >From a remote machine, send a packet to the TCP port configured above. >Fix: The fix is probably to create MAC labels for packets sent by IPFW. In the case of reset packets this looks easy enough, but I'm not sure what to do about the keepalive packets sent in ipfw_tick(). Perhaps the ipfw_dyn_rule needs a label? >Release-Note: >Audit-Trail: >Unformatted: