[Bug 205743] null pointer dereference in PF running a vimage jail
bugzilla-noreply at freebsd.org
Wed Dec 30 22:49:00 UTC 2015
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=205743
Bug ID: 205743
Summary: null pointer dereference in PF running a vimage jail
Product: Base System
Version: 11.0-CURRENT
Hardware: amd64
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: freebsd-bugs at FreeBSD.org
Reporter: ing.gila at gmail.com
CC: freebsd-amd64 at FreeBSD.org
Running the following jail on -CURRENT:
# cat /etc/jail.conf
allow.raw_sockets = "1";
allow.set_hostname = "0";
allow.sysvipc = "1";
test {
    host.hostname = "test.bsdvm";
    vnet = "new";
    vnet.interface = "em1", "em2";
    devfs_ruleset = 4;
    allow.raw_sockets = 1;
    allow.mount.devfs = 1;
    allow.mount = 1;
    allow.sysvipc = 1;
    persist;
}
The devfs ruleset is copied from /etc/defaults and modified to expose bp* and pf* devices.
Then within the jail:
ext_if="em1"
int_if="em2"
# options
set block-policy return
set loginterface $ext_if
set skip on lo
# scrub
scrub in
# nat/rdr
nat on $ext_if inet from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
block in all
pass out
anchor "ftp-proxy/*"
antispoof quick for { lo $int_if }
pass in inet proto icmp all icmp-type $icmp_types
pass quick on $int_if no state
Causes a 100% reproducible panic:
Fatal double fault
rip = 0xffffffff80e484a8
rsp = 0xfffffe0230ea0fd0
rbp = 0xfffffe0230ea1000
cpuid = 4; apic id = 05
panic: double fault
cpuid = 4
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2c/frame 0xfffffe0227dd8ce0
kdb_backtrace() at kdb_backtrace+0x53/frame 0xfffffe0227dd8db0
vpanic() at vpanic+0x249/frame 0xfffffe0227dd8e80
vpanic() at vpanic/frame 0xfffffe0227dd8ee0
dblfault_handler() at dblfault_handler+0x10a/frame 0xfffffe0227dd8f30
Xdblfault() at Xdblfault+0xac/frame 0xfffffe0227dd8f30
--- trap 0x17, rip = 0xffffffff80e484a8, rsp = 0xfffffe0230ea0fd0, rbp = 0xfffffe0230ea1000 ---
vtterm_cursor() at vtterm_cursor+0x8/frame 0xfffffe0230ea1000
termteken_cursor() at termteken_cursor+0x37/frame 0xfffffe0230ea1030
teken_funcs_cursor() at teken_funcs_cursor+0x3b/frame 0xfffffe0230ea1050
teken_subr_carriage_return() at teken_subr_carriage_return+0x2c/frame 0xfffffe0230ea1070
teken_input_char() at teken_input_char+0x166/frame 0xfffffe0230ea10b0
teken_input_byte() at teken_input_byte+0x50/frame 0xfffffe0230ea10d0
teken_input() at teken_input+0x52/frame 0xfffffe0230ea1100
termcn_cnputc() at termcn_cnputc+0x1c8/frame 0xfffffe0230ea11b0
cnputc() at cnputc+0x90/frame 0xfffffe0230ea11f0
cnputs() at cnputs+0x154/frame 0xfffffe0230ea1230
putbuf() at putbuf+0x15f/frame 0xfffffe0230ea1260
putchar() at putchar+0xb0/frame 0xfffffe0230ea12a0
kvprintf() at kvprintf+0x15a/frame 0xfffffe0230ea1790
_vprintf() at _vprintf+0xb9/frame 0xfffffe0230ea1890
vprintf() at vprintf+0x2d/frame 0xfffffe0230ea18c0
printf() at printf+0x4b/frame 0xfffffe0230ea1930
trap_fatal() at trap_fatal+0xf5/frame 0xfffffe0230ea1a50
trap_pfault() at trap_pfault+0x188/frame 0xfffffe0230ea1b50
trap() at trap+0x7a9/frame 0xfffffe0230ea1e90
trap_check() at trap_check+0x4a/frame 0xfffffe0230ea1eb0
calltrap() at calltrap+0x8/frame 0xfffffe0230ea1eb0
--- trap 0xc, rip = 0xffffffff8168e17f, rsp = 0xfffffe0230ea1f80, rbp = 0xfffffe0230ea1fb0 ---
pf_begin_rules() at pf_begin_rules+0x6f/frame 0xfffffe0230ea1fb0
pfioctl() at pfioctl+0xb35a/frame 0xfffffe0230ea42e0
devfs_ioctl_f() at devfs_ioctl_f+0x19c/frame 0xfffffe0230ea4420
fo_ioctl() at fo_ioctl+0x4c/frame 0xfffffe0230ea4460
kern_ioctl() at kern_ioctl+0x3c3/frame 0xfffffe0230ea45b0
sys_ioctl() at sys_ioctl+0x2b8/frame 0xfffffe0230ea4690
syscallenter() at syscallenter+0xcfa/frame 0xfffffe0230ea4990
amd64_syscall() at amd64_syscall+0x2a/frame 0xfffffe0230ea4ab0
Xfast_syscall() at Xfast_syscall+0xfb/frame 0xfffffe0230ea4ab0
(kgdb) up 36
#36 0xffffffff8168e17f in pf_begin_rules (ticket=0xfffff801e2162404,
rs_num=0x0, anchor=0xfffff801e2162004 "")
at /usr/src/sys/netpfil/pf/pf_ioctl.c:745
745 while ((rule = TAILQ_FIRST(rs->rules[rs_num].inactive.ptr)) != NULL) {
(kgdb) l
740 if (rs_num < 0 || rs_num >= PF_RULESET_MAX)
741 return (EINVAL);
742 rs = pf_find_or_create_ruleset(anchor);
743 if (rs == NULL)
744 return (EINVAL);
745 while ((rule = TAILQ_FIRST(rs->rules[rs_num].inactive.ptr)) != NULL) {
746 pf_unlink_rule(rs->rules[rs_num].inactive.ptr, rule);
747 rs->rules[rs_num].inactive.rcount--;
748 }
749 *ticket = ++rs->rules[rs_num].inactive.ticket;
(kgdb) print rs->rules[0]
$10 = {
queues = 0xfffffe0001f8dd28,
active = {
ptr = 0x0,
ptr_array = 0x0,
rcount = 0x0,
ticket = 0x0,
open = 0x0
},
inactive = {
ptr = 0x0,
ptr_array = 0x0,
rcount = 0x0,
ticket = 0x0,
open = 0x0
}
}
The TAILQ_FIRST macro tries to dereference a pointer which, per the above, is NULL.
The idea was to run PF in a jail and have it do routing for other jails.
Apologies for not knowing if there are ways to "format" the pastes.
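As an added illustration (not code from the report or from FreeBSD's pf), the function below carries the quoted pf_begin_rules() logic over to stand-in structures shaped like the kgdb dump and adds a NULL check on inactive.ptr, so the all-zero rule set is rejected with EINVAL instead of being dereferenced. The structure definitions, PF_RULESET_MAX = 2 and the two scenario helpers are assumptions made for the demo; the guard is only a stop-gap, since the rule set still has to be initialised for the jail's vnet before pf can be used there.

```c
#include <errno.h>
#include <string.h>
#define PF_RULESET_MAX 2                      /* constructed; the kernel has more types */
#define TAILQ_FIRST(head) ((head)->tqh_first) /* same definition as sys/queue.h */

/* Stand-ins for the kernel structures, shaped like the kgdb dump in the report. */
struct pf_rule { struct pf_rule *tqe_next; };
struct pf_rulequeue { struct pf_rule *tqh_first; };
struct pf_rulegroup { struct pf_rulequeue *ptr; int rcount; unsigned ticket; };
struct pf_ruleset {
	struct { struct pf_rulequeue queues[2]; struct pf_rulegroup active, inactive; }
	    rules[PF_RULESET_MAX];
};
/* Unlink the head rule; stand-in for the kernel's pf_unlink_rule(). */
static void pf_unlink_rule(struct pf_rulequeue *q, struct pf_rule *r) { q->tqh_first = r->tqe_next; }

/* Same logic as pf_ioctl.c lines 740-749 quoted above, plus one guard: a rule set whose
 * inactive.ptr was never wired up is rejected (EINVAL) instead of dereferenced (panic). */
int pf_begin_rules_guarded(unsigned *ticket, int rs_num, struct pf_ruleset *rs)
{
	struct pf_rule *rule;
	if (rs_num < 0 || rs_num >= PF_RULESET_MAX)
		return (EINVAL);
	if (rs == NULL || rs->rules[rs_num].inactive.ptr == NULL) /* added guard */
		return (EINVAL);
	while ((rule = TAILQ_FIRST(rs->rules[rs_num].inactive.ptr)) != NULL) {
		pf_unlink_rule(rs->rules[rs_num].inactive.ptr, rule);
		rs->rules[rs_num].inactive.rcount--;
	}
	*ticket = ++rs->rules[rs_num].inactive.ticket;
	return (0);
}

/* The report's situation: every field zero, as in "print rs->rules[0]". */
int begin_on_uninitialised_ruleset(void)
{
	struct pf_ruleset rs; unsigned ticket = 0;
	memset(&rs, 0, sizeof(rs));
	return (pf_begin_rules_guarded(&ticket, 0, &rs)); /* EINVAL instead of a fault */
}
/* A wired-up rule set with two stale inactive rules: both are flushed and a fresh
 * ticket issued. Returns the ticket (rcount via *rcount_out), or -1 on error. */
int begin_on_initialised_ruleset(int *rcount_out)
{
	struct pf_ruleset rs; struct pf_rule r1 = { 0 }, r2 = { 0 }; unsigned ticket = 0;
	memset(&rs, 0, sizeof(rs));
	rs.rules[0].inactive.ptr = &rs.rules[0].queues[1]; /* what proper initialisation sets */
	r1.tqe_next = &r2; rs.rules[0].queues[1].tqh_first = &r1; rs.rules[0].inactive.rcount = 2;
	if (pf_begin_rules_guarded(&ticket, 0, &rs) != 0) return (-1);
	*rcount_out = rs.rules[0].inactive.rcount;
	return ((int)ticket);
}
```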