From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-24:15.bhyve
Reply-To: freebsd-security@freebsd.org
Message-Id: <20240919154849.70DA91C274@freefall.freebsd.org>
Date: Thu, 19 Sep 2024 15:48:49 +0000 (UTC)
List-Archive: https://lists.freebsd.org/archives/freebsd-security

=============================================================================
FreeBSD-SA-24:15.bhyve                                      Security Advisory
                                                          The FreeBSD Project

Topic:          bhyve(8) out-of-bounds read access via XHCI emulation

Category:       core
Module:         bhyve
Announced:      2024-09-19
Credits:        Synacktiv
Sponsored by:   The FreeBSD Foundation, The Alpha-Omega Project
Affects:        All supported versions of FreeBSD.
Corrected:      2024-09-19 12:40:17 UTC (stable/14, 14.1-STABLE)
                2024-09-19 13:30:18 UTC (releng/14.1, 14.1-RELEASE-p5)
                2024-09-19 13:30:44 UTC (releng/14.0, 14.0-RELEASE-p11)
                2024-09-19 12:48:52 UTC (stable/13, 13.4-STABLE)
                2024-09-19 13:35:06 UTC (releng/13.4, 13.4-RELEASE-p1)
                2024-09-19 13:35:37 UTC (releng/13.3, 13.3-RELEASE-p7)
CVE Name:       CVE-2024-41721

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

bhyve(8) is a hypervisor that runs guest operating systems inside a
virtual machine.

II.  Problem Description

bhyve can be configured to emulate devices on a virtual USB controller
(XHCI), such as USB tablet devices.  An insufficient boundary validation
in the USB code could lead to an out-of-bounds read on the heap, which
could potentially lead to an arbitrary write and remote code execution.

III. Impact

Malicious, privileged software running in a guest VM can exploit the
vulnerability to crash the hypervisor process or potentially achieve
code execution on the host in the bhyve userspace process, which
typically runs as root.

Note that bhyve runs in a Capsicum sandbox, so malicious code is
constrained by the capabilities available to the bhyve process.

IV.  Workaround

No workaround is available, but guests that do not use XHCI emulation
are not impacted.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Guest operating systems emulating USB devices with XHCI need to be
restarted for the correction to be applied (i.e., their corresponding
bhyve process needs to be terminated and started again).
Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64
platforms, or the i386 platform on FreeBSD 13, can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-24:15/bhyve.patch
# fetch https://security.FreeBSD.org/patches/SA-24:15/bhyve.patch.asc
# gpg --verify bhyve.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart the corresponding bhyve processes, or reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/14/                              419da61f8203    stable/14-n268745
releng/14.1/                            3c6c0dcb5acb  releng/14.1-n267716
releng/14.0/                            ba46f1174972  releng/14.0-n265453
stable/13/                              2abd2ad64899    stable/13-n258347
releng/13.4/                            5f035df278cc  releng/13.4-n258258
releng/13.3/                            e7a790dc3ffe  releng/13.3-n257468
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References
The corresponding part of the security audit report as provided by
Synacktiv will be published in due course.

The latest revision of this advisory is available at

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-24:16.libnv
Reply-To: freebsd-security@freebsd.org
Message-Id: <20240919154902.6AA7E1C2FB@freefall.freebsd.org>
Date: Thu, 19 Sep 2024 15:49:02 +0000 (UTC)
List-Archive: https://lists.freebsd.org/archives/freebsd-security
=============================================================================
FreeBSD-SA-24:16.libnv                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Integer overflow in libnv

Category:       core
Module:         libnv
Announced:      2024-09-19
Credits:        Miłosz Kaniewski
Affects:        All supported versions of FreeBSD.
Corrected:      2024-09-15 16:59:15 UTC (stable/14, 14.1-STABLE)
                2024-09-19 13:30:20 UTC (releng/14.1, 14.1-RELEASE-p5)
                2024-09-19 13:30:45 UTC (releng/14.0, 14.0-RELEASE-p11)
                2024-09-15 16:59:51 UTC (stable/13, 13.4-STABLE)
                2024-09-19 13:35:07 UTC (releng/13.4, 13.4-RELEASE-p1)
                2024-09-19 13:35:38 UTC (releng/13.3, 13.3-RELEASE-p7)
CVE Name:       CVE-2024-45287

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

libnv (also called nvlist) is a general-purpose library designed for
storing name-value pairs.  This library can serve as an Inter-Process
Communication (IPC) framework, enabling processes to exchange data.  For
example, it is used in libcasper to communicate between privileged and
unprivileged processes.  Additionally, libnv can function as an
interface for communication between userland and kernel.

Originally, libnv was inspired by OpenZFS nvlist.  However, the
implementations are separate.  This advisory is only about the base
system implementation of libnv, not an OpenZFS one.

II.  Problem Description

A malicious value of size in a structure of packed libnv can cause an
integer overflow, leading to the allocation of a smaller buffer than
required for the parsed data.  The introduced check was incorrect, as it
took into account the size of the pointer, not the structure.  This
vulnerability affects both kernel and userland.
This issue was originally intended to be addressed as part of
FreeBSD-SA-24:09.libnv, but due to a logic issue, this issue was not
properly addressed.

III. Impact

It is possible for an attacker to overwrite portions of memory (in
userland or the kernel) as the allocated buffer might be smaller than
the data received from a malicious process.  This vulnerability could
result in privilege escalation or cause a system panic.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64
platforms, or the i386 platform on FreeBSD 13, can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-24:16/libnv.patch
# fetch https://security.FreeBSD.org/patches/SA-24:16/libnv.patch.asc
# gpg --verify libnv.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

d) Recompile your kernel as described in and reboot the system.

VI.  Correction details
This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/14/                              056c50c48be3    stable/14-n268739
releng/14.1/                            f67468e6e5e2  releng/14.1-n267717
releng/14.0/                            e9d57be06e23  releng/14.0-n265454
stable/13/                              d84fced6b468    stable/13-n258342
releng/13.4/                            2cffa6354d9f  releng/13.4-n258259
releng/13.3/                            417e81a40091  releng/13.3-n257469
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at

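The libnv advisory describes a size field in a packed stream driving an integer overflow, an undersized allocation, and a guard that divided by the size of a pointer instead of the structure. The C program below is an added illustration of that class of defect and its fix, not libnv's code: the element and header layouts, the PACKED_MAGIC value and the sample streams are constructed for the example. It shows the wrapping 32-bit size computation, the flawed guard beside the corrected one, and a parser that also checks the promised element count against the bytes actually received, which is the check that stops a short stream from being read past its end.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed-size element carried in the packed stream (16 bytes). */
struct element {
    uint64_t key;
    uint64_t value;
};

/* Wire header: "count" elements follow.  Once the stream crosses a trust
 * boundary (another process, or userland into the kernel) every field in it
 * is attacker-controlled. */
struct packed_hdr {
    uint32_t magic;
    uint32_t count;
};

#define PACKED_MAGIC 0x4e564c54u   /* constructed value for this example */

/* Allocation size computed as a 32-bit wire quantity: count * 16 wraps for
 * count >= 2^28 (to exactly 0 for count == 2^28), so a malloc() of this
 * value is far too small for the data that is then copied into it. */
uint32_t needed_bytes32(uint32_t count)
{
    return count * (uint32_t)sizeof(struct element);
}

/* Flawed guard, the mistake the advisory describes: the divisor is sizeof(e),
 * the size of a *pointer* to an element (8 on LP64), not sizeof(*e).  It
 * therefore admits counts for which needed_bytes32() wraps. */
bool count_ok_flawed(uint32_t count)
{
    struct element *e;
    return count <= UINT32_MAX / sizeof(e);
}

/* Corrected guard: divide by the size of the thing actually multiplied. */
bool count_ok_fixed(uint32_t count)
{
    return count <= UINT32_MAX / sizeof(struct element);
}

/* Parse "len" bytes of packed data.  Returns the number of elements parsed
 * (a malloc()ed copy is handed back in *out) or -1 on any malformed input.
 * The count is checked twice: against overflow, and against the bytes that
 * were really received. */
long parse_packed(const uint8_t *buf, size_t len, struct element **out)
{
    struct packed_hdr hdr;
    size_t need;

    *out = NULL;
    if (len < sizeof(hdr))
        return -1;
    memcpy(&hdr, buf, sizeof(hdr));
    if (hdr.magic != PACKED_MAGIC)
        return -1;
    if (!count_ok_fixed(hdr.count))          /* multiplication would wrap */
        return -1;
    need = (size_t)hdr.count * sizeof(struct element);
    if (need > len - sizeof(hdr))            /* header promises more than we got */
        return -1;
    if (hdr.count == 0)
        return 0;
    *out = malloc(need);
    if (*out == NULL)
        return -1;
    memcpy(*out, buf + sizeof(hdr), need);
    return (long)hdr.count;
}

/* Build a constructed sample stream: a header claiming "claimed" elements,
 * followed by "present" real ones.  Returns the bytes written (0 if cap is
 * too small). */
size_t build_sample(uint8_t *buf, size_t cap, uint32_t claimed, size_t present)
{
    struct packed_hdr hdr = { PACKED_MAGIC, claimed };
    size_t n = sizeof(hdr) + present * sizeof(struct element);

    if (n > cap)
        return 0;
    memcpy(buf, &hdr, sizeof(hdr));
    for (size_t i = 0; i < present; i++) {
        struct element e = { .key = i + 1, .value = (i + 1) * 100 };
        memcpy(buf + sizeof(hdr) + i * sizeof(e), &e, sizeof(e));
    }
    return n;
}

/* Well-formed stream (2 promised, 2 present): returns the second value, 200. */
long demo_valid(void)
{
    uint8_t buf[64];
    struct element *elems = NULL;
    size_t n = build_sample(buf, sizeof(buf), 2, 2);
    long rc = parse_packed(buf, n, &elems);
    long v = (rc == 2) ? (long)elems[1].value : -1;
    free(elems);
    return v;
}

/* Header claims 2^28 elements: the flawed guard would admit it and the
 * 32-bit size wraps to 0; the fixed parser returns -1. */
long demo_wrapping_count(void)
{
    uint8_t buf[64];
    struct element *elems;
    size_t n = build_sample(buf, sizeof(buf), 0x10000000u, 0);
    return parse_packed(buf, n, &elems);
}

/* Header claims 3 elements but only 2 were received: no overflow, yet the
 * length check still rejects it (-1) rather than reading past the buffer. */
long demo_short_stream(void)
{
    uint8_t buf[64];
    struct element *elems;
    size_t n = build_sample(buf, sizeof(buf), 3, 2);
    return parse_packed(buf, n, &elems);
}

int main(void)
{
    printf("flawed guard admits 2^28: %d, fixed guard admits it: %d, "
           "32-bit size for 2^28: %u\n", count_ok_flawed(0x10000000u),
           count_ok_fixed(0x10000000u), needed_bytes32(0x10000000u));
    printf("valid: %ld  wrapping: %ld  short: %ld\n",
           demo_valid(), demo_wrapping_count(), demo_short_stream());
    return 0;
}
```

The two guards differ only in the divisor, which is exactly why this kind of regression survives review: both read as "count is small enough". A test that feeds the boundary count (2^28 here) through the parser, rather than one that only exercises well-formed input, is what catches the difference.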
Date: Fri, 20 Sep 2024 11:50:39 +0200
From: Alexander Leidinger
To: FreeBSD Security list
Subject: "Unknown error" message from pfctl on an existing table
Hi,

# pfctl -s Tables
bruteforce
crowdsec-blocklists
crowdsec6-blocklists
martians
martians6

# pfctl -t crowdsec-blocklists -T show
pfctl: Unknown error: -1.

What could be the cause of this error?

All other tables are ok:
---snip---
# for t in $(pfctl -s Tables); do
    echo $t
    pfctl -t $t -T show | wc -l
    echo
done
bruteforce
0

crowdsec-blocklists
pfctl: Unknown error: -1.
0

crowdsec6-blocklists
610

martians
21

martians6
3
---snip---

Bye,
Alexander.
--
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild@FreeBSD.org  : PGP 0x8F31830F9F2772BF

From: Kristof Provost
To: Alexander Leidinger
Cc: FreeBSD Security list
Subject: Re: "Unknown error" message from pfctl on an existing table
Date: Fri, 20 Sep 2024 11:00:32 +0100

On 20 Sep 2024, at 10:50, Alexander Leidinger wrote:
> Hi,
>
> # pfctl -s Tables
> bruteforce
> crowdsec-blocklists
> crowdsec6-blocklists
> martians
> martians6
>
> # pfctl -t crowdsec-blocklists -T show
> pfctl: Unknown error: -1.
>
> What could be the cause of this error?

The next debugging step would be to use ‘truss’ to see what call fails.

I can reproduce the error message attempting to list a table that
doesn’t exist.

There’s been a bug with table name length:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=279225 so perhaps
that’s what you’re running into.
Best regards,
Kristof

Date: Fri, 20 Sep 2024 12:21:44 +0200
From: Alexander Leidinger
To: Kristof Provost
Cc: FreeBSD Security list
Subject: Re: "Unknown error" message from pfctl on an existing table
On 2024-09-20 12:00, Kristof Provost wrote:
> On 20 Sep 2024, at 10:50, Alexander Leidinger wrote:
>> Hi,
>>
>> # pfctl -s Tables
>> bruteforce
>> crowdsec-blocklists
>> crowdsec6-blocklists
>> martians
>> martians6
>>
>> # pfctl -t crowdsec-blocklists -T show
>> pfctl: Unknown error: -1.
>>
>> What could be the cause of this error?
> The next debugging step would be to use ‘truss’ to see what call fails.
When I list a working table (crowdsec6-blocklists):
---snip---
openat(AT_FDCWD,"/dev/pf",O_RDONLY,00)           = 3 (0x3)
ioctl(3,DIOCGETALTQSV1,0x233eb87dbe0)            ERR#19 'Operation not supported by device'
openat(AT_FDCWD,"/dev/pf",O_RDWR,00)             = 4 (0x4)
socket(PF_NETLINK,SOCK_RAW,16)                   = 5 (0x5)
setsockopt(5,270,11,0x233eb87db7c,4)             = 0 (0x0)
getsockopt(5,SOL_SOCKET,SO_RCVBUF,0x233eb87db74,0x233eb87db78) = 0 (0x0)
ioctl(3,DIOCRGETADDRS,0x233eb87d240)             = 0 (0x0)
ioctl(3,DIOCRGETADDRS,0x233eb87d240)             = 0 (0x0)
fstat(1,{ mode=-rw-r--r-- ,inode=6897,size=7721,blksize=24064 }) = 0 (0x0)
2001:620:20d0::24
2001:67c:6ec:203:192:42:116:173
2001:67c:6ec:203:192:42:116:174
---snip---

When I list the non-working table (crowdsec-blocklists):
---snip---
openat(AT_FDCWD,"/dev/pf",O_RDONLY,00)           = 3 (0x3)
ioctl(3,DIOCGETALTQSV1,0x19fc93899a90)           ERR#19 'Operation not supported by device'
openat(AT_FDCWD,"/dev/pf",O_RDWR,00)             = 4 (0x4)
socket(PF_NETLINK,SOCK_RAW,16)                   = 5 (0x5)
setsockopt(5,270,11,0x19fc93899a2c,4)            = 0 (0x0)
getsockopt(5,SOL_SOCKET,SO_RCVBUF,0x19fc93899a24,0x19fc93899a28) = 0 (0x0)
ioctl(3,DIOCRGETADDRS,0x19fc938990f0)            = 0 (0x0)
ioctl(3,DIOCRGETADDRS,0x19fc938990f0)            ERR#22 'Invalid argument'
issetugid()                                      = 0 (0x0)
---snip---

> I can reproduce the error message attempting to list a table that
> doesn’t exist.

Well... at least it shows up in the list of tables...

> There’s been a bug with table name length:
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=279225 so perhaps
> that’s what you’re running into.

I can list crowdsec6-blocklists, but not crowdsec-blocklists. This is
current as of 2024-09-05-105247. After looking at the PR, I should run a
FreeBSD version which is not affected by this. Correct?

I have this on two systems running this version of current.

Bye,
Alexander.
-- 
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild@FreeBSD.org  : PGP 0x8F31830F9F2772BF
From: Kristof Provost
To: Alexander Leidinger
Cc: FreeBSD Security list
Subject: Re: "Unknown error" message from pfctl on an existing table
Date: Fri, 20 Sep 2024 11:27:30 +0100

On 20 Sep 2024, at 11:21, Alexander Leidinger wrote:
> On 2024-09-20 12:00, Kristof Provost wrote:
>> On 20 Sep 2024, at 10:50, Alexander Leidinger wrote:
>>> Hi,
>>>
>>> # pfctl -s Tables
>>> bruteforce
>>> crowdsec-blocklists
>>> crowdsec6-blocklists
>>> martians
>>> martians6
>>>
>>> # pfctl -t crowdsec-blocklists -T show
>>> pfctl: Unknown error: -1.
>>>
>>> What could be the cause of this error?
>> The next debugging step would be to use ‘truss’ to see what call fails.
>
> When I list a working table (crowdsec6-blocklists):
> ---snip---
> openat(AT_FDCWD,"/dev/pf",O_RDONLY,00) = 3 (0x3)
> ioctl(3,DIOCGETALTQSV1,0x233eb87dbe0) ERR#19 'Operation not supported by device'
> openat(AT_FDCWD,"/dev/pf",O_RDWR,00) = 4 (0x4)
> socket(PF_NETLINK,SOCK_RAW,16) = 5 (0x5)
> setsockopt(5,270,11,0x233eb87db7c,4) = 0 (0x0)
> getsockopt(5,SOL_SOCKET,SO_RCVBUF,0x233eb87db74,0x233eb87db78) = 0 (0x0)
> ioctl(3,DIOCRGETADDRS,0x233eb87d240) = 0 (0x0)
> ioctl(3,DIOCRGETADDRS,0x233eb87d240) = 0 (0x0)
> fstat(1,{ mode=-rw-r--r-- ,inode=6897,size=7721,blksize=24064 }) = 0 (0x0)
> 2001:620:20d0::24
> 2001:67c:6ec:203:192:42:116:173
> 2001:67c:6ec:203:192:42:116:174
> ---snip---
>
> When I list the non-working table (crowdsec-blocklists):
> ---snip---
> openat(AT_FDCWD,"/dev/pf",O_RDONLY,00) = 3 (0x3)
> ioctl(3,DIOCGETALTQSV1,0x19fc93899a90) ERR#19 'Operation not supported by device'
> openat(AT_FDCWD,"/dev/pf",O_RDWR,00) = 4 (0x4)
> socket(PF_NETLINK,SOCK_RAW,16) = 5 (0x5)
> setsockopt(5,270,11,0x19fc93899a2c,4) = 0 (0x0)
> getsockopt(5,SOL_SOCKET,SO_RCVBUF,0x19fc93899a24,0x19fc93899a28) = 0 (0x0)
> ioctl(3,DIOCRGETADDRS,0x19fc938990f0) = 0 (0x0)
> ioctl(3,DIOCRGETADDRS,0x19fc938990f0) ERR#22 'Invalid argument'
> issetugid() = 0 (0x0)
> ---snip---
>
That’s not the error code I see for a non-existent table, so it’s not quite the same issue.

DIOCRGETADDRS returns EINVAL, which is probably because the table is running into the net.pf.request_maxcount limit. Try increasing that sysctl.

That limitation will go away when I get around to converting that particular ioctl to netlink, but that probably won’t be today. I still hope to get all of them converted before we branch 15, but that’s a hope and not a promise.

In the meantime I’ll improve libpfctl so we get an actual error message printed in pfctl, rather than ‘unknown error’.

>> I can reproduce the error message attempting to list a table that doesn’t exist.
>
> Well... at least it shows up in the list of tables...
>
>> There’s been a bug with table name length: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=279225 so perhaps that’s what you’re running into.
>
> I can list crowdsec6-blocklists, but not crowdsec-blocklists. This is current as of 2024-09-05-105247. After looking at the PR, I should run a FreeBSD version which is not affected by this. Correct?
>
Correct.

Best regards,
Kristof
Date: Fri, 20 Sep 2024 12:39:16 +0200
From: Alexander Leidinger
To: Kristof Provost
Cc: FreeBSD Security list
Subject: Re: "Unknown error" message from pfctl on an existing table

On 2024-09-20 12:27, Kristof Provost wrote:
> On 20 Sep 2024, at 11:21, Alexander Leidinger wrote:
>> When I list the non-working table (crowdsec-blocklists):
>> ---snip---
>> openat(AT_FDCWD,"/dev/pf",O_RDONLY,00) = 3 (0x3)
>> ioctl(3,DIOCGETALTQSV1,0x19fc93899a90) ERR#19 'Operation not supported by device'
>> openat(AT_FDCWD,"/dev/pf",O_RDWR,00) = 4 (0x4)
>> socket(PF_NETLINK,SOCK_RAW,16) = 5 (0x5)
>> setsockopt(5,270,11,0x19fc93899a2c,4) = 0 (0x0)
>> getsockopt(5,SOL_SOCKET,SO_RCVBUF,0x19fc93899a24,0x19fc93899a28) = 0 (0x0)
>> ioctl(3,DIOCRGETADDRS,0x19fc938990f0) = 0 (0x0)
>> ioctl(3,DIOCRGETADDRS,0x19fc938990f0) ERR#22 'Invalid argument'
>> issetugid() = 0 (0x0)
>> ---snip---
>>
> That’s not the error code I see for a non-existent table, so it’s not quite the same issue.
>
> DIOCRGETADDRS returns EINVAL, which is probably because the table is running into the net.pf.request_maxcount limit. Try increasing that sysctl.

Yes:

# pfctl -t crowdsec-blocklists -T show | wc -l
   74167

Thanks!
Alexander.
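As an added example (not code from this thread, pfctl or FreeBSD), the POSIX sh script below turns the diagnosis above into a check: it parses the per-table `Addresses:` count from `pfctl -vvs Tables` and reports every table larger than net.pf.request_maxcount, the limit at which the second DIOCRGETADDRS call in the truss output fails with EINVAL and pfctl prints "Unknown error: -1". The sample pfctl output is constructed (only the 74167 count comes from the thread), and the `-vvs Tables` layout it parses and the 65535 default for the sysctl are assumptions to confirm on your own system.

```shell
#!/bin/sh
# Added example, not from the thread: spot pf tables whose address count
# exceeds net.pf.request_maxcount. Per the diagnosis above, listing such a
# table makes the second DIOCRGETADDRS ioctl fail with EINVAL, which pfctl
# reports as "Unknown error: -1".

# Constructed stand-in for 'pfctl -vvs Tables' output (flags and name on
# one line, indented stats below it); only the 74167 comes from the thread.
sample_tables() {
    printf '%b\n' \
        '-pa-r--\tcrowdsec-blocklists' \
        '\tAddresses:   74167' \
        '\tCleared:     Thu Sep  5 10:52:47 2024' \
        '\tReferences:  [ Anchors: 0 Rules: 1 ]' \
        '-pa-r--\tcrowdsec6-blocklists' \
        '\tAddresses:   3' \
        '\tCleared:     Thu Sep  5 10:52:47 2024' \
        '\tReferences:  [ Anchors: 0 Rules: 1 ]' \
        '-pa-r--\tmartians' \
        '\tAddresses:   14' \
        '\tReferences:  [ Anchors: 0 Rules: 1 ]'
}

# Read 'pfctl -vvs Tables' output on stdin and print "<table> <addresses>"
# for every table holding more addresses than the limit given as $1.
oversized_tables() {
    awk -v limit="$1" '
        # Table header line: "<flags>\t<name>" (flags are letters and dashes)
        NF == 2 && $1 ~ /^[-a-zA-Z]+$/ { name = $2; next }
        # Stats line "Addresses:   N" belongs to the most recent header
        $1 == "Addresses:" && $2 + 0 > limit + 0 { print name, $2 }
    '
}

# Run the check against the constructed sample with an explicit limit.
check_sample() {
    sample_tables | oversized_tables "$1"
}

# On a FreeBSD host: compare the live tables with the live sysctl value
# (65535 by default; raise it with 'sysctl net.pf.request_maxcount=N'
# and persist it in /etc/sysctl.conf).
live_check() {
    limit=$(sysctl -n net.pf.request_maxcount) || return 1
    pfctl -vvs Tables | oversized_tables "$limit"
}

check_sample 65535   # prints: crowdsec-blocklists 74167
```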