From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 266442] kernel page fault on packet with broken lengths if ipfilter is loaded
Date: Fri, 16 Sep 2022 10:10:59 +0000
List-Archive: https://lists.freebsd.org/archives/freebsd-bugs
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=266442

            Bug ID: 266442
           Summary: kernel page fault on packet with broken lengths if
                    ipfilter is loaded
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Created attachment 236590
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=236590&action=edit
Inject a packet that causes a kernel page fault if ipfilter is loaded.

If ipfilter is loaded, and a packet arrives with IP hlen = 20 bytes (the
default), IP packet len = 67 bytes, and TCP th_off = 48 bytes, ipf_pullup()
will call m_pullup(len=68), which fails and causes ipf_pullup() to free the
mbuf and zero out the mbuf pointer in *fin->fin_mp. But the information that
the packet was discarded is lost because ipf_pr_ipv4hdr() does not return an
error to ipf_makefrip(). So the calling code thinks everything is OK,
ip_tryforward() sees PFIL_PASS and uses m = *fin->fin_mp, and it crashes.

Error indications should probably be made to flow up from ipf_pullup()
through ipf_pr_ipv4hdr() to ipf_makefrip(), so that callers know not to try
to use the freed mbuf.

I've attached a demo:

# cc -o pf7a pf7a.c
# ./pf7a
...
panic: Fatal page fault at 0xffffffc000488f14: 0x0000000000001d
panic() at panic+0x2a
page_fault_handler() at page_fault_handler+0x1d6
do_trap_supervisor() at do_trap_supervisor+0x76
cpu_exception_handler_supervisor() at cpu_exception_handler_supervisor+0x70
--- exception 13, tval = 0x1d
ip_tryforward() at ip_tryforward+0x278
ip_input() at ip_input+0x356
netisr_dispatch_src() at netisr_dispatch_src+0xca
netisr_dispatch() at netisr_dispatch+0x10
tunwrite_l3() at tunwrite_l3+0x182
tunwrite() at tunwrite+0x128
devfs_write_f() at devfs_write_f+0xa6
fo_write() at fo_write+0xa
dofilewrite() at dofilewrite+0x66
kern_writev() at kern_writev+0x40
sys_write() at sys_write+0x54
syscallenter() at syscallenter+0xec
ecall_handler() at ecall_handler+0x18
do_trap_user() at do_trap_user+0xea
cpu_exception_handler_user() at cpu_exception_handler_user+0x72

Here's the call chain at the point where m_pullup() fails:

ipf_pullup() at ipf_pullup+0x182
ipf_pr_pullup() at ipf_pr_pullup+0x5c
ipf_pr_tcpcommon() at ipf_pr_tcpcommon+0x28e
ipf_pr_tcp() at ipf_pr_tcp+0x46
ipf_pr_ipv4hdr() at ipf_pr_ipv4hdr+0x220
ipf_makefrip() at ipf_makefrip+0x60
ipf_check() at ipf_check+0x142
ipf_check_wrapper() at ipf_check_wrapper+0x88
pfil_mbuf_in() at pfil_mbuf_in+0x58
ip_tryforward() at ip_tryforward+0x1c0
ip_input() at ip_input+0x356
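As an added illustration, not part of the report or of the ipfilter sources: a small C model of the ownership bug described in the report, with the buggy shape (the header parser discarding the pullup result) beside the fix the reporter proposes (the error flowing up to the caller). The struct and the *_model/pr_ipv4hdr_* names are simplified stand-ins chosen here, not the kernel's APIs; the mbuf is a single contiguous buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Toy stand-in for an mbuf: one contiguous buffer of pkt_len bytes. */
struct mbuf { size_t pkt_len; unsigned char *data; };

static void m_free_model(struct mbuf *m) { if (m) { free(m->data); free(m); } }

/* Stand-in for m_pullup(): like the real one, it frees the mbuf and
 * returns NULL when fewer than len bytes are available. */
static struct mbuf *m_pullup_model(struct mbuf *m, size_t len) {
    if (len > m->pkt_len) { m_free_model(m); return NULL; }
    return m;
}

/* Models ipf_pullup(): on failure the mbuf is gone and *mp is zeroed.
 * Returns 0 on success, -1 on failure. */
static int ipf_pullup_model(struct mbuf **mp, size_t len) {
    struct mbuf *m = m_pullup_model(*mp, len);
    *mp = m;
    return m ? 0 : -1;
}

/* Buggy shape from the report: the header parser discards the pullup
 * result, so its caller cannot tell that the mbuf was freed. */
static int pr_ipv4hdr_buggy(struct mbuf **mp, size_t need) {
    (void)ipf_pullup_model(mp, need);
    return 0;                       /* always "no error" */
}

/* Fixed shape: the pullup failure propagates to the caller. */
static int pr_ipv4hdr_fixed(struct mbuf **mp, size_t need) {
    return ipf_pullup_model(mp, need);
}

/* Models ipf_makefrip()/ipf_check() plus the forwarding path: the verdict
 * is PASS unless the parser reported an error, and on PASS the caller goes
 * on to use *fin->fin_mp. Returns true when that use would dereference a
 * NULL mbuf pointer, i.e. the crash condition in the report. */
static bool caller_would_crash(bool fixed, size_t ip_len, size_t hlen, size_t th_off) {
    struct mbuf *m = malloc(sizeof *m);
    m->pkt_len = ip_len;
    m->data = calloc(ip_len, 1);    /* constructed packet body, contents irrelevant */
    size_t need = hlen + th_off;    /* 20 + 48 = 68 > 67 in the report */
    int err = fixed ? pr_ipv4hdr_fixed(&m, need) : pr_ipv4hdr_buggy(&m, need);
    bool pass = (err == 0);
    bool crash = pass && (m == NULL);
    m_free_model(m);
    return crash;
}
```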