From owner-freebsd-pf@freebsd.org  Tue Mar  9 10:05:47 2021
Return-Path: <owner-freebsd-pf@freebsd.org>
Delivered-To: freebsd-pf@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 28A28573135
 for <freebsd-pf@mailman.nyi.freebsd.org>; Tue,  9 Mar 2021 10:05:47 +0000 (UTC)
 (envelope-from patfbsd@davenulle.org)
Received: from sender4-of-o58.zoho.com (sender4-of-o58.zoho.com
 [136.143.188.58])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 4DvrSV1tHqz3j2v
 for <freebsd-pf@freebsd.org>; Tue,  9 Mar 2021 10:05:45 +0000 (UTC)
 (envelope-from patfbsd@davenulle.org)
ARC-Seal: i=1; a=rsa-sha256; t=1615284341; cv=none; 
 d=zohomail.com; s=zohoarc; 
 b=KFgcAuylXUNtmf/ya/1DVje6gM11pOb/167N6pok211uG1CU4GwPVb3YbxtQSW5oYFWs3q9LeAQMTrme824jGNqO+w6SqraaaxcakeEEpOXDBozrCzd4cga2+MesvcICZosM7zG6ir7E0T2fwycu+FMBjfsCEiwCiGDt+DIeauk=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc; t=1615284341;
 h=Content-Type:Content-Transfer-Encoding:Date:From:MIME-Version:Message-ID:Subject:To;
 bh=q7wM5mI2xIai2S+pnKkZvyi+kcyeNw13wmWofS9oEgw=; 
 b=mmAEMUeUZWuSzy2WI4nv9ZgEaUGIIyY3fvaRU1UqjoHqb5K3DKrSF27uoPg66hgsgBForS5JLSEPJIwO1YBXofKGfKARWcWdIE+7XD3r7LKBh0s+sxo2aNaBIdVjqe+PGy8m529CIMHr+WJd5mpgGehE1wfd/UigGXDHgeA+SYg=
ARC-Authentication-Results: i=1; mx.zohomail.com;
 spf=pass  smtp.mailfrom=patfbsd@davenulle.org;
 dmarc=pass header.from=<patfbsd@davenulle.org>
 header.from=<patfbsd@davenulle.org>
Received: from mr185033.univ-rennes1.fr (mr185033.univ-rennes1.fr
 [129.20.185.33]) by mx.zohomail.com
 with SMTPS id 1615284338303770.2083207884294;
 Tue, 9 Mar 2021 02:05:38 -0800 (PST)
Date: Tue, 9 Mar 2021 11:05:30 +0100
From: Patrick Lamaiziere <patfbsd@davenulle.org>
To: freebsd-pf@freebsd.org
Subject: pfctl segmentation fault in pfctl_optimize.c
Message-ID: <20210309110530.63834499@mr185033.univ-rennes1.fr>
X-Mailer: Claws Mail 3.16.0 (GTK+ 2.24.32; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-ZohoMailClient: External
X-Rspamd-Queue-Id: 4DvrSV1tHqz3j2v
X-Spamd-Bar: ----
Authentication-Results: mx1.freebsd.org; dkim=none;
 arc=pass (zohomail.com:s=zohoarc:i=1); dmarc=none;
 spf=none (mx1.freebsd.org: domain of patfbsd@davenulle.org has no SPF policy
 when checking 136.143.188.58) smtp.mailfrom=patfbsd@davenulle.org
X-Spamd-Result: default: False [-4.10 / 15.00];
 NEURAL_HAM_MEDIUM(-1.00)[-1.000];
 RWL_MAILSPIKE_VERYGOOD(0.00)[136.143.188.58:from];
 ARC_ALLOW(-1.00)[zohomail.com:s=zohoarc:i=1];
 FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[];
 NEURAL_HAM_LONG(-1.00)[-1.000]; MIME_GOOD(-0.10)[text/plain];
 TO_DN_NONE(0.00)[]; DMARC_NA(0.00)[davenulle.org];
 RCPT_COUNT_ONE(0.00)[1]; NEURAL_HAM_SHORT(-1.00)[-1.000];
 RCVD_IN_DNSWL_NONE(0.00)[136.143.188.58:from];
 R_SPF_NA(0.00)[no SPF record]; FROM_EQ_ENVFROM(0.00)[];
 RCVD_TLS_LAST(0.00)[]; R_DKIM_NA(0.00)[];
 ASN(0.00)[asn:2639, ipnet:136.143.188.0/23, country:US];
 MIME_TRACE(0.00)[0:+]; MAILMAN_DEST(0.00)[freebsd-pf];
 RCVD_COUNT_TWO(0.00)[2]
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
 \(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf/>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Mar 2021 10:05:47 -0000

Hello,

FreeBSD 11.4-RELEASE-p3 / amd64

Yesterday while loading a ruleset, pfctl core dumped with a
segmentation fault (see gdb below)

We are recently using some big tables so may be this is what triggered the problem (?), i can't reproduce this.

I've found something on tech@openbsd.org that looks closely related:
https://www.mail-archive.com/tech@openbsd.org/msg42870.html

Thanks, regards.

# gdb /sbin/pfctl
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...
(gdb) core /home/adminsys/pfctl.core 
Core was generated by `/sbin/pfctl -f /etc/pf.conf'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libm.so.5...Reading symbols from /usr/lib/debug//lib/libm.so.5.debug...done.
done.
Loaded symbols for /lib/libm.so.5
Reading symbols from /lib/libmd.so.6...Reading symbols from /usr/lib/debug//lib/libmd.so.6.debug...done.
done.
Loaded symbols for /lib/libmd.so.6
Reading symbols from /lib/libc.so.7...Reading symbols from /usr/lib/debug//lib/libc.so.7.debug...done.
done.
Loaded symbols for /lib/libc.so.7
Reading symbols from /libexec/ld-elf.so.1...Reading symbols from /usr/lib/debug//libexec/ld-elf.so.1.debug...done.
done.
Loaded symbols for /libexec/ld-elf.so.1
#0  0x0000000800d6bf4d in ifree (ptr=0x801452fc0, tcache=0x80140d000, slow_path=<value optimized out>)
    at src/contrib/jemalloc/include/jemalloc/internal/tcache.h:415
415		if (unlikely(tbin->ncached == tbin_info->ncached_max)) {
Current language:  auto; currently minimal
(gdb) bt
#0  0x0000000800d6bf4d in ifree (ptr=0x801452fc0, tcache=0x80140d000, slow_path=<value optimized out>)
    at src/contrib/jemalloc/include/jemalloc/internal/tcache.h:415
#1  0x0000000800d6bdb1 in __free (ptr=0x801452fc0) at src/contrib/jemalloc/include/jemalloc/internal/tsd.h:716
#2  0x0000000000425345 in superblock_free (pf=0x7fffffffdd60, block=0x80149b600) at /usr/src/sbin/pfctl/pfctl_optimize.c:1647
#3  0x0000000000424b1f in pfctl_optimize_ruleset (pf=0x7fffffffdd60, rs=0x801458490) at /usr/src/sbin/pfctl/pfctl_optimize.c:357
#4  0x000000000040572c in pfctl_load_ruleset (pf=0x7fffffffdd60, path=<value optimized out>, rs=0x801458490, rs_num=1, depth=0)
    at /usr/src/sbin/pfctl/pfctl.c:1396
#5  0x0000000000405ffd in pfctl_rules (dev=3, filename=0x7fffffffee6f "/etc/pf.conf", opts=0, optimize=<value optimized out>, 
    anchorname=0x7fffffffe600 "", trans=0x0) at /usr/src/sbin/pfctl/pfctl.c:1594
#6  0x000000000040856f in main (argc=<value optimized out>, argv=<value optimized out>) at /usr/src/sbin/pfctl/pfctl.c:2475
#7  0x000000000040251b in _start ()
#8  0x0000000800667000 in ?? ()
#9  0x0000000000000000 in ?? ()
(gdb) frame 2
#2  0x0000000000425345 in superblock_free (pf=0x7fffffffdd60, block=0x80149b600) at /usr/src/sbin/pfctl/pfctl_optimize.c:1647
warning: Source file is more recent than executable.

1647				free(por->por_dst_tbl);