Date: Sun, 12 Sep 2004 12:06:27 -0700 (PDT) From: Brian Buchanan <bwb@holo.org> To: freebsd-gnats-submit@FreeBSD.org Subject: kern/71677: MAC Biba / IPFW panic Message-ID: <20040912112934.W620@thought.holo.org> Resent-Message-ID: <200409121910.i8CJAB8L020994@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 71677 >Category: kern >Synopsis: MAC Biba / IPFW panic >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Sun Sep 12 19:10:11 GMT 2004 >Closed-Date: >Last-Modified: >Originator: Brian Buchanan >Release: FreeBSD 5.3-BETA2 i386 >Organization: >Environment: System: FreeBSD thought.holo.org 5.3-BETA2 FreeBSD 5.3-BETA2 #2: Sat Sep 11 19:21:14 PDT 2004 root@thought.holo.org:/usr/src/sys/i386/compile/THOUGHT i386 >Description: When the Biba MAC policy is loaded and IPFW is configured to send a RST in response to certain TCP packets, the system will panic when it receives a packet that triggers such an IPFW rule. panic: mac_biba_dominate_element: a->mbe_type invalid KDB: enter: panic [thread 100038] Stopped at kdb_enter+0x30: leave db> tr kdb_enter(c06d2398,c0729be0,c08a2bb4,d542c930,0) at kdb_enter+0x30 panic(c08a2bb4,c1f771c4,0,c197be70,d542c958) at panic+0xcc mac_biba_dominate_element(c1f771c4,c197be98,c08a3580,0,c1a63800) at mac_biba_dominate_element+0x12d mac_biba_effective_in_range(c1f771c0,c197be70,d542c994,c0607fdd,c1a63800) at mac_biba_effective_in_range+0x3f mac_biba_check_ifnet_transmit(c1a63800,c197a604,c1c80600,c1e18550,0) at mac_biba_check_ifnet_transmit+0x34 mac_check_ifnet_transmit(c1a63800,c1c80600,0,0,0) at mac_check_ifnet_transmit+0xad ether_output(c1a63800,c1c80600,c1b9d990,c1e199cc,c1e18540) at ether_output+0x32 ip_output(c1c80600,0,d542ca2c,0,0) at ip_output+0x9c0 send_pkt(d542cc0c,78f13960,0,6,3c2) at send_pkt+0x19a send_reject(d542cbf4,100,0,30,1) at send_reject+0xb1 ipfw_chk(d542cbf4,0,f,0,c1dcae00) at ipfw_chk+0x12e3 ipfw_check_in(0,d542cc48,c1a63800,1,0) at ipfw_check_in+0x88 pfil_run_hooks(c0730ea0,d542cc90,c1a63800,1,20a000a) at pfil_run_hooks+0xf7 ip_input(c1dcae00,c19cb6e0,0,d0cf11b1,dad35cd4) at ip_input+0x24e netisr_processqueue(c072eb78,2f5,532c9cdd,d971c9c8,0) at netisr_processqueue+0xc9 swi_net(0,0,0,0,0) at swi_net+0xca ithread_loop(c19e4280,d542cd48,0,0,0) at ithread_loop+0x1a8 fork_exit(c04b1ef0,c19e4280,d542cd48) at fork_exit+0x80 fork_trampoline() at fork_trampoline+0x8 --- trap 0x1, eip = 0, esp = 0xd542cd7c, ebp = 0 --- >How-To-Repeat: Compile "options MAC" into the kernel. Set mac_biba_load="YES" in loader.conf and reboot the system. Configure the MAC label on an Ethernet interface to "biba/equal(equal-equal)" Create an IPFW rule with the "reset" action to be invoked for packets destined to some TCP port. >From a remote machine, send a packet to the TCP port configured above. >Fix: The fix is probably to create MAC labels for packets sent by IPFW. In the case of reset packets this looks easy enough, but I'm not sure what to do about the keepalive packets sent in ipfw_tick(). Perhaps the ipfw_dyn_rule needs a label? >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040912112934.W620>