Date:      Thu, 22 Jun 2023 22:10:41 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 272153] [pf] [pfsync] Incomplete state sync causing null pointer dereference
Message-ID:  <bug-272153-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272153

            Bug ID: 272153
           Summary: [pf] [pfsync] Incomplete state sync causing null
                    pointer dereference
           Product: Base System
           Version: 13.1-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: adam.stradtner@gmail.com

I have a pair of OPNsense firewalls, based on FreeBSD 13.1. They are configured
as an HA pair with state synchronization via pfsync. I am experiencing random
crashes stating:

Fatal trap 12: page fault while in kernel mode
cpuid = 3; apic id = 06
fault virtual address   = 0x0
fault code      = supervisor read data, page not present

One of the OPNsense maintainers looked at a core dump and found this cause
being a null pointer dereference:

#17 0xffffffff8237ed0f in pf_test_state_udp (state=<optimized out>,
state@entry=0xfffffe001099b828,
    direction=<optimized out>, kif=<optimized out>,
kif@entry=0xfffff800245b3a00, m=m@entry=0xfffff801e9409800,
    off=20, h=<optimized out>, pd=pd@entry=0xfffffe001099b758) at
/usr/src/sys/netpfil/pf/pf.c:5086
5086         if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af) ||
(kgdb) list
5081
5082      /* translate source/destination address, if necessary */
5083      if ((*state)->key[PF_SK_WIRE] != (*state)->key[PF_SK_STACK]) {
5084         struct pf_state_key *nk = (*state)->key[pd->didx];
5085
5086         if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af) ||
5087             nk->port[pd->sidx] != uh->uh_sport)
5088            pf_change_ap(m, pd->src, &uh->uh_sport, pd->ip_sum,
5089                &uh->uh_sum, &nk->addr[pd->sidx],
5090                nk->port[pd->sidx], 1, pd->af);
(kgdb) p nk
$10 = (struct pf_state_key *) 0x0

I subsequently disabled pfsync and that has resolved my crashes. It appears the
state sync is bringing invalid states with it, which eventually causes a kernel
panic.

-- 
You are receiving this mail because:
You are the assignee for the bug.
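The kgdb listing above shows why the fault address is 0x0: once key[PF_SK_WIRE] differs from key[PF_SK_STACK], the code indexes key[pd->didx] and dereferences it without checking for NULL, and a NULL stack-side key satisfies the inequality just as a real NAT key does. The following is an added illustration written for this page, not code from the bug report, from FreeBSD's pf or from OPNsense: a reduced C model of that translation block (pf.c lines 5083-5090 as quoted) with a NULL guard on nk, plus a completeness check of the kind one could apply to a state before trusting it. The types pf_kstate_model and udp_pdesc, the functions translate_udp_source, state_keys_complete, demo_complete_state and demo_incomplete_state, and the addresses and ports are all hypothetical; the "incomplete state" scenario models the reporter's hypothesis, not an observed pfsync message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added illustration, not FreeBSD's pf code: a reduced model of the
 * translation block quoted from pf_test_state_udp(). All names below
 * that do not appear in the bug report are hypothetical.
 */

enum { PF_SK_WIRE = 0, PF_SK_STACK = 1 };   /* indices into key[] */

struct pf_state_key {
	uint32_t addr[2];   /* IPv4 addresses, indexed by pd->sidx / pd->didx */
	uint16_t port[2];
};

/* A NAT state carries two distinct keys; a non-NAT state points both slots at one key. */
struct pf_kstate_model {
	struct pf_state_key *key[2];
};

/* The parts of the packet descriptor the translation block reads. */
struct udp_pdesc {
	uint32_t src;
	uint16_t sport;
	int sidx;   /* 0 for inbound, 1 for outbound, as in pf */
	int didx;   /* the opposite of sidx */
};

enum xlat_result {
	XLAT_NONE = 0,        /* nothing to translate */
	XLAT_APPLIED = 1,     /* source rewritten from the stack-side key */
	XLAT_INCOMPLETE = 2   /* a key slot is NULL: the case that panics unguarded */
};

/* Check a synced state before trusting it: both key slots must be populated. */
int state_keys_complete(const struct pf_kstate_model *s)
{
	return s->key[PF_SK_WIRE] != NULL && s->key[PF_SK_STACK] != NULL;
}

/* Mirror of the quoted block, with the NULL check on nk that the original lacks. */
enum xlat_result translate_udp_source(struct pf_kstate_model *s, struct udp_pdesc *pd)
{
	if (s->key[PF_SK_WIRE] == s->key[PF_SK_STACK])
		return XLAT_NONE;

	struct pf_state_key *nk = s->key[pd->didx];
	if (nk == NULL)   /* WIRE != STACK is also true when one slot is NULL */
		return XLAT_INCOMPLETE;

	if (pd->src != nk->addr[pd->sidx] || pd->sport != nk->port[pd->sidx]) {
		pd->src = nk->addr[pd->sidx];
		pd->sport = nk->port[pd->sidx];
		return XLAT_APPLIED;
	}
	return XLAT_NONE;
}

/* Constructed inbound packet: 10.0.0.1:40000 -> 192.168.0.1:53, so sidx 0 / didx 1. */
static struct udp_pdesc inbound_pkt(void)
{
	struct udp_pdesc pd = { 0x0a000001u, 40000, 0, 1 };
	return pd;
}

/* Constructed keys: wire side sees 10.0.0.1:40000, stack side expects 192.168.1.1:40001. */
static struct pf_state_key wire_key  = { { 0x0a000001u, 0xc0a80001u }, { 40000, 53 } };
static struct pf_state_key stack_key = { { 0xc0a80101u, 0xc0a80001u }, { 40001, 53 } };

/* Fully populated NAT state: the translation is applied. */
enum xlat_result demo_complete_state(uint32_t *src_out)
{
	struct pf_kstate_model s = { { &wire_key, &stack_key } };
	struct udp_pdesc pd = inbound_pkt();
	enum xlat_result r = translate_udp_source(&s, &pd);
	if (src_out) *src_out = pd.src;
	return r;
}

/* Hypothetical incomplete state: the stack-side key was never filled in. */
enum xlat_result demo_incomplete_state(uint32_t *src_out)
{
	struct pf_kstate_model s = { { &wire_key, NULL } };
	struct udp_pdesc pd = inbound_pkt();
	enum xlat_result r = translate_udp_source(&s, &pd);
	if (src_out) *src_out = pd.src;   /* left untouched instead of faulting on 0x0 */
	return r;
}

int main(void)
{
	uint32_t src = 0;
	printf("complete state:   result %d, src 0x%08x\n", demo_complete_state(&src), src);
	printf("incomplete state: result %d, src 0x%08x\n", demo_incomplete_state(&src), src);
	struct pf_kstate_model bad = { { &wire_key, NULL } };
	printf("keys complete? %d\n", state_keys_complete(&bad));
	return 0;
}
```

The guard in translate_udp_source only stops the dereference; it says nothing about whether a half-populated state should be kept at all. The state_keys_complete check is where a practitioner would want to reject or quarantine such a state when it arrives over the sync channel, before it can reach the forwarding path.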
