NetBSD Problem Report #48109

From t-hash@abox3.so-net.ne.jp  Wed Aug  7 23:18:39 2013
Return-Path: <t-hash@abox3.so-net.ne.jp>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 24A2C705FB
	for <gnats-bugs@gnats.NetBSD.org>; Wed,  7 Aug 2013 23:18:39 +0000 (UTC)
Message-Id: <201308072149.r77LnZfm000875@ms-omx11.plus.so-net.ne.jp>
Date: Thu, 08 Aug 2013 06:49:35 +0900
From: Takahiro HAYASHI <t-hash@abox3.so-net.ne.jp>
To: gnats-bugs@gnats.NetBSD.org
Subject: ipf: mixed directions in same group rules may cause panic

>Number:         48109
>Category:       kern
>Synopsis:       ipf: mixed directions in same group rules may cause panic
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Aug 07 23:20:00 +0000 2013
>Closed-Date:    Tue Apr 14 13:18:58 +0000 2015
>Last-Modified:  Tue Apr 14 13:18:58 +0000 2015
>Originator:     Takahiro HAYASHI
>Release:        NetBSD 6.99.22
>Organization:
>Environment:
System: NetBSD  6.99.22 NetBSD 6.99.22 (UNION) #0: Sat Jun 29 14:27:03 JST 2013  root@halt:/usr/build2/obj.i386/sys/arch/i386/compile/UNION i386
Architecture: i386
Machine: i386
>Description:

The kernel may panic when the direction of the group rules being added
does not match the direction of the head rule.
In other words, the kernel panics when ipfilter cannot find the same
group with the same direction as the rule to be added.

For example, the following rules cause the following panic.

> block in all head 100
> pass out all group 100

uvm_fault(0xc1225d40, 0, 1) -> 0xe
fatal page fault in supervisor mode
trap type 6 code 0 eip c019e663 cs 8 eflags 10282 cr2 10 ilevel 0 esp c04a1600
curlwp 0xc12132a0 pid 5 lid 1 lowest kstack 0xd7c22000
kernel: supervisor trap page fault, code=0
Stopped in pid 5.1 (ipf) at     netbsd:frrequest+0x3df: movl    10(%ebx),%edx
db{0}> bt
frrequest(c04a1600,0,8034723c,d7c23c58,0,1,c123d000,2,d7c237bc,d7c236c8) at netbsd:frrequest+0x3df
ipf_ipf_ioctl(c04a1600,d7c23c58,8034723c,3,0,c12132a0,c12132a0,c12132a0,2c00,0) at netbsd:ipf_ipf_ioctl+0x60a
ipfioctl(2c00,0,8034723c,d7c23c58,3,c12132a0,c043f900,c12132a0,d7c23c58,8034723c) at netbsd:ipfioctl+0x99
cdev_ioctl(2c00,0,8034723c,d7c23c58,3,c12132a0,2c00,c127edc8,c126bec0,8034723c) at netbsd:cdev_ioctl+0x9a
spec_ioctl(d7c23b34,5,c0f06c90,c04500d0,c127edc8,8034723c,d7c23c58,3,c0f19f00,c127edc8) at netbsd:spec_ioctl+0xdd
VOP_IOCTL(c127edc8,8034723c,d7c23c58,3,c0f19f00,c03ed294,d7c23b7c,1,0,c0450394) at netbsd:VOP_IOCTL+0x3e
vn_ioctl(c126bec0,8034723c,d7c23c58,c03ed2fb,d7c23c34,c1272f24,d7c23c88,c04503b8,34,0) at netbsd:vn_ioctl+0x68
sys_ioctl(c12132a0,d7c23d00,d7c23d28,d7c23d00,36,4,8034723c,bfbfed14,bfbfecd8,ffffffff) at netbsd:sys_ioctl+0x1b2
syscall() at netbsd:syscall+0x86
--- syscall (number 54) ---
bbb61467:

>How-To-Repeat:

ipf -E
ipf -Fa -f - << _EOF_
block in all head 100
pass out all group 100
_EOF_

>Fix:
	Check for the null dereference.

Index: src/sys/external/bsd/ipf/netinet/fil.c
===================================================================
RCS file: /cvsroot/src/sys/external/bsd/ipf/netinet/fil.c,v
retrieving revision 1.8
diff -u -p -r1.8 fil.c
--- src/sys/external/bsd/ipf/netinet/fil.c	9 Jan 2013 13:23:20 -0000	1.8
+++ src/sys/external/bsd/ipf/netinet/fil.c	3 Aug 2013 16:14:45 -0000
@@ -4487,6 +4487,11 @@ frrequest(ipf_main_softc_t *softc, int u
 			if (addrem == 0) {
 				fg = ipf_group_add(softc, group, NULL,
 						   fp->fr_flags, unit, set);
+				if (fg == NULL) {
+					IPFERROR(152);
+					error = ESRCH;
+					goto donenolock;
+				}
 				fp->fr_grp = fg;
 			} else {
 				fg = ipf_findgroup(softc, group, unit,
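Review bot: the new `if (fg == NULL)` branch uses IPFERROR(152), but this diff registers no such entry in the ipf error table (the diff only touches fil.c), so until the matching entry exists ipf(8) can only report the failure as a bare ESRCH; the commit recorded in the audit trail adds exactly that registration in interror.c, and it is worth confirming that 152 was not already taken there. Two things the hunk does not show should also be checked: that `goto donenolock` is the right exit at this point, i.e. no lock is held when ipf_group_add fails, and that the label releases whatever frrequest allocated before the call rather than leaking it. ESRCH itself matches the reported cause (the named group exists only for the other direction, so no matching group is found), and the early return turns a kernel page fault into a rule-load error the administrator sees.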

--
t-hash
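An added example, not part of this PR or of ipf itself: a shell function that lints an ipf ruleset before it is loaded, flagging any `group N` rule whose `in`/`out` direction differs from that of its `head N` rule, which is the mismatch reproduced in How-To-Repeat above. It assumes rules use the plain `in`/`out` keyword and that the head or group name is the token following `head`/`group`; it only reads the file, so it is safe to run on a system with or without the fix.

```shell
# check_ipf_groups FILE: exit 0 when every "group N" rule has a "head N"
# rule with the same direction, exit 1 (and print each offender) otherwise.
check_ipf_groups() {
    awk '
    # skip blank lines and comments
    /^[ \t]*(#|$)/ { next }
    {
        dir = ""
        # the direction is the "in" or "out" keyword that follows the action
        for (i = 1; i <= NF; i++)
            if ($i == "in" || $i == "out") { dir = $i; break }
        for (i = 1; i < NF; i++) {
            # a rule may carry both "head" and "group"; record each
            if ($i == "head")  head[$(i + 1)] = dir
            if ($i == "group") { grp[NR] = $(i + 1); gdir[NR] = dir; text[NR] = $0 }
        }
    }
    END {
        bad = 0
        for (n in grp) {
            g = grp[n]
            if (!(g in head)) {
                printf("line %d: group %s has no head rule: %s\n", n, g, text[n])
                bad++
            } else if (head[g] != gdir[n]) {
                printf("line %d: group %s is \"%s\" but its head rule is \"%s\": %s\n",
                       n, g, gdir[n], head[g], text[n])
                bad++
            }
        }
        exit (bad > 0)
    }' "$@"
}

# typical use: refuse to load a ruleset that fails the check
# check_ipf_groups /etc/ipf.conf && ipf -Fa -f /etc/ipf.conf
```

Run against the two rules from How-To-Repeat the function reports `group 100 is "out" but its head rule is "in"` and exits 1.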

>Release-Note:

>Audit-Trail:
From: "Pierre Pronchery" <khorben@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/48109 CVS commit: src
Date: Thu, 2 Apr 2015 00:12:58 +0000

 Module Name:	src
 Committed By:	khorben
 Date:		Thu Apr  2 00:12:58 UTC 2015

 Modified Files:
 	src/external/bsd/ipf/dist/lib: interror.c
 	src/sys/external/bsd/ipf/netinet: fil.c

 Log Message:
 Fix for PR kern/48109 (and its duplicate kern/49807)

 As provided by Takahiro HAYASHI in PR kern/48109. Additional error
 registration in ipf(8) by myself. Changes tested with GENERIC and
 XEN3_DOM0. Thanks!

 XXX pull-up netbsd-7


 To generate a diff of this commit:
 cvs rdiff -u -r1.3 -r1.4 src/external/bsd/ipf/dist/lib/interror.c
 cvs rdiff -u -r1.15 -r1.16 src/sys/external/bsd/ipf/netinet/fil.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->pending-pullups
State-Changed-By: khorben@NetBSD.org
State-Changed-When: Thu, 02 Apr 2015 00:20:14 +0000
State-Changed-Why:
Patch committed, thank you!


From: "Soren Jacobsen" <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/48109 CVS commit: [netbsd-7] src
Date: Fri, 10 Apr 2015 20:26:47 +0000

 Module Name:	src
 Committed By:	snj
 Date:		Fri Apr 10 20:26:47 UTC 2015

 Modified Files:
 	src/external/bsd/ipf/dist/lib [netbsd-7]: interror.c
 	src/sys/external/bsd/ipf/netinet [netbsd-7]: fil.c

 Log Message:
 Pull up following revision(s) (requested by khorben in ticket #671):
 	external/bsd/ipf/dist/lib/interror.c: revision 1.4
 	sys/external/bsd/ipf/netinet/fil.c: revision 1.16
 Fix for PR kern/48109 (and its duplicate kern/49807)
 As provided by Takahiro HAYASHI in PR kern/48109. Additional error
 registration in ipf(8) by myself. Changes tested with GENERIC and
 XEN3_DOM0. Thanks!


 To generate a diff of this commit:
 cvs rdiff -u -r1.3 -r1.3.6.1 src/external/bsd/ipf/dist/lib/interror.c
 cvs rdiff -u -r1.15 -r1.15.2.1 src/sys/external/bsd/ipf/netinet/fil.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: Takahiro HAYASHI <t.hash425@gmail.com>
To: gnats-bugs@NetBSD.org, kern-bug-people@netbsd.org, 
 netbsd-bugs@netbsd.org
Cc: 
Subject: Re: PR/48109 CVS commit: [netbsd-7] src
Date: Tue, 14 Apr 2015 17:51:25 +0900

 Thank you for fixing problem!

 On 2015/04/11 05:30, Soren Jacobsen wrote:
 > From: "Soren Jacobsen" <snj@netbsd.org>
 > To: gnats-bugs@gnats.NetBSD.org
 > Cc:
 > Subject: PR/48109 CVS commit: [netbsd-7] src
 > Date: Fri, 10 Apr 2015 20:26:47 +0000
 >
 >   Module Name:	src
 >   Committed By:	snj
 >   Date:		Fri Apr 10 20:26:47 UTC 2015
 >
 >   Modified Files:
 >   	src/external/bsd/ipf/dist/lib [netbsd-7]: interror.c
 >   	src/sys/external/bsd/ipf/netinet [netbsd-7]: fil.c
 >
 >   Log Message:
 >   Pull up following revision(s) (requested by khorben in ticket #671):
 >   	external/bsd/ipf/dist/lib/interror.c: revision 1.4
 >   	sys/external/bsd/ipf/netinet/fil.c: revision 1.16
 >   Fix for PR kern/48109 (and its duplicate kern/49807)
 >   As provided by Takahiro HAYASHI in PR kern/48109. Additional error
 >   registration in ipf(8) by myself. Changes tested with GENERIC and
 >   XEN3_DOM0. Thanks!


 -- 
 t-hash

State-Changed-From-To: pending-pullups->closed
State-Changed-By: msaitoh@NetBSD.org
State-Changed-When: Tue, 14 Apr 2015 13:18:58 +0000
State-Changed-Why:
Pulled up.
Thanks.


>Unformatted:
