NetBSD-Bugs archive


kern/48109: ipf: mixed directions in same group rules may cause panic



>Number:         48109
>Category:       kern
>Synopsis:       ipf: mixed directions in same group rules may cause panic
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Aug 07 23:20:00 +0000 2013
>Originator:     Takahiro HAYASHI
>Release:        NetBSD 6.99.22
>Organization:
>Environment:
System: NetBSD  6.99.22 NetBSD 6.99.22 (UNION) #0: Sat Jun 29 14:27:03 JST 2013 
 root@halt:/usr/build2/obj.i386/sys/arch/i386/compile/UNION i386
Architecture: i386
Machine: i386
>Description:

The kernel may panic when the direction of group rules to be added
does not match the direction of the head rule.
In other words, the kernel panics when ipfilter cannot find a group
with the same direction as the rule to be added.

For example, the following rules cause the following panic.

> block in all head 100
> pass out all group 100

uvm_fault(0xc1225d40, 0, 1) -> 0xe
fatal page fault in supervisor mode
trap type 6 code 0 eip c019e663 cs 8 eflags 10282 cr2 10 ilevel 0 esp c04a1600
curlwp 0xc12132a0 pid 5 lid 1 lowest kstack 0xd7c22000
kernel: supervisor trap page fault, code=0
Stopped in pid 5.1 (ipf) at     netbsd:frrequest+0x3df: movl    10(%ebx),%edx
db{0}> bt
frrequest(c04a1600,0,8034723c,d7c23c58,0,1,c123d000,2,d7c237bc,d7c236c8) at netbsd:frrequest+0x3df
ipf_ipf_ioctl(c04a1600,d7c23c58,8034723c,3,0,c12132a0,c12132a0,c12132a0,2c00,0) at netbsd:ipf_ipf_ioctl+0x60a
ipfioctl(2c00,0,8034723c,d7c23c58,3,c12132a0,c043f900,c12132a0,d7c23c58,8034723c) at netbsd:ipfioctl+0x99
cdev_ioctl(2c00,0,8034723c,d7c23c58,3,c12132a0,2c00,c127edc8,c126bec0,8034723c) at netbsd:cdev_ioctl+0x9a
spec_ioctl(d7c23b34,5,c0f06c90,c04500d0,c127edc8,8034723c,d7c23c58,3,c0f19f00,c127edc8) at netbsd:spec_ioctl+0xdd
VOP_IOCTL(c127edc8,8034723c,d7c23c58,3,c0f19f00,c03ed294,d7c23b7c,1,0,c0450394) at netbsd:VOP_IOCTL+0x3e
vn_ioctl(c126bec0,8034723c,d7c23c58,c03ed2fb,d7c23c34,c1272f24,d7c23c88,c04503b8,34,0) at netbsd:vn_ioctl+0x68
sys_ioctl(c12132a0,d7c23d00,d7c23d28,d7c23d00,36,4,8034723c,bfbfed14,bfbfecd8,ffffffff) at netbsd:sys_ioctl+0x1b2
syscall() at netbsd:syscall+0x86
--- syscall (number 54) ---
bbb61467:

>How-To-Repeat:

ipf -E
ipf -Fa -f - << _EOF_
block in all head 100
pass out all group 100
_EOF_

>Fix:
        check null dereference.

Index: src/sys/external/bsd/ipf/netinet/fil.c
===================================================================
RCS file: /cvsroot/src/sys/external/bsd/ipf/netinet/fil.c,v
retrieving revision 1.8
diff -u -p -r1.8 fil.c
--- src/sys/external/bsd/ipf/netinet/fil.c      9 Jan 2013 13:23:20 -0000       1.8
+++ src/sys/external/bsd/ipf/netinet/fil.c      3 Aug 2013 16:14:45 -0000
@@ -4487,6 +4487,11 @@ frrequest(ipf_main_softc_t *softc, int u
                        if (addrem == 0) {
                                fg = ipf_group_add(softc, group, NULL,
                                                   fp->fr_flags, unit, set);
+                               if (fg == NULL) {
+                                       IPFERROR(152);
+                                       error = ESRCH;
+                                       goto donenolock;
+                               }
                                fp->fr_grp = fg;
                        } else {
                                fg = ipf_findgroup(softc, group, unit,
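Review bot: the added NULL check closes the dereference, but the errno deserves a second look: judging from the description, ipf_group_add returns NULL here because group 100 already exists with the opposite direction, not because it is missing, so ESRCH is misleading to the ipf user and EINVAL would describe a conflicting rule more accurately. Also confirm that IPFERROR(152) is not already assigned in the ipf error table, so the new code can be mapped to a distinct direction-mismatch message, and that donenolock is the correct exit label at this point in the addrem == 0 path (the same label the lookup failure in the else branch uses would be the natural reference).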

--
t-hash
