Page MenuHomeFreeBSD
Differential D34880

pf: grab pf_config_lock when freeing a rule
AbandonedPublic
Actions

Authored by rew on Apr 11 2022, 7:20 AM.
Tags
None
Referenced Files
Unknown Object (File)
Sat, Nov 16, 10:19 AM
Unknown Object (File)
Thu, Oct 31, 4:23 AM
Unknown Object (File)
Sep 27 2024, 12:16 PM
Unknown Object (File)
Sep 9 2024, 4:43 AM
Unknown Object (File)
Sep 9 2024, 4:43 AM
Unknown Object (File)
Sep 4 2024, 5:00 PM
Unknown Object (File)
Sep 2 2024, 12:25 PM
Unknown Object (File)
Sep 2 2024, 3:20 AM
View All 26 Files
Subscribers
farrokhi
glebius
imp
melifaro

Details

Reviewers
kp
mjg
Summary

Take PF_CONFIG_LOCK() when pf_free_rule() is called. The assert being
hit was added in bd7762c86986537a5b393537b85de31b1556735b.

When adding a new rule through DIOCCHANGERULE it's possible the new rule
will be freed. This can happen if an error occurs or when the new rule
is to be added before/after a given rule number that doesn't exist.

It is the latter scenario that syzkaller found.

Reported by: syzbot+ba6bcae2eabec42983f6@syzkaller.appspotmail.com

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 45120
Build 42008: arc lint + arc unit

Event Timeline

rew created this revision.Apr 11 2022, 7:20 AM
Herald added subscribers: glebius, melifaro, farrokhi, imp. · View Herald TranscriptApr 11 2022, 7:20 AM
rew requested review of this revision.Apr 11 2022, 7:20 AM
Harbormaster completed remote builds in B45120: Diff 104866.Apr 11 2022, 7:20 AM
rew added reviewers: kp, mjg.Apr 11 2022, 7:22 AM
mjg added a comment.Apr 11 2022, 11:29 AM

I'm aware of this crash, but this is more broken than that and sprinkling the lock only takes care of the apparent problem. The key here is that the ioctl at hand does not properly update the rule anymore and unfortunately there are no tests for it either. I'm going to fix it soon(tm).

kp added a comment.Apr 11 2022, 12:25 PM
In D34880#790375, @mjg wrote:

I'm aware of this crash, but this is more broken than that and sprinkling the lock only takes care of the apparent problem. The key here is that the ioctl at hand does not properly update the rule anymore and unfortunately there are no tests for it either. I'm going to fix it soon(tm).

I'm very, very tempted to say we should just remove DIOCCHANGERULE, but at least miniupnpd actually uses it.

rew abandoned this revision.Apr 11 2022, 2:34 PM
In D34880#790376, @kp wrote:

I'm very, very tempted to say we should just remove DIOCCHANGERULE, but at least miniupnpd actually uses it.

Looks like it uses PF_CHANGE_REMOVE, PF_CHANGE_GET_TICKET, and PF_CHANGE_ADD_TAIL from the ioctl.

The locking contract did seem a bit odd when I was looking at this, guess because there's active work going on here.

I'll let this go, thanks for the comments.

mjg added a comment.Apr 11 2022, 2:54 PM

thanks for the patch. if there was a way of marking syzkaller crashes as worked on I would have done it :)

Revision Contents
Changeset List

PathSize
sys/
netpfil/
pf/
5 lines

Diff 104866

View Options

sys/netpfil/pf/pf_ioctl.c

Loading...