"pid 1763 (pfctl), jid 0, uid 0: exited on signal 34 (core dumped)" on boot #1385

Closed
rwatson opened this issue May 21, 2022 · 3 comments · Fixed by #1386
rwatson commented May 21, 2022

With a hybrid kernel and CheriABI userspace on my Morello board, I get this message during the daily event each day (or when running periodic daily manually):

pid 1763 (pfctl), jid 0, uid 0: exited on signal 34 (core dumped)

This seems to be reproducible via:

root@cheribsd:/tmp # /sbin/pfctl -a "" -sr -v -z
In-address space security exception (core dumped)
rwatson commented May 21, 2022

With gdb-cheri:

Program received signal SIGPROT, CHERI protection violation
Capability bounds fault.
0x000000000013f2a4 in main (argc=6, argv=0xffffbff7f740 [rwRW,0xffffbff7f740-0xffffbff7f7b0]) at /local/scratch/jenkins/workspace/CheriBSD-pipeline_dev/cheribsd/sbin/pfctl/pfctl.c:2776
2776	/local/scratch/jenkins/workspace/CheriBSD-pipeline_dev/cheribsd/sbin/pfctl/pfctl.c: No such file or directory.
(gdb) bt
#0  0x000000000013f2a4 in main (argc=6, argv=0xffffbff7f740 [rwRW,0xffffbff7f740-0xffffbff7f7b0])
    at /local/scratch/jenkins/workspace/CheriBSD-pipeline_dev/cheribsd/sbin/pfctl/pfctl.c:2776

Which is here in the in-sync version of pfctl.c:

        if ((path = calloc(1, MAXPATHLEN)) == NULL)
                errx(1, "pfctl: calloc");
        memset(anchorname, 0, sizeof(anchorname));
        if (anchoropt != NULL) {
                int len = strlen(anchoropt);

                if (anchoropt[len - 1] == '*') {              <--- Bounds check violation here
                        if (len >= 2 && anchoropt[len - 2] == '/')
                                anchoropt[len - 2] = '\0';
                        else
                                anchoropt[len - 1] = '\0';
                        opts |= PF_OPT_RECURSE;
                }
                if (strlcpy(anchorname, anchoropt,
                    sizeof(anchorname)) >= sizeof(anchorname))
                        errx(1, "anchor name '%s' too long",
                            anchoropt);
                loadopt &= PFCTL_FLAG_FILTER|PFCTL_FLAG_NAT|PFCTL_FLAG_TABLE|PFCTL_FLAG_ETH;
        }

And this is indeed a bounds underflow when used with -a "" -- i.e., a legit source-code bug in pfctl.c.
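The same anchor-name handling with the missing length check added, as an added example in C that is not pfctl's own code; `parse_anchor`, `demo` and the numeric value of `PF_OPT_RECURSE` are assumptions made for the example:

```c
/* Added example, not from pfctl.c: the anchor-name handling from main()
 * with the missing length check added. In the original, `-a ""` makes
 * strlen(anchoropt) == 0, so anchoropt[len - 1] reads the byte before
 * the string; CHERI's capability bounds reject that read (SIGPROT). */
#include <stdio.h>
#include <string.h>

#define PF_OPT_RECURSE 0x0100   /* assumed value; real flag is in pfctl's headers */
#define MAXPATHLEN     1024

/* Strips a trailing "*" or "/*" from anchoropt in place (as pfctl does),
 * sets PF_OPT_RECURSE in *opts when it did, and copies the result into
 * anchorname. Returns 0 on success, -1 if the name does not fit. */
int parse_anchor(char *anchoropt, char *anchorname, size_t namesz, int *opts)
{
    memset(anchorname, 0, namesz);
    if (anchoropt == NULL)
        return 0;
    size_t len = strlen(anchoropt);
    /* The fix: only inspect the last character when there is one.
     * Without `len > 0`, an empty string indexes anchoropt[-1]. */
    if (len > 0 && anchoropt[len - 1] == '*') {
        if (len >= 2 && anchoropt[len - 2] == '/')
            anchoropt[len - 2] = '\0';
        else
            anchoropt[len - 1] = '\0';
        *opts |= PF_OPT_RECURSE;
    }
    /* snprintf returns the untruncated length, mirroring strlcpy's check. */
    if ((size_t)snprintf(anchorname, namesz, "%s", anchoropt) >= namesz)
        return -1;
    return 0;
}

/* Runs parse_anchor on a copy of input so the caller's string is not
 * modified; returns the resulting opts, or -1 when the name is too long. */
int demo(const char *input, char *out, size_t outsz)
{
    char buf[MAXPATHLEN];
    int opts = 0;
    snprintf(buf, sizeof buf, "%s", input);
    if (parse_anchor(buf, out, outsz, &opts) != 0)
        return -1;
    return opts;
}
```

With `demo("", ...)` the guard short-circuits before any index is formed, so the empty anchor from `-a ""` yields an empty name and no recursion instead of an out-of-bounds read.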

rwatson commented May 21, 2022

Bug reported upstream as: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264128

rwatson commented May 21, 2022

Exploration of a potential solution in #1386.
