[Bug 272153] [pf] [pfsync] Incomplete state sync causing null pointer dereference
Date: Thu, 22 Jun 2023 22:10:41 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272153
Bug ID: 272153
Summary: [pf] [pfsync] Incomplete state sync causing null pointer dereference
Product: Base System
Version: 13.1-RELEASE
Hardware: amd64
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: adam.stradtner@gmail.com
I have a pair of OPNsense firewalls, based on FreeBSD 13.1. They are configured
as an HA pair with state synchronization via pfsync. I am experiencing random
crashes stating:
Fatal trap 12: page fault while in kernel mode
cpuid = 3; apic id = 06
fault virtual address = 0x0
fault code = supervisor read data, page not present
One of the OPNsense maintainers looked at a core dump and found the cause to be
a null pointer dereference:
#17 0xffffffff8237ed0f in pf_test_state_udp (state=<optimized out>,
state@entry=0xfffffe001099b828,
direction=<optimized out>, kif=<optimized out>,
kif@entry=0xfffff800245b3a00, m=m@entry=0xfffff801e9409800,
off=20, h=<optimized out>, pd=pd@entry=0xfffffe001099b758) at
/usr/src/sys/netpfil/pf/pf.c:5086
5086 if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af) ||
(kgdb) list
5081
5082 /* translate source/destination address, if necessary */
5083 if ((*state)->key[PF_SK_WIRE] != (*state)->key[PF_SK_STACK]) {
5084 struct pf_state_key *nk = (*state)->key[pd->didx];
5085
5086 if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af) ||
5087 nk->port[pd->sidx] != uh->uh_sport)
5088 pf_change_ap(m, pd->src, &uh->uh_sport, pd->ip_sum,
5089 &uh->uh_sum, &nk->addr[pd->sidx],
5090 nk->port[pd->sidx], 1, pd->af);
(kgdb) p nk
$10 = (struct pf_state_key *) 0x0
I subsequently disabled pfsync and that has resolved my crashes. It appears the
state sync is bringing invalid states with it, which eventually causes a kernel
panic.
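To show why a half-synchronised state trips the check quoted in the kgdb listing, here is an added C model (not pf code and not the FreeBSD project's fix): it mirrors the `key[PF_SK_WIRE] != key[PF_SK_STACK]` test and then guards `nk` before dereferencing it. The `state_key`/`pdesc` structs, the verdict enum and the sample addresses are constructed for this example.

```c
#include <stddef.h>
#include <stdbool.h>
#include <stdint.h>

/* Stand-in for pf's key pair: a state carries a wire key and a stack key. */
#define PF_SK_WIRE  0
#define PF_SK_STACK 1

struct state_key { uint32_t addr[2]; uint16_t port[2]; };
struct state     { struct state_key *key[2]; };
struct pdesc     { int sidx, didx; uint32_t src; uint16_t sport; };

enum verdict { NO_TRANSLATION, TRANSLATED, INVALID_STATE };

/* Same condition as pf.c:5083 in the listing: any difference between the two
 * keys, including one of them being NULL, enters the translation branch. */
static bool translation_needed(const struct state *st) {
    return st->key[PF_SK_WIRE] != st->key[PF_SK_STACK];
}

/* Hardened variant (illustration only): a state whose key is missing, as a
 * partial pfsync update can leave it, is rejected instead of dereferenced. */
static enum verdict translate_src(struct state *st, struct pdesc *pd) {
    if (!translation_needed(st))
        return NO_TRANSLATION;
    struct state_key *nk = st->key[pd->didx];   /* NULL in the crash dump */
    if (nk == NULL)
        return INVALID_STATE;
    if (pd->src != nk->addr[pd->sidx] || pd->sport != nk->port[pd->sidx]) {
        pd->src   = nk->addr[pd->sidx];
        pd->sport = nk->port[pd->sidx];
        return TRANSLATED;
    }
    return NO_TRANSLATION;
}

/* Constructed sample: only the wire key arrived, stack key is NULL. */
static enum verdict run_half_synced(void) {
    struct state_key wire = { {0x0a000001u, 0xc0a80001u}, {40000, 53} };
    struct state st = { { &wire, NULL } };
    struct pdesc pd = { 0, 1, 0x0a000001u, 40000 };
    return translate_src(&st, &pd);
}

/* Constructed sample: complete NAT state, source gets rewritten. */
static enum verdict run_nat_state(void) {
    struct state_key wire  = { {0x0a000001u, 0xc0a80001u}, {40000, 53} };
    struct state_key stack = { {0xc0a80001u, 0xc0a80001u}, {50000, 53} };
    struct state st = { { &wire, &stack } };
    struct pdesc pd = { 0, 1, 0x0a000001u, 40000 };
    enum verdict v = translate_src(&st, &pd);
    return (v == TRANSLATED && pd.src == 0xc0a80001u) ? TRANSLATED : INVALID_STATE;
}
```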