[Bug 272153] [pf] [pfsync] Incomplete state sync causing null pointer dereference

From: <bugzilla-noreply_at_freebsd.org>
Date: Thu, 22 Jun 2023 22:10:41 UTC

            Bug ID: 272153
           Summary: [pf] [pfsync] Incomplete state sync causing null
                    pointer dereference
           Product: Base System
           Version: 13.1-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: adam.stradtner@gmail.com

I have a pair of OPNsense firewalls, based on FreeBSD 13.1. They are configured
as an HA pair with state synchronization via pfsync. I am experiencing random
crashes stating:

Fatal trap 12: page fault while in kernel mode
cpuid = 3; apic id = 06
fault virtual address   = 0x0
fault code      = supervisor read data, page not present

One of the OPNsense maintainers looked at a core dump and found this cause
being a null pointer dereference:

#17 0xffffffff8237ed0f in pf_test_state_udp (state=<optimized out>,
    direction=<optimized out>, kif=<optimized out>,
kif@entry=0xfffff800245b3a00, m=m@entry=0xfffff801e9409800,
    off=20, h=<optimized out>, pd=pd@entry=0xfffffe001099b758) at
5086         if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af) ||
(kgdb) list
5082      /* translate source/destination address, if necessary */
5083      if ((*state)->key[PF_SK_WIRE] != (*state)->key[PF_SK_STACK]) {
5084         struct pf_state_key *nk = (*state)->key[pd->didx];
5086         if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af) ||
5087             nk->port[pd->sidx] != uh->uh_sport)
5088            pf_change_ap(m, pd->src, &uh->uh_sport, pd->ip_sum,
5089                &uh->uh_sum, &nk->addr[pd->sidx],
5090                nk->port[pd->sidx], 1, pd->af);
(kgdb) p nk
$10 = (struct pf_state_key *) 0x0

I subsequently disabled pfsync and that has resolved my crashes. It appears the
state sync is bringing invalid states with it, which eventually causes a kernel

You are receiving this mail because:
You are the assignee for the bug.