kern/71677: MAC Biba / IPFW panic

Brian Buchanan bwb at
Sun Sep 12 12:10:12 PDT 2004

>Number:         71677
>Category:       kern
>Synopsis:       MAC Biba / IPFW panic
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Sep 12 19:10:11 GMT 2004
>Originator:     Brian Buchanan
>Release:        FreeBSD 5.3-BETA2 i386
System: FreeBSD 5.3-BETA2 FreeBSD 5.3-BETA2 #2: Sat Sep 11 19:21:14 PDT 2004 root at i386

When the Biba MAC policy is loaded and IPFW is configured to send a RST in
response to certain TCP packets, the system will panic when it receives
a packet that triggers such an IPFW rule.

panic: mac_biba_dominate_element: a->mbe_type invalid
KDB: enter: panic
[thread 100038]
Stopped at      kdb_enter+0x30: leave
db> tr
kdb_enter(c06d2398,c0729be0,c08a2bb4,d542c930,0) at kdb_enter+0x30
panic(c08a2bb4,c1f771c4,0,c197be70,d542c958) at panic+0xcc
mac_biba_dominate_element(c1f771c4,c197be98,c08a3580,0,c1a63800) at mac_biba_dominate_element+0x12d
mac_biba_effective_in_range(c1f771c0,c197be70,d542c994,c0607fdd,c1a63800) at mac_biba_effective_in_range+0x3f
mac_biba_check_ifnet_transmit(c1a63800,c197a604,c1c80600,c1e18550,0) at mac_biba_check_ifnet_transmit+0x34
mac_check_ifnet_transmit(c1a63800,c1c80600,0,0,0) at mac_check_ifnet_transmit+0xad
ether_output(c1a63800,c1c80600,c1b9d990,c1e199cc,c1e18540) at ether_output+0x32
ip_output(c1c80600,0,d542ca2c,0,0) at ip_output+0x9c0
send_pkt(d542cc0c,78f13960,0,6,3c2) at send_pkt+0x19a
send_reject(d542cbf4,100,0,30,1) at send_reject+0xb1
ipfw_chk(d542cbf4,0,f,0,c1dcae00) at ipfw_chk+0x12e3
ipfw_check_in(0,d542cc48,c1a63800,1,0) at ipfw_check_in+0x88
pfil_run_hooks(c0730ea0,d542cc90,c1a63800,1,20a000a) at pfil_run_hooks+0xf7
ip_input(c1dcae00,c19cb6e0,0,d0cf11b1,dad35cd4) at ip_input+0x24e
netisr_processqueue(c072eb78,2f5,532c9cdd,d971c9c8,0) at netisr_processqueue+0xc9
swi_net(0,0,0,0,0) at swi_net+0xca
ithread_loop(c19e4280,d542cd48,0,0,0) at ithread_loop+0x1a8
fork_exit(c04b1ef0,c19e4280,d542cd48) at fork_exit+0x80
fork_trampoline() at fork_trampoline+0x8
--- trap 0x1, eip = 0, esp = 0xd542cd7c, ebp = 0 ---


Compile "options MAC" into the kernel.
Set mac_biba_load="YES" in loader.conf and reboot the system.
Configure the MAC label on an Ethernet interface to "biba/equal(equal-equal)".
Create an IPFW rule with the "reset" action to be invoked for packets
destined to some TCP port.
From a remote machine, send a packet to the TCP port configured above.


The fix is probably to create MAC labels for packets sent by IPFW.  In the 
case of reset packets this looks easy enough, but I'm not sure what to do 
about the keepalive packets sent in ipfw_tick().  Perhaps the 
ipfw_dyn_rule needs a label?
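
A simplified user-space model of the dominance check named in the panic, added here as an illustration; it is not FreeBSD's code and not part of the original report. The type names and values, the -1 return that stands in for the panic, and the labelling step in demo() are assumptions of this example.

```c
#include <stdio.h>

/* User-space model; type names and values are assumptions, compartments omitted. */
enum biba_type { BIBA_UNDEF = 0, BIBA_GRADE, BIBA_LOW, BIBA_HIGH, BIBA_EQUAL };
struct biba_element { enum biba_type type; unsigned grade; };
struct biba_label { struct biba_element effective, range_low, range_high; };
#define BIBA_INVALID (-1)  /* stands in for the kernel panic */

/* 1 if a dominates b, 0 if not, BIBA_INVALID for an unset or unknown type. */
int dominate_element(const struct biba_element *a, const struct biba_element *b)
{
    switch (a->type) {
    case BIBA_EQUAL: case BIBA_HIGH:
        return 1;                    /* b is never inspected */
    case BIBA_LOW:
        switch (b->type) {
        case BIBA_GRADE: case BIBA_HIGH: return 0;
        case BIBA_EQUAL: case BIBA_LOW:  return 1;
        default: return BIBA_INVALID;
        }
    case BIBA_GRADE:
        switch (b->type) {
        case BIBA_EQUAL: case BIBA_LOW:  return 1;
        case BIBA_HIGH:  return 0;
        case BIBA_GRADE: return a->grade >= b->grade;
        default: return BIBA_INVALID;
        }
    default:
        return BIBA_INVALID;         /* the "a->mbe_type invalid" case */
    }
}

/* Transmit check: the packet's effective element must lie in the interface range. */
int effective_in_range(const struct biba_label *pkt, const struct biba_label *ifp)
{
    int r = dominate_element(&ifp->range_high, &pkt->effective);
    return r == 1 ? dominate_element(&pkt->effective, &ifp->range_low) : r;
}

/* Constructed scenario; label_reply != 0 applies a hypothetical labelling fix. */
int demo(int label_reply)
{
    struct biba_label ifp = { {BIBA_EQUAL, 0}, {BIBA_EQUAL, 0}, {BIBA_EQUAL, 0} };
    /* Packet generated by the firewall: its label was never initialised. */
    struct biba_label reply = { {BIBA_UNDEF, 0}, {BIBA_UNDEF, 0}, {BIBA_UNDEF, 0} };
    if (label_reply)
        reply.effective = ifp.effective; /* assumption: inherit from the interface */
    return effective_in_range(&reply, &ifp);
}

int main(void) { printf("unlabelled=%d labelled=%d\n", demo(0), demo(1)); return 0; }
```

With an equal(equal-equal) interface the upper-bound comparison succeeds without looking at the packet, so in this model the unset element is only reached when it is passed as the first argument of the lower-bound comparison.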
