When pfctl(8) is compiled for CheriABI and run on an Arm Morello board, it experiences a crash when used with -a "", as used by "periodic daily" every 24 hours:

pid 1763 (pfctl), jid 0, uid 0: exited on signal 34 (core dumped)

This seems to be reproducible (in CheriBSD) via:

root@cheribsd:/tmp # /sbin/pfctl -a "" -sr -v -z
In-address space security exception (core dumped)

As described in https://github.com/CTSRD-CHERI/cheribsd/issues/1385, this is due to a buffer underflow when processing the -a argument. On CHERI-enabled hardware, this leads to a deterministic process crash. On non-CHERI hardware it silently continues.

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=298663855015c1eba7ccf5b88168f433653eb609

commit 298663855015c1eba7ccf5b88168f433653eb609
Author:     Jessica Clarke <jrtc27@FreeBSD.org>
AuthorDate: 2022-05-22 08:31:42 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2022-05-22 08:31:42 +0000

    pfctl: fix out-of-bounds access

    If pfctl is called with "pfctl -a ''" we read outside of the anchoropt
    buffer. Check that the buffer is sufficiently long to avoid that.

    Maintain the existing (and desired, because it's used as such in
    /etc/periodic/security/520.pfdenied) behaviour of treating "-a ''" as a
    request for the root anchor (or no anchor specified).

    PR:             264128
    Reviewed by:    kp

 sbin/pfctl/pfctl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
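
Added illustration, not the pfctl source or the committed change: a last-character test of the kind that reads one byte below the buffer when -a is given an empty string, next to a length-guarded version that keeps "" meaning the root anchor. The '*' suffix test, the function names and the sample anchor names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Offset an unguarded opt[strlen(opt) - 1] would read; -1 for "". */
ptrdiff_t last_char_offset(const char *opt) { return (ptrdiff_t)strlen(opt) - 1; }

/* Before: no length check. With "" this reads opt[-1], one byte below the
 * buffer: silent on most targets, a capability bounds fault under CHERI. */
bool wildcard_suffix_unguarded(const char *opt)
{
    int len = (int)strlen(opt);
    return opt[len - 1] == '*';
}

/* After: the last byte is only examined when there is one. */
bool wildcard_suffix_guarded(const char *opt)
{
    size_t len = strlen(opt);
    return len >= 1 && opt[len - 1] == '*';
}

/* Copy the anchor name into out, dropping a trailing '*'. "" stays "" and
 * stands for the root anchor. Returns 0, or -1 if the name does not fit. */
int parse_anchor(const char *opt, char *out, size_t outsz, bool *recursive)
{
    size_t len = strlen(opt);
    *recursive = wildcard_suffix_guarded(opt);
    if (*recursive)
        len--;
    if (len >= outsz)
        return -1;
    memcpy(out, opt, len);
    out[len] = '\0';
    return 0;
}

int main(void)
{
    const char *samples[] = { "", "*", "ftp-proxy/*", "relayd" }; /* constructed */
    char name[64];
    bool rec;
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        if (parse_anchor(samples[i], name, sizeof(name), &rec) == 0)
            printf("'%s' -> anchor '%s' recursive=%d offset=%td\n",
                samples[i], name, rec, last_char_offset(samples[i]));
    return 0;
}
```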