When pfctl(8) is compiled for CheriABI and run on an Arm Morello board, it experiences a crash when used with -a "", as used by "periodic daily" every 24 hours:
pid 1763 (pfctl), jid 0, uid 0: exited on signal 34 (core dumped)
This seems to be reproducible (in CheriBSD) via:
root@cheribsd:/tmp # /sbin/pfctl -a "" -sr -v -z
In-address space security exception (core dumped)
As described in https://github.com/CTSRD-CHERI/cheribsd/issues/1385, this is due to a buffer underflow when processing the -a argument. On CHERI-enabled hardware, this leads to a deterministic process crash. On non-CHERI hardware it silently continues.
A commit in branch main references this bug:
Author: Jessica Clarke <jrtc27@FreeBSD.org>
AuthorDate: 2022-05-22 08:31:42 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2022-05-22 08:31:42 +0000
pfctl: fix out-of-bounds access
If pfctl is called with "pfctl -a ''" we read outside of the anchoropt
buffer. Check that the buffer is sufficiently long to avoid that.
Maintain the existing (and desired, because it's used as such in
/etc/periodic/security/520.pfdenied) behaviour of treating "-a ''" as a
request for the root anchor (or no anchor specified).
Reviewed by: kp
sbin/pfctl/pfctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
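The length check the commit message describes, as an added example; it is not the pfctl source or the committed patch. It assumes the option parser inspects the last character of the -a string for a trailing '*' (recursive anchor); `struct anchor_opt`, `unchecked_last_index` and `parse_anchor_opt` are hypothetical names and the sample strings are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical result type for this example; not a pfctl structure. */
struct anchor_opt {
    char name[64];  /* anchor path with any trailing "*" or "/" + "*" removed */
    int  recursive; /* 1 if the option ended in '*' (assumed meaning) */
    int  is_root;   /* 1 if the remaining name is empty: root / no anchor */
};

/* Index that opt[strlen(opt) - 1] would read; -1 for "". Never dereferenced. */
long unchecked_last_index(const char *opt)
{
    return (long)strlen(opt) - 1;
}

/* Returns 0 on success, -1 on NULL input or a name too long for the buffer. */
int parse_anchor_opt(const char *opt, struct anchor_opt *out)
{
    size_t len;

    if (opt == NULL || out == NULL)
        return -1;
    len = strlen(opt);
    if (len >= sizeof(out->name))
        return -1;
    memset(out, 0, sizeof(*out));
    /* Test the length first: an empty string has no last character. */
    if (len >= 1 && opt[len - 1] == '*') {
        out->recursive = 1;
        len--;
        if (len >= 1 && opt[len - 1] == '/')
            len--;
    }
    memcpy(out->name, opt, len);  /* name stays NUL-terminated via memset */
    out->is_root = (len == 0);    /* "-a ''" keeps meaning the root anchor */
    return 0;
}

int main(void)
{
    const char *samples[] = { "", "*", "ftp-proxy/*", "blocklist" }; /* constructed */
    struct anchor_opt a;

    for (size_t i = 0; i < 4; i++)
        if (parse_anchor_opt(samples[i], &a) == 0)
            printf("'%s': unchecked index %ld, name '%s', recursive %d, root %d\n",
                samples[i], unchecked_last_index(samples[i]), a.name, a.recursive, a.is_root);
    return 0;
}
```

For the empty string the unchecked index is -1, one byte before the buffer: the access a CHERI capability bounds check traps on and conventional hardware lets through.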