Bug 264128 - Out-of-bounds read in pfctl(8) when run with -a “” (as in “periodic daily”).
Summary: Out-of-bounds read in pfctl(8) when run with -a “” (as in “periodic daily”).
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: CURRENT
Hardware: Any
OS: Any
Importance: --- Affects Only Me
Assignee: freebsd-pf (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-05-21 17:29 UTC by Robert Watson
Modified: 2022-05-22 09:00 UTC
Description Robert Watson freebsd_committer freebsd_triage 2022-05-21 17:29:39 UTC
When pfctl(8) is compiled for CheriABI and run on an Arm Morello board, it experiences a crash when used with -a “”, as used by “periodic daily” every 24 hours:

  pid 1763 (pfctl), jid 0, uid 0: exited on signal 34 (core dumped)

This seems to be reproducible (in CheriBSD) via:

  root@cheribsd:/tmp # /sbin/pfctl -a "" -sr -v -z
  In-address space security exception (core dumped)

As described in https://github.com/CTSRD-CHERI/cheribsd/issues/1385, this is due to a buffer underflow when processing the -a argument.  On CHERI-enabled hardware, this leads to a deterministic process crash.  On non-CHERI hardware it silently continues.
Comment 1 commit-hook freebsd_committer freebsd_triage 2022-05-22 09:00:42 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=298663855015c1eba7ccf5b88168f433653eb609

commit 298663855015c1eba7ccf5b88168f433653eb609
Author:     Jessica Clarke <jrtc27@FreeBSD.org>
AuthorDate: 2022-05-22 08:31:42 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2022-05-22 08:31:42 +0000

    pfctl: fix out-of-bounds access

    If pfctl is called with "pfctl -a ''" we read outside of the anchoropt
    buffer. Check that the buffer is sufficiently long to avoid that.

    Maintain the existing (and desired, because it's used as such in
    /etc/periodic/security/520.pfdenied) behaviour of treating "-a ''" as a
    request for the root anchor (or no anchor specified).

    PR:             264128
    Reviewed by:    kp

 sbin/pfctl/pfctl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
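As an added illustration of the bug class (not pfctl's own code; the exact expression changed in the commit is not reproduced on this page), the unchecked last-character index beside its length-checked form, with an assumed stand-in for how a trailing '*' and an empty anchor name are handled:

```c
#include <stdio.h>
#include <string.h>

/* BEFORE: with anchoropt == "" (pfctl -a ""), strlen() - 1 wraps to SIZE_MAX
 * and this reads anchoropt[-1], one byte before the buffer.  CHERI traps on
 * the bounds violation (signal 34); other hardware silently reads the byte.
 * Kept only to show the pattern; never called below. */
int anchor_is_wildcard_unsafe(const char *anchoropt)
{
    return anchoropt[strlen(anchoropt) - 1] == '*';
}

/* AFTER: check the length before indexing the last character. */
int anchor_is_wildcard(const char *anchoropt)
{
    size_t len = strlen(anchoropt);
    return len >= 1 && anchoropt[len - 1] == '*';
}

/* Split an -a argument into an anchor name and a recursive flag (assumed
 * stand-in for pfctl's own parsing).  "" keeps its meaning as the root
 * anchor, which /etc/periodic/security/520.pfdenied relies on.
 * Returns 0 on success, -1 if the name does not fit in out[]. */
int parse_anchor_opt(const char *anchoropt, char *out, size_t outlen, int *recursive)
{
    size_t len = (anchoropt == NULL) ? 0 : strlen(anchoropt);

    *recursive = 0;
    if (len > 0 && anchor_is_wildcard(anchoropt)) {
        *recursive = 1;
        len--;                              /* drop the trailing '*' */
        if (len > 0 && anchoropt[len - 1] == '/')
            len--;                          /* and the '/' before it */
    }
    if (len >= outlen)
        return -1;
    if (len > 0)
        memcpy(out, anchoropt, len);
    out[len] = '\0';                        /* len == 0: root anchor */
    return 0;
}

int main(void)
{
    const char *samples[] = { "", "foo", "foo/*", "*" };  /* constructed */
    char name[64];
    int rec;

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        if (parse_anchor_opt(samples[i], name, sizeof(name), &rec) == 0)
            printf("-a \"%s\" -> anchor \"%s\" recursive=%d\n", samples[i], name, rec);
    return 0;
}
```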