syzbot

uvm_fault: pfi_dynaddr_remove

Status: fixed on 2020/04/20 18:58
Reported-by: syzbot+ae5e359d7f82688edd6a@syzkaller.appspotmail.com
Fix commit: 3d97bff14298 fix insufficient input sanitization in pf_rulecopyin() and pf_pool_copyin()
First crash: 1067d, last: 1063d
Patch testing requests:
Created           Duration  User               Patch  Repo                                                                       Result
2020/04/19 00:02  18m       greg@nest.cx              git://github.com/blackgnezdo/src c4fa7f2562c6318a999d877a6b05647a480baa3d  report log
2020/04/18 08:58  17m       anton@basename.se         https://github.com/mptre/openbsd-src pf                                    OK

Sample crash report:
login: uvm_fault(0xfffffd806bc09880, 0x440010051, 0, 1) -> e
kernel: page fault trap, code=0
Stopped at      pfi_dynaddr_remove+0x4a:        movq    0x58(%r15),%r12
ddb> 
ddb> set $lines = 0
ddb> set $maxwidth = 0
ddb> show panic
kernel page fault
uvm_fault(0xfffffd806bc09880, 0x440010051, 0, 1) -> e
pfi_dynaddr_remove(ffff8000009f3008) at pfi_dynaddr_remove+0x4a sys/net/pf_if.c:602
end trace frame: 0xffff80001d3de200, count: 0
ddb> trace
pfi_dynaddr_remove(ffff8000009f3008) at pfi_dynaddr_remove+0x4a sys/net/pf_if.c:602
pf_rm_rule(0,ffff8000009f2fd0) at pf_rm_rule+0x3ae sys/net/pf_ioctl.c:303
pfioctl(4900,cd604404,ffff8000006be000,c2,ffff8000ffff4010) at pfioctl+0x3082
VOP_IOCTL(fffffd80644150d0,cd604404,ffff8000006be000,c2,fffffd806c3bed20,ffff8000ffff4010) at VOP_IOCTL+0x88 sys/kern/vfs_vops.c:291
vn_ioctl(fffffd805dfa7440,cd604404,ffff8000006be000,ffff8000ffff4010) at vn_ioctl+0xb7 sys/kern/vfs_vnops.c:533
sys_ioctl(ffff8000ffff4010,ffff80001d3de648,ffff80001d3de690) at sys_ioctl+0x5b9
syscall(ffff80001d3de710) at syscall+0x507 sys/arch/amd64/amd64/trap.c:555
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xc7eb1c5fea0, count: -8
ddb> show registers
rdi                              0x2
rsi                              0x2
rbp               0xffff80001d3de1a0
rbx                              0x2
rdx                              0x4
rcx                              0x1
rax                             0x10
r8                              0xf8
r9                               0x5
r10               0x51b03886c3577b7f
r11               0xf80ef84dcf3c9ed0
r12               0xffff8000009f3008
r13                             0x10
r14               0xffff8000009f3008
r15                      0x44000fff9
rip               0xffffffff819b386a    pfi_dynaddr_remove+0x4a
cs                               0x8
rflags                       0x10206    __ALIGN_SIZE+0xf206
rsp               0xffff80001d3de170
ss                              0x10
pfi_dynaddr_remove+0x4a:        movq    0x58(%r15),%r12
ddb> show proc
PROC (syz-executor2422) pid=433763 stat=onproc
    flags process=2<EXEC> proc=4000000<THREAD>
    pri=52, usrpri=52, nice=20
    forw=0xffffffffffffffff, list=0xffff8000ffff5b38,0xffffffff8256d538
    process=0xffff80001d39aa50 user=0xffff80001d3d9000, vmspace=0xfffffd806bc09880
    estcpu=2, cpticks=0, pctcpu=0.0
    user=0, sys=0, intr=0
ddb> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
 69112  240130  40878      0  2         0x2                syz-executor2422
 69112  181471  40878      0  3   0x4000082  lockf         syz-executor2422
*69112  433763  40878      0  7   0x4000002                syz-executor2422
 40878  453568  46398      0  3    0x10008a  pause         ksh
 46398  449527   6465      0  3        0x92  select        sshd
 44672  128101      1      0  3    0x100083  ttyin         getty
  6465  426938      1      0  3        0x80  select        sshd
 37160   58174  25987     73  3    0x100090  kqread        syslogd
 25987   56230      1      0  3    0x100082  netio         syslogd
 59558   25458      1     77  3    0x100090  poll          dhclient
 74278   45751      1      0  3        0x80  poll          dhclient
 33845  281488      0      0  2     0x14200                zerothread
 82931  408893      0      0  3     0x14200  aiodoned      aiodoned
 50738  222890      0      0  3     0x14200  syncer        update
 31777  300726      0      0  3     0x14200  cleaner       cleaner
  4453  337877      0      0  3     0x14200  reaper        reaper
 30583  461001      0      0  3     0x14200  pgdaemon      pagedaemon
 18763  203006      0      0  3     0x14200  bored         crynlk
 87407  446502      0      0  3     0x14200  bored         crypto
 26439  115400      0      0  3  0x40014200  acpi0         acpi0
 99917  374148      0      0  3     0x14200  bored         softnet
  5652  346876      0      0  3     0x14200  bored         systqmp
 66278  398081      0      0  3     0x14200  bored         systq
 42552  108190      0      0  3  0x40014200  bored         softclock
 93377  106265      0      0  3  0x40014200                idle0
 99721  329354      0      0  3     0x14200  bored         smr
     1  106596      0      0  3        0x82  wait          init
     0       0     -1      0  3     0x10200  scheduler     swapper
ddb> show all locks
No such command
ddb> show malloc
           Type InUse  MemUse  HighUse   Limit  Requests Type Lim
         devbuf  9438   6319K    6320K  78643K     10535        0
            pcb    13      8K       8K  78643K        13        0
         rtable    64      2K       2K  78643K       120        0
         ifaddr    28      8K       8K  78643K        28        0
       counters    19     16K      16K  78643K        19        0
       ioctlops     1      4K       4K  78643K        15        0
          mount     1      1K       1K  78643K         1        0
         vnodes  1180     74K      74K  78643K      1185        0
      UFS quota     1     32K      32K  78643K         1        0
      UFS mount     5     36K      36K  78643K         5        0
            shm     2      1K       1K  78643K         2        0
         VM map     2      0K       0K  78643K         2        0
            sem     2      0K       0K  78643K         2        0
        dirhash    12      2K       2K  78643K        12        0
           ACPI  1794    195K     288K  78643K     12646        0
      file desc     1      0K       0K  78643K         1        0
           proc    47     38K      46K  78643K       278        0
    NFS srvsock     1      0K       0K  78643K         1        0
     NFS daemon     1     16K      16K  78643K         1        0
       in_multi    11      0K       0K  78643K        11        0
    ether_multi     1      0K       0K  78643K         1        0
    ISOFS mount     1     32K      32K  78643K         1        0
  MSDOSFS mount     1     16K      16K  78643K         1        0
           ttys    19     95K      95K  78643K        19        0
           exec     0      0K       1K  78643K       151        0
        pagedep     1      8K       8K  78643K         1        0
       inodedep     1     32K      32K  78643K         1        0
         newblk     1      0K       0K  78643K         1        0
        VM swap     7     26K      26K  78643K         7        0
       UVM amap    63      3K       3K  78643K       710        0
       UVM aobj     2      2K       2K  78643K         2        0
        memdesc     1      4K       4K  78643K         1        0
    crypto data     1      1K       1K  78643K         1        0
            NDP     3      0K       0K  78643K         3        0
           temp    20   3003K    3067K  78643K      1711        0
      SYN cache     2     16K      16K  78643K         2        0
ddb> show all pools
Name      Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
arp         64        2    0        0     1     0     1     1     0     8    0
rtpcb       80       15    0       13     1     0     1     1     0     8    0
rtentry    112       23    0        1     1     0     1     1     0     8    0
unpcb      120       27    0       19     1     0     1     1     0     8    0
syncache   264        5    0        5     2     1     1     1     0     8    1
tcpcb      544        8    0        5     1     0     1     1     0     8    0
inpcb      280       22    0       16     1     0     1     1     0     8    0
pfrktable  1344       1    0        0     1     0     1     1     0     8    0
pfrule     1360       2    0        0     1     0     1     1     0     8    0
art_heap8  4096       1    0        0     1     0     1     1     0     8    0
art_heap4  256       97    0        0     7     0     7     7     0     8    0
art_table   32       98    0        0     1     0     1     1     0     8    0
art_node    16       22    0        2     1     0     1     1     0     8    0
dirhash    1024      17    0        0     3     0     3     3     0     8    0
dino1pl    128     1392    0       15    45     0    45    45     0     8    0
ffsino     240     1392    0       15    81     0    81    81     0     8    0
nchpl      144     1567    0       31    57     0    57    57     0     8    0
uvmvnodes   72     1401    0        0    26     0    26    26     0     8    0
vnodes     208     1401    0        0    74     0    74    74     0     8    0
namei      1024    3482    0     3482     2     1     1     1     0     8    1
scxspl     192     2439    0     2439     1     0     1     1     0     8    1
plimitpl   152       13    0        8     1     0     1     1     0     8    0
sigapl     432      176    0      166     2     0     2     2     0     8    0
futexpl     56        8    0        8     1     0     1     1     0     8    1
knotepl    112        5    0        0     1     0     1     1     0     8    0
kqueuepl   104        3    0        0     1     0     1     1     0     8    0
pipepl     112      114    0      107     2     1     1     1     0     8    0
fdescpl    424      177    0      166     2     0     2     2     0     8    0
filepl     120      863    0      816     2     0     2     2     0     8    0
lockfpl    104        7    0        4     1     0     1     1     0     8    0
lockfspl    48        4    0        2     1     0     1     1     0     8    0
sessionpl  112       17    0        9     1     0     1     1     0     8    0
pgrppl      48       17    0        9     1     0     1     1     0     8    0
ucredpl     96       47    0       40     1     0     1     1     0     8    0
zombiepl   144      166    0      166     2     1     1     1     0     8    1
processpl  872      191    0      166     4     0     4     4     0     8    0
procpl     632      193    0      166     3     0     3     3     0     8    0
sockpl     384       64    0       48     2     0     2     2     0     8    0
mcl4k      4096      10    0       10     2     1     1     1     0     8    1
mcl2k      2048    5916    0     5887     8     2     6     7     0     8    2
mtagpl      80        2    0        2     1     1     0     1     0     8    0
mbufpl     256    10115    0    10077     5     1     4     5     0     8    0
bufpl      280     2108    0      258   133     0   133   133     0     8    0
anonpl      16    17400    0    16216     7     2     5     7     0   107    0
amapchunkpl 152     470    0      430     2     0     2     2     0   158    0
amappl16   192       29    0       27     1     0     1     1     0     8    0
amappl15   184       42    0       38     1     0     1     1     0     8    0
amappl14   176       13    0       12     2     1     1     1     0     8    0
amappl12   160        4    0        4     1     1     0     1     0     8    0
amappl11   152       41    0       30     1     0     1     1     0     8    0
amappl10   144        1    0        1     1     1     0     1     0     8    0
amappl9    136      370    0      369     1     0     1     1     0     8    0
amappl8    128       66    0       61     1     0     1     1     0     8    0
amappl7    120       63    0       55     1     0     1     1     0     8    0
amappl6    112       44    0       42     1     0     1     1     0     8    0
amappl5    104      162    0      152     1     0     1     1     0     8    0
amappl4     96      394    0      373     1     0     1     1     0     8    0
amappl3     88      111    0      102     1     0     1     1     0     8    0
amappl2     80      738    0      678     3     1     2     2     0     8    0
amappl1     72    12252    0    11840    16     6    10    16     0     8    0
amappl      80      355    0      334     1     0     1     1     0    84    0
dma4096    4096       1    0        1     1     1     0     1     0     8    0
dma256     256        6    0        6     1     1     0     1     0     8    0
dma128     128      253    0      253     1     1     0     1     0     8    0
dma64       64        6    0        6     1     1     0     1     0     8    0
dma32       32        7    0        7     1     1     0     1     0     8    0
dma16       16       18    0       17     1     0     1     1     0     8    0
aobjpl      64        1    0        0     1     0     1     1     0     8    0
uaddrrnd    24      177    0      166     1     0     1     1     0     8    0
uaddrbest   32        2    0        0     1     0     1     1     0     8    0
uaddr       24      177    0      166     1     0     1     1     0     8    0
vmmpekpl   168     5233    0     5219     1     0     1     1     0     8    0
vmmpepl    168    26122    0    25294    50    12    38    48     0   357    2
vmsppl     272      176    0      166     1     0     1     1     0     8    0
pdppl      4096     360    0      332     5     0     5     5     0     8    0
pvpl        32    70899    0    68066    32     5    27    27     0   265    4
pmappl     200      176    0      166     1     0     1     1     0     8    0
extentpl    40       46    0       29     1     0     1     1     0     8    0
phpool     112      119    0        7     4     0     4     4     0     8    0

Crashes (17):
Manager               Time              Kernel   Commit        Syzkaller  Config   Log  Report  Syz repro  C repro  VM info  Title
ci-openbsd-main       2019/12/31 09:32  openbsd  44bcf650e904  7f117e28   .config  log  report  syz        C
ci-openbsd-main       2020/01/04 21:16  openbsd  8761fbd57358  68256974   .config  log  report
ci-openbsd-main       2020/01/04 19:31  openbsd  8761fbd57358  68256974   .config  log  report
ci-openbsd-multicore  2020/01/04 17:11  openbsd  8761fbd57358  68256974   .config  log  report
ci-openbsd-multicore  2020/01/04 13:13  openbsd  8761fbd57358  68256974   .config  log  report
ci-openbsd-multicore  2020/01/04 08:42  openbsd  8761fbd57358  68256974   .config  log  report
ci-openbsd-main       2020/01/04 08:35  openbsd  8761fbd57358  68256974   .config  log  report
ci-openbsd-main       2020/01/04 02:30  openbsd  7945b8879d45  76d86b16   .config  log  report
ci-openbsd-main       2020/01/03 22:23  openbsd  7945b8879d45  76d86b16   .config  log  report
ci-openbsd-main       2020/01/03 15:57  openbsd  e22fe1b6b6d2  9dcc1191   .config  log  report
ci-openbsd-main       2020/01/03 12:13  openbsd  e22fe1b6b6d2  9dcc1191   .config  log  report
ci-openbsd-main       2020/01/03 09:22  openbsd  e22fe1b6b6d2  9dcc1191   .config  log  report
ci-openbsd-main       2020/01/02 09:55  openbsd  ae88e52d437c  25a0186e   .config  log  report
ci-openbsd-main       2020/01/02 08:31  openbsd  ae88e52d437c  25a0186e   .config  log  report
ci-openbsd-main       2020/01/01 20:48  openbsd  ad460bdde645  25a0186e   .config  log  report
ci-openbsd-main       2020/01/01 19:06  openbsd  ad460bdde645  25a0186e   .config  log  report
ci-openbsd-main       2019/12/31 09:03  openbsd  44bcf650e904  7f117e28   .config  log  report