From bwb@holo.org  Sun Sep 12 19:06:28 2004
Return-Path: <bwb@holo.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id DB67916A4CE
	for <freebsd-gnats-submit@freebsd.org>; Sun, 12 Sep 2004 19:06:28 +0000 (GMT)
Received: from thought.holo.org (h-68-166-32-19.snvacaid.covad.net [68.166.32.19])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 7128843D3F
	for <freebsd-gnats-submit@freebsd.org>; Sun, 12 Sep 2004 19:06:28 +0000 (GMT)
	(envelope-from bwb@holo.org)
Received: from localhost (localhost [127.0.0.1])
	by thought.holo.org (8.13.1/8.13.1) with ESMTP id i8CJ6RZg001048
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
	for <freebsd-gnats-submit@freebsd.org>; Sun, 12 Sep 2004 12:06:28 -0700 (PDT)
	(envelope-from bwb@holo.org)
Message-Id: <20040912112934.W620@thought.holo.org>
Date: Sun, 12 Sep 2004 12:06:27 -0700 (PDT)
From: Brian Buchanan <bwb@holo.org>
To: freebsd-gnats-submit@freebsd.org
Subject: MAC Biba / IPFW panic

>Number:         71677
>Category:       kern
>Synopsis:       [mac] [patch] MAC Biba / IPFW panic
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    csjp
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Sep 12 19:10:11 GMT 2004
>Closed-Date:    Mon Jan 29 12:50:04 GMT 2007
>Last-Modified:  Mon Jan 29 12:50:04 GMT 2007
>Originator:     Brian Buchanan
>Release:        FreeBSD 5.3-BETA2 i386
>Organization:
>Environment:
System: FreeBSD thought.holo.org 5.3-BETA2 FreeBSD 5.3-BETA2 #2: Sat Sep 11 19:21:14 PDT 2004 root@thought.holo.org:/usr/src/sys/i386/compile/THOUGHT i386

>Description:
When the Biba MAC policy is loaded and IPFW is configured to send a RST in
response to certain TCP packets, the system will panic when it receives
a packet that triggers such an IPFW rule.


panic: mac_biba_dominate_element: a->mbe_type invalid
KDB: enter: panic
[thread 100038]
Stopped at      kdb_enter+0x30: leave
db> tr
kdb_enter(c06d2398,c0729be0,c08a2bb4,d542c930,0) at kdb_enter+0x30
panic(c08a2bb4,c1f771c4,0,c197be70,d542c958) at panic+0xcc
mac_biba_dominate_element(c1f771c4,c197be98,c08a3580,0,c1a63800) at mac_biba_dominate_element+0x12d
mac_biba_effective_in_range(c1f771c0,c197be70,d542c994,c0607fdd,c1a63800) at mac_biba_effective_in_range+0x3f
mac_biba_check_ifnet_transmit(c1a63800,c197a604,c1c80600,c1e18550,0) at mac_biba_check_ifnet_transmit+0x34
mac_check_ifnet_transmit(c1a63800,c1c80600,0,0,0) at mac_check_ifnet_transmit+0xad
ether_output(c1a63800,c1c80600,c1b9d990,c1e199cc,c1e18540) at ether_output+0x32
ip_output(c1c80600,0,d542ca2c,0,0) at ip_output+0x9c0
send_pkt(d542cc0c,78f13960,0,6,3c2) at send_pkt+0x19a
send_reject(d542cbf4,100,0,30,1) at send_reject+0xb1
ipfw_chk(d542cbf4,0,f,0,c1dcae00) at ipfw_chk+0x12e3
ipfw_check_in(0,d542cc48,c1a63800,1,0) at ipfw_check_in+0x88
pfil_run_hooks(c0730ea0,d542cc90,c1a63800,1,20a000a) at pfil_run_hooks+0xf7
ip_input(c1dcae00,c19cb6e0,0,d0cf11b1,dad35cd4) at ip_input+0x24e
netisr_processqueue(c072eb78,2f5,532c9cdd,d971c9c8,0) at netisr_processqueue+0xc9
swi_net(0,0,0,0,0) at swi_net+0xca
ithread_loop(c19e4280,d542cd48,0,0,0) at ithread_loop+0x1a8
fork_exit(c04b1ef0,c19e4280,d542cd48) at fork_exit+0x80
fork_trampoline() at fork_trampoline+0x8
--- trap 0x1, eip = 0, esp = 0xd542cd7c, ebp = 0 ---

>How-To-Repeat:

Compile "options MAC" into the kernel.
Set mac_biba_load="YES" in loader.conf and reboot the system.
Configure the MAC label on an Ethernet interface to "biba/equal(equal-equal)".
Create an IPFW rule with the "reset" action to be invoked for packets
destined to some TCP port.
From a remote machine, send a packet to the TCP port configured above.

>Fix:

The fix is probably to create MAC labels for packets sent by IPFW.  In the 
case of reset packets this looks easy enough, but I'm not sure what to do 
about the keepalive packets sent in ipfw_tick().  Perhaps the 
ipfw_dyn_rule needs a label?
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->rwatson 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sun Sep 12 20:00:04 GMT 2004 
Responsible-Changed-Why:  
Over to the logical candidate. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=71677 
Responsible-Changed-From-To: rwatson->csjp 
Responsible-Changed-By: csjp 
Responsible-Changed-When: Mon Jan 29 12:48:17 UTC 2007 
Responsible-Changed-Why:  
I've been doing work here already, I will take this one off 
Robert's plate 

http://www.freebsd.org/cgi/query-pr.cgi?pr=71677 
State-Changed-From-To: open->patched 
State-Changed-By: csjp 
State-Changed-When: Mon Jan 29 12:48:54 UTC 2007 
State-Changed-Why:  
This has been fixed in -CURRENT 

http://www.freebsd.org/cgi/query-pr.cgi?pr=71677 
State-Changed-From-To: patched->closed 
State-Changed-By: csjp 
State-Changed-When: Mon Jan 29 12:49:31 UTC 2007 
State-Changed-Why:  
Actually, this has been MFCed and should no longer be a problem 
on RELENG_6 

http://www.freebsd.org/cgi/query-pr.cgi?pr=71677 
>Unformatted:
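Added illustration, not code from this PR or from the FreeBSD kernel: a user-space C model of the Biba dominance check named in the panic string. The element type values follow sys/security/mac_biba/mac_biba.h, and the dominance logic mirrors the kernel's switch structure but returns an error code where the kernel panics; the interface and packet labels are constructed scenarios. In the backtrace the interface carries biba/equal(equal-equal), whose high range element satisfies the first dominance call at once, so the element whose type is rejected is the packet's own effective label, which is consistent with the reporter's reading that packets generated by IPFW go out unlabeled. The model shows that an all-zero (undefined) label trips the invalid-type path, and that giving the packet a label before the transmit check, as the Fix section suggests, does not.

```c
/*
 * User-space model of mac_biba_dominate_element()/mac_biba_effective_in_range()
 * (added example, not kernel code).  Type constants as in mac_biba.h; the
 * BIBA_INVALID return stands in for the kernel's panic.
 */
#include <stdint.h>
#include <string.h>

#define MAC_BIBA_TYPE_UNDEF 0
#define MAC_BIBA_TYPE_GRADE 1
#define MAC_BIBA_TYPE_LOW   2
#define MAC_BIBA_TYPE_HIGH  3
#define MAC_BIBA_TYPE_EQUAL 4

struct biba_element { uint16_t type; uint16_t grade; };

/* Effective element plus a range; an mbuf uses only 'effective'. */
struct biba_label {
    struct biba_element effective, rangelow, rangehigh;
};

enum { BIBA_NO = 0, BIBA_YES = 1, BIBA_INVALID = -1 };

/* Does a dominate b?  Any undefined type on the 'a' side is the panic path. */
static int
biba_dominate_element(const struct biba_element *a, const struct biba_element *b)
{
    switch (a->type) {
    case MAC_BIBA_TYPE_EQUAL:
        return BIBA_YES;
    case MAC_BIBA_TYPE_HIGH:
        switch (b->type) {
        case MAC_BIBA_TYPE_EQUAL: case MAC_BIBA_TYPE_HIGH:
        case MAC_BIBA_TYPE_LOW:   case MAC_BIBA_TYPE_GRADE: return BIBA_YES;
        default: return BIBA_INVALID;
        }
    case MAC_BIBA_TYPE_LOW:
        switch (b->type) {
        case MAC_BIBA_TYPE_EQUAL: case MAC_BIBA_TYPE_LOW:   return BIBA_YES;
        case MAC_BIBA_TYPE_HIGH:  case MAC_BIBA_TYPE_GRADE: return BIBA_NO;
        default: return BIBA_INVALID;
        }
    case MAC_BIBA_TYPE_GRADE:
        switch (b->type) {
        case MAC_BIBA_TYPE_EQUAL: case MAC_BIBA_TYPE_LOW: return BIBA_YES;
        case MAC_BIBA_TYPE_HIGH:  return BIBA_NO;
        case MAC_BIBA_TYPE_GRADE: return a->grade >= b->grade ? BIBA_YES : BIBA_NO;
        default: return BIBA_INVALID;
        }
    default:
        /* kernel: panic("mac_biba_dominate_element: a->mbe_type invalid") */
        return BIBA_INVALID;
    }
}

/* Same two calls as the kernel: rangehigh >= effective, effective >= rangelow. */
static int
biba_effective_in_range(const struct biba_label *eff, const struct biba_label *range)
{
    int r = biba_dominate_element(&range->rangehigh, &eff->effective);
    if (r != BIBA_YES)
        return r;
    return biba_dominate_element(&eff->effective, &range->rangelow);
}

/* Interface label biba/equal(equal-equal), as in the How-To-Repeat. */
static void
ifnet_label_equal(struct biba_label *l)
{
    memset(l, 0, sizeof(*l));
    l->effective.type = l->rangelow.type = l->rangehigh.type = MAC_BIBA_TYPE_EQUAL;
}

/* Scenario 1: mbuf label storage never initialised -> type UNDEF -> invalid. */
int
check_unlabeled_packet(void)
{
    struct biba_label ifl, pkt;
    ifnet_label_equal(&ifl);
    memset(&pkt, 0, sizeof(pkt));
    return biba_effective_in_range(&pkt, &ifl);
}

/* Scenario 2: label the packet from the interface before the transmit check. */
int
check_labeled_packet(void)
{
    struct biba_label ifl, pkt;
    ifnet_label_equal(&ifl);
    pkt = ifl;
    return biba_effective_in_range(&pkt, &ifl);
}

/* Scenario 3 (constructed): interface range grades 5..15, packet at 'grade'. */
int
check_graded_packet(uint16_t grade)
{
    struct biba_label ifl = { {MAC_BIBA_TYPE_GRADE, 10},
                              {MAC_BIBA_TYPE_GRADE, 5},
                              {MAC_BIBA_TYPE_GRADE, 15} };
    struct biba_label pkt = { {MAC_BIBA_TYPE_GRADE, grade}, {0, 0}, {0, 0} };
    return biba_effective_in_range(&pkt, &ifl);
}
```

The model returns BIBA_INVALID where the kernel panics; in the kernel an undefined element type can only arise from label storage that was allocated but never initialised, which is why the practical fix is to label every mbuf a subsystem originates (the reset packets here, and the keepalives the reporter mentions) rather than to soften the dominance check.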
