-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-EN-20:04.pfctl                                          Errata Notice
                                                          The FreeBSD Project

Topic:          Missing pfctl(8) tunable

Category:       core
Module:         pfctl(8)
Announced:      2020-03-19
Credits:        Rubicon Communications, LLC (netgate.com)
Affects:        FreeBSD 11.3-RELEASE
Corrected:      2020-02-12 14:50:13 UTC (stable/11, 11.3-STABLE)
                2020-03-19 16:35:15 UTC (releng/11.3, 11.3-RELEASE-p7)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.

I.   Background

Packet filtering takes place in the kernel.  A pseudo-device, /dev/pf, allows
userland processes to control the behavior of the packet filter through an
ioctl(2) interface.  Commands include enabling and disabling the filter,
loading rulesets, adding and removing individual rules or state table entries,
and retrieving statistics.  The most commonly used functions are covered by
the pfctl(8) utility.

II.  Problem Description

pf(4) ioctls frequently take a variable number of elements as argument.
This can potentially allow users to request very large allocations.

A failing non-blocking pf(4) allocation can tie up resources, causing concurrent
blocking allocations to enter vm_wait() and inducing reclamation of caches.

III. Impact

The kernel rejects very large tables to avoid resource exhaustion attacks.
Some users run into this limit with legitimate table configurations, and
FreeBSD 11.3 lacks the tunable that would let an administrator raise it.

IV.  Workaround

No workaround is available; however, systems that do not employ pf(4), or
whose pf(4) table definitions do not exceed 65535 entries, are unaffected.

V.   Solution

Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date, and reboot.

Perform one of the following:

1) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for an errata update"

2) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.3]
# fetch https://security.FreeBSD.org/patches/EN-20:04/pfctl.patch
# fetch https://security.FreeBSD.org/patches/EN-20:04/pfctl.patch.asc
# gpg --verify pfctl.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
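
The two checks below are an added example and are not part of this notice or
of the FreeBSD source tree.  The first counts the entries of a pf(4) table file
(the kind referenced with "persist file" in pf.conf) so that tables over the
65535-entry limit named in Section IV can be found before a ruleset reload; the
second decides from a freebsd-version(1) string whether a system is still on an
11.3-RELEASE patch level older than p7, the level at which this notice is
corrected.  The function names, the tmp file and the sample table contents are
constructed for the example; the file format assumed (addresses on their own
lines, '#' comments, blank lines) follows pf.conf(5), and the counter treats
whitespace-separated tokens as entries, which is an assumption, not something
the notice states.

```sh
#!/bin/sh
# Added example, not FreeBSD project code.  Helpers for administrators
# handling FreeBSD-EN-20:04.pfctl.
set -eu

# Count address entries in a pf table file, ignoring '#' comments and blank
# lines.  Assumption: whitespace-separated tokens are entries.
pf_table_entries() {
    sed -e 's/#.*$//' "$1" | awk 'NF { n += NF } END { print n + 0 }'
}

# Print the entry count of FILE; return 1 if it exceeds the 65535-entry limit
# named in Section IV, 0 otherwise.
pf_table_check() {
    n=$(pf_table_entries "$1")
    if [ "$n" -gt 65535 ]; then
        echo "$1: $n entries (exceeds 65535)"
        return 1
    fi
    echo "$1: $n entries"
    return 0
}

# Return 0 when VERSION (as printed by "freebsd-version -k", e.g.
# "11.3-RELEASE-p6") names an 11.3-RELEASE patch level below p7, i.e. a
# system that still lacks the correction; 1 otherwise.  STABLE builds carry
# no patch level, so they return 1 here and must be checked against the
# revision listed in Section VI instead.
en2004_applies() {
    case "$1" in
        11.3-RELEASE) return 0 ;;
        11.3-RELEASE-p*)
            p=${1#11.3-RELEASE-p}
            case "$p" in ''|*[!0-9]*) return 1 ;; esac
            [ "$p" -lt 7 ] ;;
        *) return 1 ;;
    esac
}

# Demonstration on constructed data (a four-entry table file).
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample pf table file
192.0.2.1
198.51.100.0/24   # a whole network counts as one entry

203.0.113.7
2001:db8::/32
EOF
    pf_table_check "$tmp" || true
    rm -f "$tmp"
    for v in 11.3-RELEASE-p6 11.3-RELEASE-p7 11.3-STABLE 12.1-RELEASE-p3; do
        if en2004_applies "$v"; then
            echo "$v: 11.3 patch level below p7, EN-20:04 not yet applied"
        else
            echo "$v: not an affected 11.3-RELEASE patch level"
        fi
    done
}

demo
```

The file check only covers tables loaded from files.  For tables populated at
run time, count the live contents on the running system instead, for example
with "pfctl -t <name> -T show | wc -l", and compare the result against the
same 65535-entry limit.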

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/11/                                                        r357822
releng/11.3/                                                      r359135
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-20:04.pfctl.asc>
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zpldfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cL4Aw/9GhPqyMcVMROjoX2xepwOubsM+C9lMCTQtxOOhYLtt9IIt5KTgSefAcyt
DMcqE78R6wgaxf08XAQyD/iN3udhCFT4YRElB1o5XMEhYUcCIsatKcb8hIVJuRD3
Ap2goT7zHlicFxpKuWblg/qenU0A9PgaCjsRaVePHS2nzOW+d9DJSg3yxz6xwGCZ
Nuv03Y2OBVm/KdW4awk50FdzR2L04U0D0ZATh+5yr25aH99dVpUQMmRc+qjRtXzh
4j34Qj8mWteAkD5690zcE1nGwu7lGDFoRjwhiP5RP9Gn3o2Sv5SJwHNwB5W1WQDr
GAormcXgUwuWwd9ijtKfWNmJm7MhZhCjvq9l0tt54e+j4Nmz39/ZijFfa1Ug7XKJ
4yp1ey2ri3W3bGrv2nRHMzY6d3EaQq/96vupt/dWxlufoIHbUvUQ0l8KWNmQ8kK1
dplsoMS6x/AeFjjF4I62Cp429vBbpRDRCJk4mZ6itJ8CWbNXIv2xCj7aKzRcrwpx
kmcblpkFpm7edVkTGjtv/MMhUPXdlskQStOCjSkHoo/cofcAOUovJ8755AvYNkwl
P0e49iOxvFFMA3jZSuxCrQksHq295VwjImEUSJKYyARGdDiPR4q8AdUy+CPyDoLs
zMrzZz5HiNSNdoh4mX3OFIkjtuk/fXR5LQnMBuzHfmfhLtsmHAQ=
=upRR
-----END PGP SIGNATURE-----