From owner-freebsd-security Mon Sep 18 13:15:41 2000
Delivered-To: freebsd-security@freebsd.org
Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20]) by hub.freebsd.org (Postfix) with ESMTP id 917D537B422 for ; Mon, 18 Sep 2000 13:15:37 -0700 (PDT)
Received: (from bright@localhost) by fw.wintelcom.net (8.10.0/8.10.0) id e8IKFI629749; Mon, 18 Sep 2000 13:15:18 -0700 (PDT)
Date: Mon, 18 Sep 2000 13:15:17 -0700
From: Alfred Perlstein
To: Fred Souza
Cc: Bosko Milekic , security@FreeBSD.ORG
Subject: Re: Panic when receiving packets with invalid versions
Message-ID: <20000918131517.I15156@fw.wintelcom.net>
References: <20000918115643.A470@torment.secfreak.com> <20000918171214.A269@torment.secfreak.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.4i
In-Reply-To: <20000918171214.A269@torment.secfreak.com>; from cseg@kronus.com.br on Mon, Sep 18, 2000 at 05:12:14PM -0300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

* Fred Souza [000918 13:09] wrote:
> > Can you please send a complete traceback, as well as other (more
> > useful) debugging information? -- See the Handbook for more information.
> > Looks like a NULL pointer dereference.
>
> Hi. Thank you for the time, in advance. I've read the Handbook as you
> told me to, followed its steps (I ended up having to rebuild the kernel)
> and generated the dump files, but I don't have enough knowledge to do
> much from it.
>
> I just did exactly as it looked in the Handbook, and it's almost the
> same I posted before. Anyways, here goes what I got from it.
>
> -----
> torment:ttyp1:/usr/src/sys/compile/TORMENT# gdb -k kernel.debug /var/crash/vmcore.0
> GNU gdb 4.18
> Copyright 1998 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for details.
> This GDB was configured as "i386-unknown-freebsd"...
> IdlePTD 3293184
> initial pcb at 2aa060
> panicstr: page fault
> panic messages:
> ---
> Fatal trap 12: page fault while in kernel mode
> fault virtual address = 0x0
> fault code = supervisor read, page not present
> instruction pointer = 0x8:0xc0190b43
> stack pointer = 0x10:0xc644dcc0
> frame pointer = 0x10:0xc644dcec
> code segment = base 0x0, limit 0xfffff, type 0x1b
> = DPL 0, pres 1, def32 1, gran 1
> processor eflags = interrupt enabled, resume, IOPL = 0
> current process = 246 (isic)
> interrupt mask =
> trap number = 12
> panic: page fault
>
> syncing disks... 27 27 13 2
> done
> Uptime: 2m39s
>
> dumping to dev #ad/0x40001, offset 139264
> dump ata0: resetting devices .. done
> 60 59 58 57 56 55 54 53 52 51 50 49 48 47 46 45 44 43 42 41 40 39 38 37 36 35 34 33 32 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1
> ---
> #0 0xc0133214 in boot ()
> (kgdb) where
> #0 0xc0133214 in boot ()
> #1 0xc0133598 in poweroff_wait ()
> #2 0xc0236e0d in trap_fatal ()
> #3 0xc0236ae5 in trap_pfault ()
> #4 0xc023669f in trap ()
> #5 0xc0190b43 in ip_natout ()
> #6 0xc018e012 in fr_check ()
> #7 0xc0183fd4 in ip_output ()
> #8 0xc018590b in rip_output ()
> #9 0xc0185d4f in rip_send ()
> #10 0xc014f44b in sosend ()
> #11 0xc0152a19 in sendit ()
> #12 0xc0152b0d in sendto ()
> #13 0xc02370b9 in syscall2 ()
> #14 0xc02294b5 in Xint0x80_syscall ()
> #15 0x8049235 in ?? ()
> #16 0x8048ad1 in ?? ()
> (kgdb) up 10
> #10 0xc014f44b in sosend ()
> (kgdb) up
> #11 0xc0152a19 in sendit ()
> (kgdb) up
> #12 0xc0152b0d in sendto ()
> (kgdb) up
> #13 0xc02370b9 in syscall2 ()
> (kgdb) up
> #14 0xc02294b5 in Xint0x80_syscall ()
> (kgdb) up
> #15 0x8049235 in ?? ()
> (kgdb) up
> #16 0x8048ad1 in ?? ()
> (kgdb) up
> Initial frame selected; you cannot go up.
> (kgdb) list
> 1 /*-
> 2 * Copyright (c) 2000 FreeBSD Inc.
> 3 * All rights reserved.
> 4 *
> 5 * Redistribution and use in source and binary forms, with or without
> 6 * modification, are permitted provided that the following conditions
> 7 * are met:
> 8 * 1. Redistributions of source code must retain the above copyright
> 9 * notice, this list of conditions and the following disclaimer.
> 10 * 2. Redistributions in binary form must reproduce the above copyright
> (kgdb) quit
> torment:ttyp1:/usr/src/sys/compile/TORMENT# exit
> exit
> -----
>
> Is it helpful by any chance? If anybody knows what I should be looking for
> exactly, please tell me and I'll look for it.

So close! :)

You don't want to do 'up 10'; you want to go 'up' until you hit the frame
above 'trap', which is 'ip_natout'. That's where you want to do your 'list'
and 'print' of some of the variables that appear.

You may also want to print out several variables by prefixing * to them to
get the structure contents.

This looks like it may be a bug in ipfilter.

-Alfred
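The frame-walking step Alfred describes, as an added example that is not part of the original thread: a POSIX sh helper that finds the frame directly above trap() in a kgdb "where" listing and writes out the commands to inspect that frame. The backtrace text is copied from Fred's post; the gdb -batch/-x invocation and the output path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): pick the kernel frame that actually
# faulted (the one directly above trap()) out of a kgdb "where" listing and
# emit the kgdb commands that list its source and print its locals.

# Backtrace constructed from the one posted in the thread.
BT='#0  0xc0133214 in boot ()
#1  0xc0133598 in poweroff_wait ()
#2  0xc0236e0d in trap_fatal ()
#3  0xc0236ae5 in trap_pfault ()
#4  0xc023669f in trap ()
#5  0xc0190b43 in ip_natout ()
#6  0xc018e012 in fr_check ()
#7  0xc0183fd4 in ip_output ()'

# Read a backtrace on stdin and print the number of the frame that follows
# "in trap ()". The space before "(" keeps trap_fatal/trap_pfault from
# matching; those are the trap handler, not the code that faulted.
frame_above_trap() {
    awk '/^#[0-9]+ .* in trap \(\)/ { found = 1; next }
         found { sub(/^#/, ""); print $1; exit }'
}

# Emit a kgdb command file for frame $1: select it, show the surrounding
# source, and dump its locals (the "list" and "print" step from the reply).
# Struct pointers among the locals can then be examined with "print *var".
kgdb_commands() {
    printf 'frame %s\nlist\ninfo locals\nquit\n' "$1"
}

n=$(printf '%s\n' "$BT" | frame_above_trap)
echo "faulting frame: #$n"
kgdb_commands "$n" > "${TMPDIR:-/tmp}/inspect.gdb"   # assumed output path
# Then, on the crashed machine (paths as in the thread):
#   gdb -k -batch -x /tmp/inspect.gdb kernel.debug /var/crash/vmcore.0
```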