Date:      Sun, 15 Jan 2006 19:44:38 -0500
From:      Kris Kennaway <kris@obsecurity.org>
To:        net@FreeBSD.org
Subject:   Changing time causes ipv6 panics
Message-ID:  <20060116004438.GA27901@xor.obsecurity.org>



I ran ntpdate on an amd64 system with ipv6 enabled and a skewed clock
(ntpdate stepped it back by about an hour), and immediately got a
use-after-free panic in ifaddr.  When I rebooted with memguard enabled
on this malloc type and retried, I got this panic upon changing the
date forward, then back, then forward again (also note the garbage
return data from ntpdate):

# date 200606011200
Thu Jun  1 12:00:00 UTC 2006
# ntpdate ntp.apple.com
16 Jan 00:40:18 ntpdate[612]: step time server 17.254.0.28 offset -~9000pm6}9426375508.195959 sec
# date 200606011200
Thu Jun  1 12:00:00 UTC 2006

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0xffffffff91bd2198
fault code              = supervisor write, protection violation
instruction pointer     = 0x8:0xffffffff80321346
stack pointer           = 0x10:0xffffffffbcfa1b60
frame pointer           = 0x10:0xffffffffbcfa1b90
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 14 (swi4: clock sio)
[thread pid 14 tid 100010 ]
Stopped at      nd6_timer+0x106:        movl    %eax,0x198(%rbx)
db> wh
Tracing pid 14 tid 100010 td 0xffffff03e15d6c30
nd6_timer() at nd6_timer+0x106
softclock() at softclock+0x279
ithread_execute_handlers() at ithread_execute_handlers+0x12f
ithread_loop() at ithread_loop+0x99
fork_exit() at fork_exit+0xdf
fork_trampoline() at fork_trampoline+0xe
--- trap 0, rip = 0, rsp = 0xffffffffbcfa1d40, rbp = 0 ---

Unfortunately I can't dump on this system, but:

(kgdb) list *(nd6_timer+0x106)
0xffffffff80321346 is in nd6_timer (../../../netinet6/nd6.c:585).
580                                     goto addrloop; /* XXX: see below */
581                     }
582                     if (IFA6_IS_DEPRECATED(ia6)) {
583                             int oldflags = ia6->ia6_flags;
584
585                             ia6->ia6_flags |= IN6_IFF_DEPRECATED;
586
587                             /*
588                              * If a temporary address has just become deprecated,
589                              * regenerate a new one if possible.

Kris
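An added illustration, not code from the report or from FreeBSD's nd6.c: a small model of the timer pass shown in the kgdb listing, walking a list of addresses, marking those past their preferred lifetime as deprecated and unlinking those past their valid lifetime. The list layout, the lifetime fields and the use of a monotonic uptime value are assumptions of the model; the point is that the successor pointer is read before an entry can be freed, and that stepping the wall clock leaves the expiry decisions unchanged.

```c
#include <stdint.h>
#include <stdlib.h>
/* Constructed model of an address entry; not the kernel's struct in6_ifaddr. */
struct ia6 {
    struct ia6 *next;
    uint64_t pltime_expire;  /* end of preferred lifetime, uptime seconds */
    uint64_t vltime_expire;  /* end of valid lifetime, uptime seconds */
    int deprecated;
};
struct timer_stats { int purged; int deprecated; int remaining; };

/* One timer pass. The successor is read before an entry can be freed, so
 * the walk never touches freed memory, and expiry is judged against a
 * monotonic uptime that a wall-clock step (ntpdate, date) does not move. */
static struct timer_stats nd6_timer_model(struct ia6 **head, uint64_t uptime)
{
    struct timer_stats st = {0, 0, 0};
    struct ia6 **pp = head;
    while (*pp != NULL) {
        struct ia6 *ia6 = *pp;
        if (uptime >= ia6->vltime_expire) {
            *pp = ia6->next;          /* unlink, then free; pp now names the successor */
            free(ia6);
            st.purged++;
            continue;
        }
        if (uptime >= ia6->pltime_expire && !ia6->deprecated) {
            ia6->deprecated = 1;      /* the flag write that faulted in the report */
            st.deprecated++;
        }
        st.remaining++;
        pp = &ia6->next;
    }
    return st;
}

/* Constructed three-entry list: one already invalid, one past its preferred
 * lifetime, one fresh. */
static struct ia6 *make_sample_list(void)
{
    uint64_t pl[3] = {10, 50, 500}, vl[3] = {20, 900, 900};
    struct ia6 *head = NULL;
    for (int i = 2; i >= 0; i--) {
        struct ia6 *n = calloc(1, sizeof *n);
        if (n == NULL) abort();
        n->pltime_expire = pl[i]; n->vltime_expire = vl[i]; n->next = head;
        head = n;
    }
    return head;
}
```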


