From owner-freebsd-bugs Wed Feb 16 15:30:44 2000
Date: Wed, 16 Feb 2000 15:30:06 -0800 (PST)
Message-Id: <200002162330.PAA96866@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Bjoern Groenvall
Subject: Re: kern/16568: How to crash FreeBSD 4.4
Reply-To: Bjoern Groenvall
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The following reply was made to PR kern/16568; it has been noted by GNATS.

From: Bjoern Groenvall
To: Sheldon Hearn
Cc: FreeBSD-gnats-submit@FreeBSD.ORG, tege@swox.se
Subject: Re: kern/16568: How to crash FreeBSD 4.4
Date: 16 Feb 2000 14:50:44 +0100

Hi Sheldon,

First off I would like to apologize for the "FreeBSD 4.4" typo; this is about *3.4*. I'm sorry about that!

Sheldon Hearn writes:

> On Mon, 07 Feb 2000 20:07:43 +0100, Bjoern Groenvall wrote:
>
> > Compile and run the following program. If you don't get a panic on the
> > first try, Ctrl-C and rerun.
>
> It looks like an obfuscated fork-bomb, which is nothing new and can be
> controlled with the maxproc capability in login.conf(5).

Please note that there is a wait(0) under case 0: it's not a fork bomb. The problem seems to be related to trashing the struct filedesc and only happens when it is large. I.e., have at least one large-numbered file descriptor.
> Could you please try this in a session for which "max user processes"
> (as reported by ulimit -a) is limited to some sane number and provide
> feedback?

Now limited with ulimit -u 50 as per the example below. Note that it took three tries before it panicked.

Script started on Wed Feb 16 14:32:51 2000
mummel$ telnet pao
Trying 193.10.66.61...
Connected to pao.sics.se.
Escape character is '^]'.
[ Trying mutual KERBEROS4 ... ]
[ Kerberos V4 accepts you ]
[ Kerberos V4 challenge successful ]
pao$ ulimit -u 50
pao$ a.out
fd = 4126
...........................................................
pao$ a.out
fd = 4126
...........................................................
pao$ a.out
fd = 4126
.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
................................................................................................................................................................................................................................................................................................................................................................Connection closed by foreign host.
mummel$ exit
exit

script done on Wed Feb 16 14:36:06 2000

bash# gdb -k kernel.6 vmcore.6
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.
Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
(no debugging symbols found)...
IdlePTD 2977792
initial pcb at 2646a4
panicstr: page fault
panic messages:
---
Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x181b0
fault code              = supervisor write, page not present
instruction pointer     = 0x8:0xc014a31f
stack pointer           = 0x10:0xc7260f08
frame pointer           = 0x10:0xc7260f2c
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 14828 (a.out)
interrupt mask          =
trap number             = 12
panic: page fault

syncing disks... 26 25 20 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 giving up
dumping to dev 40401, offset 316196
dump 128 127 126 125 124 123 122 121 120 119 118 117 116 115 114 113 112 111 110 109 108 107 106 105 104 103 102 101 100 99 98 97 96 95 94 93 92 91 90 89 88 87 86 85 84 83 82 81 80 79 78 77 76 75 74 73 72 71 70 69 68 67 66 65 64 63 62 61 60 59 58 57 56 55 54 53 52 51 50 49 48 47 46 45 44 43 42 41 40 39 38 37 36 35 34 33 32 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1
---
#0  0xc01514ff in boot ()
(kgdb) bt
#0  0xc01514ff in boot ()
#1  0xc0151784 in at_shutdown ()
#2  0xc0216aa5 in trap_fatal ()
#3  0xc0216783 in trap_pfault ()
#4  0xc0216426 in trap ()
#5  0xc014a31f in fdcopy ()
#6  0xc014c5f7 in fork1 ()
#7  0xc014c0b7 in vfork ()
#8  0xc0216ce7 in syscall ()
#9  0xc020a40c in Xint0x80_syscall ()
#10 0x8048509 in ?? ()
(kgdb)

Note that maxusers is set to 128; as a side effect of this, large struct filedesc are enabled.

#
# $Id: PAO,v 1.1 1999/12/22 11:15:51 root Exp $

machine         "i386"
cpu             "I686_CPU"
ident           PAO
maxusers        128

options         MATH_EMULATE            #Support for x87 emulation
options         INET                    #InterNETworking
options         FFS                     #Berkeley Fast Filesystem
options         FFS_ROOT                #FFS usable as root device [keep this!]
options         SOFTUPDATES
options         MFS                     #Memory Filesystem
options         NFS                     #Network Filesystem
options         "COMPAT_43"             #Compatible with BSD 4.3 [KEEP THIS!]
options         SCSI_DELAY=1000         #Be pessimistic about Joe SCSI device
options         UCONSOLE                #Allow users to grab the console
options         FAILSAFE                #Be conservative
options         USERCONFIG              #boot -c editor
options         VISUAL_USERCONFIG       #visual boot -c editor

# This allows you to actually store this configuration file into
# the kernel binary itself, where it may be later read by saying:
#    strings -aout -n 3 /kernel | grep ^___ | sed -e 's/^___//' > MYKERNEL
#
options         INCLUDE_CONFIG_FILE     # Include this file in kernel

config          kernel  root on da0s1a

controller      isa0
controller      eisa0
controller      pci0

controller      fdc0    at isa? port "IO_FD1" bio irq 6 drq 2
disk            fd0     at fdc0 drive 0
disk            fd1     at fdc0 drive 1

options         ATAPI           #Enable ATAPI support for IDE bus
options         ATAPI_STATIC    #Don't do it as an LKM
device          acd0            #IDE CD-ROM
device          wfd0            #IDE Floppy (e.g. LS-120)

# A single entry for any of these controllers (ncr, ahb, ahc) is
# sufficient for any number of installed devices.
controller      ncr0
controller      ahb0
controller      ahc0
controller      isp0

# This controller offers a number of configuration options, too many to
# document here - see the LINT file in this directory and look up the
# dpt0 entry there for much fuller documentation on this.
controller      dpt0
controller      adw0

controller      scbus0
device          da0
device          sa0
device          pass0
device          cd0     #Only need one of these, the code dynamically grows

# atkbdc0 controls both the keyboard and the PS/2 mouse
controller      atkbdc0 at isa? port IO_KBD tty
device          atkbd0  at isa? tty irq 1
device          psm0    at isa? tty irq 12

device          vga0    at isa? port ? conflicts

# splash screen/screen saver
pseudo-device   splash

# syscons is the default console driver, resembling an SCO console
device          sc0     at isa? tty
# Enable this and PCVT_FREEBSD for pcvt vt220 compatible console driver
#device         vt0     at isa? tty
#options        XSERVER         # support for X server
#options        FAT_CURSOR      # start with block cursor
# If you have a ThinkPAD, uncomment this along with the rest of the PCVT lines
#options        PCVT_SCANSET=2  # IBM keyboards are non-std

device          npx0    at isa? port IO_NPX irq 13

device          sio0    at isa? port "IO_COM1" flags 0x10 tty irq 4
device          sio1    at isa? port "IO_COM2" tty irq 3
device          sio2    at isa? disable port "IO_COM3" tty irq 5
device          sio3    at isa? disable port "IO_COM4" tty irq 9

# Parallel port
device          ppc0    at isa? port? net irq 7
controller      ppbus0
device          nlpt0   at ppbus?
device          plip0   at ppbus?
device          ppi0    at ppbus?
#controller     vpo0    at ppbus?

# Order is important here due to intrusive probes, do *not* alphabetize
# this list of network interfaces until the probes have been fixed.
# Right now it appears that the ie0 must be probed before ep0. See
# revision 1.20 of this file.
device          fxp0

pseudo-device   loop
pseudo-device   ether
pseudo-device   sl      4
pseudo-device   ppp     4
pseudo-device   tun     4
pseudo-device   pty     16
pseudo-device   gzip            # Exec gzipped a.out's

# KTRACE enables the system-call tracing facility ktrace(2).
# This adds 4 KB bloat to your kernel, and slightly increases
# the costs of each syscall.
options         KTRACE          #kernel tracing

# This provides support for System V shared memory and message queues.
#
options         SYSVSHM
options         SYSVMSG
options         SYSVSEM

# The `bpfilter' pseudo-device enables the Berkeley Packet Filter. Be
# aware of the legal and administrative consequences of enabling this
# option. The number of devices determines the maximum number of
# simultaneous BPF clients programs runnable.
pseudo-device   bpfilter        8       #Berkeley packet filter

Cheers,
        Björn

--
  _     _                                          ,_______________.
Bjorn Gronvall (Björn Grönvall)                   /_______________/|
Swedish Institute of Computer Science             |               ||
PO Box 1263, S-164 29 Kista, Sweden               | Schroedingers ||
Email: bg@sics.se, Phone +46 -8 633 15 25         |      Cat      |/
Cellular +46 -70 768 06 35, Fax +46 -8 751 72 30  `---------------'
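As an added triage example (not part of the PR or of the reply above): a small script that parses the "Fatal trap" frame and the kgdb "bt" output quoted in this mail and recovers which kernel function faulted and the syscall path that led there, which is the first thing to establish when deciding whether a crash like this is a resource-limit issue or a kernel bug. The sample text is copied from the mail; the field and frame formats assumed are those of the FreeBSD 3.x trap message and gdb -k output shown above.

```python
import re

# Trap frame and kgdb backtrace from the crashed FreeBSD 3.4 kernel in this PR
# (copied from the mail above and embedded here as sample input).
PANIC_TEXT = """\
Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x181b0
fault code              = supervisor write, page not present
instruction pointer     = 0x8:0xc014a31f
current process         = 14828 (a.out)
"""
BACKTRACE_TEXT = """\
#0 0xc01514ff in boot ()
#1 0xc0151784 in at_shutdown ()
#2 0xc0216aa5 in trap_fatal ()
#3 0xc0216783 in trap_pfault ()
#4 0xc0216426 in trap ()
#5 0xc014a31f in fdcopy ()
#6 0xc014c5f7 in fork1 ()
#7 0xc014c0b7 in vfork ()
#8 0xc0216ce7 in syscall ()
#9 0xc020a40c in Xint0x80_syscall ()
#10 0x8048509 in ?? ()
"""

def parse_trap_frame(text):
    """Return the 'key = value' fields of a 'Fatal trap' message as a dict."""
    fields = {"trap": int(re.search(r"Fatal trap (\d+):", text).group(1))}
    for key, value in re.findall(r"^([a-z ]+?)\s*=\s*(.*)$", text, re.M):
        fields[key.strip()] = value.strip()
    return fields

def parse_backtrace(text):
    """Return [(frame_no, address, function)] from kgdb 'bt' output."""
    return [(int(n), int(a, 16), f) for n, a, f in
            re.findall(r"^#(\d+)\s+(0x[0-9a-f]+) in (\S+) \(\)", text, re.M)]

def faulting_frame(frames, fields):
    """Frame whose address equals the trap's instruction pointer (seg:off)."""
    ip = int(fields["instruction pointer"].split(":")[1], 16)
    return next(f for f in frames if f[1] == ip)

def triage(panic_text=PANIC_TEXT, bt_text=BACKTRACE_TEXT):
    """Trap type, fault address, process and the kernel call path from the
    syscall entry down to the faulting function (trap-handler frames dropped)."""
    fields, frames = parse_trap_frame(panic_text), parse_backtrace(bt_text)
    fault = faulting_frame(frames, fields)
    path = [f[2] for f in frames  # frames below the fault, kernel side only
            if f[0] >= fault[0] and f[2] not in ("Xint0x80_syscall", "??")]
    return {"trap": fields["trap"], "fault_address": fields["fault virtual address"],
            "fault_code": fields["fault code"], "process": fields["current process"],
            "faulting_function": fault[2], "call_path": path[::-1]}
```

Run triage() against the panic and backtrace text pasted from a crash dump; for this PR it reports the write fault inside fdcopy() reached via syscall -> vfork -> fork1, i.e. in the file-descriptor table copy rather than anywhere a process-count limit would apply.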