Date: Wed, 16 Feb 2000 15:30:06 -0800 (PST)
From: Bjoern Groenvall <bg@sics.se>
To: freebsd-bugs@FreeBSD.org
Subject: Re: kern/16568: How to crash FreeBSD 4.4
Message-ID: <200002162330.PAA96866@freefall.freebsd.org>
The following reply was made to PR kern/16568; it has been noted by GNATS.
From: Bjoern Groenvall <bg@sics.se>
To: Sheldon Hearn <sheldonh@uunet.co.za>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG, tege@swox.se
Subject: Re: kern/16568: How to crash FreeBSD 4.4
Date: 16 Feb 2000 14:50:44 +0100
Hi Sheldon,
First off I would like to apologize for the "FreeBSD 4.4" typo, this
is about *3.4*. I'm sorry about that!
Sheldon Hearn <sheldonh@uunet.co.za> writes:
> On Mon, 07 Feb 2000 20:07:43 +0100, Bjoern Groenvall wrote:
>
> > Compile and run the following program. If you don't get a panic on the
> > first try, Ctrl-C and rerun.
>
> It looks like an obfuscated fork-bomb, which is nothing new and can be
> controlled with the maxproc capability in login.conf(5).
Please note that there is a wait(0) under case 0: it's not a fork
bomb. The problem seems to be related to trashing the struct filedesc
and only happens when it is large, i.e., have at least one
large-numbered file descriptor.
> Could you please try this in a session for which "max user processes"
> (as reported by ulimit -a) is limited to some sane number and provide
> feedback?
Now limited with ulimit -u 50 as per the example below. Note that it took
three tries before it panicked.
Script started on Wed Feb 16 14:32:51 2000
mummel$ telnet pao
Trying 193.10.66.61...
Connected to pao.sics.se.
Escape character is '^]'.
[ Trying mutual KERBEROS4 ... ]
[ Kerberos V4 accepts you ]
[ Kerberos V4 challenge successful ]
pao$ ulimit -u 50
pao$ a.out
fd = 4126
...........................................................<deleted>
pao$ a.out
fd = 4126
...........................................................<deleted>
pao$ a.out
fd = 4126
............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ................................................................................................................................................................................................................................................................................................................................................................Connection closed by foreign host.
mummel$ exit
exit
script done on Wed Feb 16 14:36:06 2000
bash# gdb -k kernel.6 vmcore.6
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
(no debugging symbols found)...
IdlePTD 2977792
initial pcb at 2646a4
panicstr: page fault
panic messages:
---
Fatal trap 12: page fault while in kernel mode
fault virtual address = 0x181b0
fault code = supervisor write, page not present
instruction pointer = 0x8:0xc014a31f
stack pointer = 0x10:0xc7260f08
frame pointer = 0x10:0xc7260f2c
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 14828 (a.out)
interrupt mask =
trap number = 12
panic: page fault
syncing disks... 26 25 20 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 giving up
dumping to dev 40401, offset 316196
dump 128 127 126 125 124 123 122 121 120 119 118 117 116 115 114 113 112 111 110 109 108 107 106 105 104 103 102 101 100 99 98 97 96 95 94 93 92 91 90 89 88 87 86 85 84 83 82 81 80 79 78 77 76 75 74 73 72 71 70 69 68 67 66 65 64 63 62 61 60 59 58 57 56 55 54 53 52 51 50 49 48 47 46 45 44 43 42 41 40 39 38 37 36 35 34 33 32 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1
---
#0 0xc01514ff in boot ()
(kgdb) bt
#0 0xc01514ff in boot ()
#1 0xc0151784 in at_shutdown ()
#2 0xc0216aa5 in trap_fatal ()
#3 0xc0216783 in trap_pfault ()
#4 0xc0216426 in trap ()
#5 0xc014a31f in fdcopy ()
#6 0xc014c5f7 in fork1 ()
#7 0xc014c0b7 in vfork ()
#8 0xc0216ce7 in syscall ()
#9 0xc020a40c in Xint0x80_syscall ()
#10 0x8048509 in ?? ()
(kgdb)
Note that maxusers is set to 128; as a side effect of this, large
struct filedesc are enabled.
#
# $Id: PAO,v 1.1 1999/12/22 11:15:51 root Exp $
machine "i386"
cpu "I686_CPU"
ident PAO
maxusers 128
options MATH_EMULATE #Support for x87 emulation
options INET #InterNETworking
options FFS #Berkeley Fast Filesystem
options FFS_ROOT #FFS usable as root device [keep this!]
options SOFTUPDATES
options MFS #Memory Filesystem
options NFS #Network Filesystem
options "COMPAT_43" #Compatible with BSD 4.3 [KEEP THIS!]
options SCSI_DELAY=1000 #Be pessimistic about Joe SCSI device
options UCONSOLE #Allow users to grab the console
options FAILSAFE #Be conservative
options USERCONFIG #boot -c editor
options VISUAL_USERCONFIG #visual boot -c editor
# This allows you to actually store this configuration file into
# the kernel binary itself, where it may be later read by saying:
# strings -aout -n 3 /kernel | grep ^___ | sed -e 's/^___//' > MYKERNEL
#
options INCLUDE_CONFIG_FILE # Include this file in kernel
config kernel root on da0s1a
controller isa0
controller eisa0
controller pci0
controller fdc0 at isa? port "IO_FD1" bio irq 6 drq 2
disk fd0 at fdc0 drive 0
disk fd1 at fdc0 drive 1
options ATAPI #Enable ATAPI support for IDE bus
options ATAPI_STATIC #Don't do it as an LKM
device acd0 #IDE CD-ROM
device wfd0 #IDE Floppy (e.g. LS-120)
# A single entry for any of these controllers (ncr, ahb, ahc) is
# sufficient for any number of installed devices.
controller ncr0
controller ahb0
controller ahc0
controller isp0
# This controller offers a number of configuration options, too many to
# document here - see the LINT file in this directory and look up the
# dpt0 entry there for much fuller documentation on this.
controller dpt0
controller adw0
controller scbus0
device da0
device sa0
device pass0
device cd0 #Only need one of these, the code dynamically grows
# atkbdc0 controlls both the keyboard and the PS/2 mouse
controller atkbdc0 at isa? port IO_KBD tty
device atkbd0 at isa? tty irq 1
device psm0 at isa? tty irq 12
device vga0 at isa? port ? conflicts
# splash screen/screen saver
pseudo-device splash
# syscons is the default console driver, resembling an SCO console
device sc0 at isa? tty
# Enable this and PCVT_FREEBSD for pcvt vt220 compatible console driver
#device vt0 at isa? tty
#options XSERVER # support for X server
#options FAT_CURSOR # start with block cursor
# If you have a ThinkPAD, uncomment this along with the rest of the PCVT lines
#options PCVT_SCANSET=2 # IBM keyboards are non-std
device npx0 at isa? port IO_NPX irq 13
device sio0 at isa? port "IO_COM1" flags 0x10 tty irq 4
device sio1 at isa? port "IO_COM2" tty irq 3
device sio2 at isa? disable port "IO_COM3" tty irq 5
device sio3 at isa? disable port "IO_COM4" tty irq 9
# Parallel port
device ppc0 at isa? port? net irq 7
controller ppbus0
device nlpt0 at ppbus?
device plip0 at ppbus?
device ppi0 at ppbus?
#controller vpo0 at ppbus?
# Order is important here due to intrusive probes, do *not* alphabetize
# this list of network interfaces until the probes have been fixed.
# Right now it appears that the ie0 must be probed before ep0. See
# revision 1.20 of this file.
device fxp0
pseudo-device loop
pseudo-device ether
pseudo-device sl 4
pseudo-device ppp 4
pseudo-device tun 4
pseudo-device pty 16
pseudo-device gzip # Exec gzipped a.out's
# KTRACE enables the system-call tracing facility ktrace(2).
# This adds 4 KB bloat to your kernel, and slightly increases
# the costs of each syscall.
options KTRACE #kernel tracing
# This provides support for System V shared memory and message queues.
#
options SYSVSHM
options SYSVMSG
options SYSVSEM
# The `bpfilter' pseudo-device enables the Berkeley Packet Filter. Be
# aware of the legal and administrative consequences of enabling this
# option. The number of devices determines the maximum number of
# simultaneous BPF clients programs runnable.
pseudo-device bpfilter 8 #Berkeley packet filter
Cheers,
Björn
--
Bjorn Gronvall (Björn Grönvall)
Swedish Institute of Computer Science
PO Box 1263, S-164 29 Kista, Sweden
Email: bg@sics.se, Phone +46 -8 633 15 25
Cellular +46 -70 768 06 35, Fax +46 -8 751 72 30
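Added example (not part of the PR or of Björn's mail): a small triage script that parses a FreeBSD trap dump plus a kgdb "bt" listing of the shape shown above and reports the faulting kernel function and the syscall path that reached it, which is the first thing one checks before deciding whether a crash is a userland resource-limit problem or a kernel bug. The embedded sample text is a constructed, trimmed copy of the output quoted in the report.

```python
import re
# Constructed sample: the trap dump and kgdb backtrace from the report
# above, cut down to the lines the parser uses (values as shown there).
SAMPLE = """\
Fatal trap 12: page fault while in kernel mode
fault code = supervisor write, page not present
instruction pointer = 0x8:0xc014a31f
current process = 14828 (a.out)
#0 0xc01514ff in boot ()
#1 0xc0151784 in at_shutdown ()
#2 0xc0216aa5 in trap_fatal ()
#3 0xc0216783 in trap_pfault ()
#4 0xc0216426 in trap ()
#5 0xc014a31f in fdcopy ()
#6 0xc014c5f7 in fork1 ()
#7 0xc014c0b7 in vfork ()
#8 0xc0216ce7 in syscall ()
#9 0xc020a40c in Xint0x80_syscall ()
#10 0x8048509 in ?? ()
"""
FIELD_RE = re.compile(r"^(fault code|instruction pointer|current process)\s*=\s*(.+)$")
FRAME_RE = re.compile(r"^#(\d+)\s+(0x[0-9a-fA-F]+) in (\S+) \(")
# Frames of the panic/trap machinery itself; skip them to find the code that faulted.
TRAP_MACHINERY = {"boot", "at_shutdown", "panic", "trap_fatal", "trap_pfault", "trap"}
SYSCALL_ENTRY = {"syscall", "Xint0x80_syscall"}

def parse_report(text):
    """Split a FreeBSD trap dump plus kgdb 'bt' into header fields and frames."""
    fields, frames = {}, []
    for line in text.splitlines():
        if (m := FIELD_RE.match(line)):
            fields[m.group(1)] = m.group(2).strip()
        elif (m := FRAME_RE.match(line)):
            frames.append((int(m.group(1)), int(m.group(2), 16), m.group(3)))
    return fields, frames

def triage(text):
    """Name the faulting kernel function and the syscall path that led to it."""
    fields, frames = parse_report(text)
    pc = int(fields["instruction pointer"].split(":")[-1], 16)
    kernel = [f for f in frames if f[2] not in TRAP_MACHINERY]
    culprit = kernel[0] if kernel else None
    entry = next((i for i, f in enumerate(kernel) if f[2] in SYSCALL_ENTRY), len(kernel))
    return {
        "process": fields["current process"],
        "faulting_function": culprit[2] if culprit else None,
        "pc_matches_frame": culprit is not None and culprit[1] == pc,  # sanity check
        "kernel_write_fault": fields["fault code"].startswith("supervisor write"),
        "syscall_path": " -> ".join(f[2] for f in reversed(kernel[:entry])),
    }
```

On the sample this reports fdcopy as the faulting function, confirms the trap's instruction pointer matches frame #5, and gives the path vfork -> fork1 -> fdcopy; a supervisor-mode write fault inside fdcopy while an unprivileged a.out is current points at the kernel's fd-table copy, not at process-count exhaustion.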
