Date:      Tue, 7 Feb 2006 00:45:02 -0500
From:      Kris Kennaway <kris@obsecurity.org>
To:        Kris Kennaway <kris@obsecurity.org>
Cc:        net@FreeBSD.org
Subject:   Re: Changing time causes ipv6 panics
Message-ID:  <20060207054502.GA18560@xor.obsecurity.org>
In-Reply-To: <20060116004438.GA27901@xor.obsecurity.org>
References:  <20060116004438.GA27901@xor.obsecurity.org>


On Sun, Jan 15, 2006 at 07:44:38PM -0500, Kris Kennaway wrote:
> I ran ntpdate on an amd64 system with ipv6 enabled and a skewed clock
> (ntpdate stepped it back by about an hour), and immediately got a
> use-after-free panic in ifaddr.  When I rebooted with memguard enabled
> on this malloc type and retried, I got this panic upon changing the
> date forward, then back, then forward again (also note the garbage
> return data from ntpdate):

Has anyone looked at this?  This is on the TODO list for 6.1, so the
sooner it can be resolved the better.

Kris

> # date 200606011200
> Thu Jun  1 12:00:00 UTC 2006
> # ntpdate ntp.apple.com
> 16 Jan 00:40:18 ntpdate[612]: step time server 17.254.0.28 offset -~9000pm6}9426375508.195959 sec
> # date 200606011200
> Thu Jun  1 12:00:00 UTC 2006
>
> Fatal trap 12: page fault while in kernel mode
> cpuid = 0; apic id = 00
> fault virtual address   = 0xffffffff91bd2198
> fault code              = supervisor write, protection violation
> instruction pointer     = 0x8:0xffffffff80321346
> stack pointer           = 0x10:0xffffffffbcfa1b60
> frame pointer           = 0x10:0xffffffffbcfa1b90
> code segment            = base 0x0, limit 0xfffff, type 0x1b
>                         = DPL 0, pres 1, long 1, def32 0, gran 1
> processor eflags        = interrupt enabled, resume, IOPL = 0
> current process         =3D 14 (swi4: clock sio)
> [thread pid 14 tid 100010 ]
> Stopped at      nd6_timer+0x106:        movl    %eax,0x198(%rbx)
> db> wh
> Tracing pid 14 tid 100010 td 0xffffff03e15d6c30
> nd6_timer() at nd6_timer+0x106
> softclock() at softclock+0x279
> ithread_execute_handlers() at ithread_execute_handlers+0x12f
> ithread_loop() at ithread_loop+0x99
> fork_exit() at fork_exit+0xdf
> fork_trampoline() at fork_trampoline+0xe
> --- trap 0, rip = 0, rsp = 0xffffffffbcfa1d40, rbp = 0 ---
>
> Unfortunately I can't dump on this system, but:
>
> (kgdb) list *(nd6_timer+0x106)
> 0xffffffff80321346 is in nd6_timer (../../../netinet6/nd6.c:585).
> 580                                     goto addrloop; /* XXX: see below */
> 581                     }
> 582                     if (IFA6_IS_DEPRECATED(ia6)) {
> 583                             int oldflags = ia6->ia6_flags;
> 584
> 585                             ia6->ia6_flags |= IN6_IFF_DEPRECATED;
> 586
> 587                             /*
> 588                              * If a temporary address has just become deprecated,
> 589                              * regenerate a new one if possible.
>
> Kris
>
>
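The trace above shows nd6_timer writing ia6->ia6_flags on an ifaddr that memguard had already unmapped, i.e. the timer walk still used an entry after it had been freed. The C program below is an added example written for this page, not FreeBSD code: it models that shape of bug with a timer sweeping a list of addresses whose preferred and valid lifetimes have expired at the stepped time, and puts a walk that falls through to the entry after purging it beside a walk that does not. The struct addr6, its lifetime fields, purge(), the tombstone-style stand-in for memguard and the sample list are all constructed; that the two lifetime checks happen in one pass is an assumption taken from the loop shape in the listing, not from the source of any fix.

```c
#include <stddef.h>
#include <stdlib.h>

/* Constructed model of an IPv6 interface address (hypothetical; this is not
 * FreeBSD's struct in6_ifaddr). Lifetimes follow the RFC 4862 notion of a
 * preferred lifetime (address becomes deprecated) and a valid lifetime
 * (address is removed), both expressed as absolute seconds on some clock. */
struct addr6 {
    struct addr6 *next;
    long pref_until;   /* deprecated once now >= pref_until */
    long valid_until;  /* purged once now >= valid_until */
    unsigned flags;
};
#define FLAG_DEPRECATED 0x1u

/* Stand-in for memguard: a purged entry is remembered and never reused, so a
 * later touch can be detected and counted instead of faulting. */
#define MAX_FREED 64
static struct addr6 *freed[MAX_FREED];
static int nfreed;

static int is_freed(const struct addr6 *a)
{
    for (int i = 0; i < nfreed; i++)
        if (freed[i] == a)
            return 1;
    return 0;
}

/* Unlink a from the list and "unmap" it. */
static void purge(struct addr6 **head, struct addr6 *a)
{
    for (struct addr6 **pp = head; *pp != NULL; pp = &(*pp)->next)
        if (*pp == a) { *pp = a->next; break; }
    if (nfreed < MAX_FREED)
        freed[nfreed++] = a;
}

/* Timer walk with the hazardous shape: purge an invalid entry, then fall
 * through to the deprecation check on the same entry. Returns how many times
 * the walk touched an entry it had already purged (each would be a page
 * fault under memguard, like the write at nd6_timer+0x106 in the trace). */
static int timer_walk_buggy(struct addr6 **head, long now)
{
    int faults = 0;
    struct addr6 *nxt;
    for (struct addr6 *a = *head; a != NULL; a = nxt) {
        nxt = a->next;                      /* next is saved up front */
        if (now >= a->valid_until)
            purge(head, a);                 /* a must not be used after this ... */
        if (is_freed(a)) { faults++; continue; }  /* ... but the code falls through */
        if (now >= a->pref_until)
            a->flags |= FLAG_DEPRECATED;    /* the write to ia6_flags */
    }
    return faults;
}

/* Safe variant: once an entry may have been purged, nothing else touches it. */
static int timer_walk_safe(struct addr6 **head, long now)
{
    int faults = 0;
    struct addr6 *nxt;
    for (struct addr6 *a = *head; a != NULL; a = nxt) {
        nxt = a->next;
        if (now >= a->valid_until) {
            purge(head, a);
            continue;                       /* skip the rest of the iteration */
        }
        if (is_freed(a)) { faults++; continue; }
        if (now >= a->pref_until)
            a->flags |= FLAG_DEPRECATED;
    }
    return faults;
}

/* Constructed three-entry list. At a stepped time of 950 the middle entry has
 * outlived both its preferred and its valid lifetime, so one pass sees it as
 * invalid and deprecated at once; the last entry is merely deprecated. */
static struct addr6 *make_list(void)
{
    static struct addr6 a[3];
    nfreed = 0;
    a[0] = (struct addr6){ &a[1], 1000, 2000, 0 };
    a[1] = (struct addr6){ &a[2],  100,  200, 0 };
    a[2] = (struct addr6){ NULL,   900, 5000, 0 };
    return &a[0];
}

static int list_len(const struct addr6 *a)
{
    int n = 0;
    for (; a != NULL; a = a->next)
        n++;
    return n;
}
```

Run against the same list, the buggy walk reports one touch of a purged entry while the safe walk reports none; both end with two entries and the last one marked deprecated. Saving the next pointer before acting on an entry is necessary but not sufficient: every later statement in the iteration must also be skipped once the entry has been handed to the allocator.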