Date:      Fri, 27 Mar 2009 16:10:09 -0700 (PDT)
From:      "Eugene M. Kim" <20080111.freebsd.org@ab.ote.we.lv>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   kern/133143: Kernel panic with ubsec and cryptodev; induced by non-root users
Message-ID:  <200903272310.n2RNA985001423@burrito.p2p.nttmcl.com>
Resent-Message-ID: <200903272320.n2RNK4nX083948@freefall.freebsd.org>


>Number:         133143
>Category:       kern
>Synopsis:       Kernel panic with ubsec and cryptodev; induced by non-root users
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Mar 27 23:20:03 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Eugene M. Kim
>Release:        FreeBSD 6.4-RELEASE i386
>Organization:
>Environment:

System: FreeBSD paperboy.dev.p2p.nttmcl.com 6.4-RELEASE FreeBSD 6.4-RELEASE #1 r190431: Wed Mar 25 19:58:05 PDT 2009     root@burrito.p2p.nttmcl.com:/usr/obj/usr/src/sys/PAPERBOY  i386

Hardware: Dell PowerEdge R300 with:

--  Intel Xeon E3110 - dual-core, 3.0GHz
--  4GB memory (3326MB visible to the non-PAE kernel)
--  PCI-X riser card
--  Broadcom BCM95821SSN PCI-X cryptographic accelerator card

Kernel configuration:

--- BEGIN src/sys/i386/conf/PAPERBOY ---
include 	SMP

ident		PAPERBOY

makeoptions	DEBUG=-g

options 	KDB
options 	KDB_TRACE
options 	DDB
options 	GDB
options 	BREAK_TO_DEBUGGER
#options 	ALT_BREAK_TO_DEBUGGER
options 	INVARIANTS
options 	INVARIANT_SUPPORT

options 	FAST_IPSEC

device		crypto
device		cryptodev
device		ubsec
options 	UBSEC_DEBUG
--- END src/sys/i386/conf/PAPERBOY ---

>Description:

The kernel randomly panics when running a multithreaded OpenSSL performance
test program (even as a non-root user), with increasing panic probability
as the number of threads used by the test program increases.

The test program is available at (link valid for 3 years):

    http://purple.the-7.net/~ab/Temporary/GORCuns5zR/evptest.tar.bz2

--- BEGIN panic message ---
Memory modified after free 0xc9049000(4092) val=54c0f2f9 @ 0xc9049138
panic: Most recently used by devbuf

cpuid = 1
KDB: enter: panic
--- END panic message ---

The following stack trace was obtained via a remote GDB session; some argument
values do not make sense (e.g. the size argument given to mtrash_ctor(), which
should be 4092 but is negative); it might be a bug in GDB itself.

--- BEGIN stack trace ---
#0  0xc06d75bb in kdb_enter (msg=0x12 <Address 0x12 out of bounds>)
    at cpufunc.h:60
#1  0xc06beb9b in panic (fmt=0xc09f730e "Most recently used by %s\n")
    at /usr/src/sys/kern/kern_shutdown.c:550
#2  0xc084b35d in mtrash_ctor (mem=0xc9049000, size=-1052561408, arg=0x0, 
    flags=1) at /usr/src/sys/vm/uma_dbg.c:137
#3  0xc08494af in uma_zalloc_arg (zone=0xc1461b40, udata=0x0, flags=1)
    at /usr/src/sys/vm/uma_core.c:1849
#4  0xc06b3cba in malloc (size=3600, mtp=0xc0a5c100, flags=1) at uma.h:277
#5  0xc0638f4b in ubsec_newsession (arg=0xc8830000, sidp=0xeb188bfc, cri=0x12)
    at /usr/src/sys/dev/ubsec/ubsec.c:947
#6  0xc07d8c68 in crypto_newsession (sid=0xeb188c2c, cri=0xeb188c34, hard=1)
    at /usr/src/sys/opencrypto/crypto.c:354
#7  0xc07da1e5 in cryptof_ioctl (fp=0x12, cmd=3223085925, data=0x0, 
    active_cred=0xc8ef0800, td=0xc902c480)
    at /usr/src/sys/opencrypto/cryptodev.c:264
#8  0xc06e2486 in ioctl (td=0xc902c480, uap=0xeb188d04) at file.h:265
#9  0xc0948b3f in syscall (frame=
      {tf_fs = -1081147333, tf_es = 672464955, tf_ds = -1081147333, tf_edi = 135852444, tf_esi = -1128460528, tf_ebp = -1128460648, tf_isp = -350712476, tf_ebx = 672572564, tf_edx = 0, tf_ecx = 135852416, tf_eax = 54, tf_trapno = 22, tf_err = 2, tf_eip = 673530195, tf_cs = 51, tf_eflags = 2097670, tf_esp = -1128460692, tf_ss = 59}) at /usr/src/sys/i386/i386/trap.c:984
#10 0xc093369f in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:200
#11 0x00000033 in ?? ()
--- END stack trace ---

This could also be a security issue, as non-root users can induce kernel
panics, leading to denial of service.

>How-To-Repeat:

1.  Compile and install a modified kernel with configuration shown above.
2.  Reboot.
3.  Run the supplied test program (evptest) as any user (root or non-root):

    $ tar -xjf evptest.tar.bz2
    $ cd evptest
    $ make cleandir
    $ make depend all
    $ ./evptest -h		# for help message
    $ ./evptest -t 100		# this uses 100 threads

>Fix:

    None, other than disabling ubsec as a workaround.
>Release-Note:
>Audit-Trail:
>Unformatted:
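
Reading the panic line in the report above (`Memory modified after free 0xc9049000(4092) val=54c0f2f9 @ 0xc9049138`): with INVARIANTS, freed malloc memory is filled with a poison word and re-checked at the next allocation, which is the `mtrash_ctor` frame in the trace. The user-space C model below is an added example, not FreeBSD source and not part of the original report; the function names, the owner table and the simulated late write are assumptions, and the report does not identify what actually wrote to the freed block.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define JUNK       0xdeadc0deu        /* poison word (FreeBSD's uma_junk has this value) */
#define BLOCK_SIZE 4096u              /* allocator bucket size */
#define USABLE     (BLOCK_SIZE - 4u)  /* 4092: last 32-bit slot keeps the owner tag */
#define WORDS      (USABLE / sizeof(uint32_t))

static const char *owner_names[] = { "none", "devbuf" }; /* hypothetical tag table */
uint32_t demo_block[BLOCK_SIZE / sizeof(uint32_t)];      /* stands in for the freed block */
uint32_t bad_val;                     /* first non-poison word found by the check */

/* Free-time hook: poison the usable area and record the last owner. */
void trash_on_free(uint32_t *blk, uint32_t owner)
{
    for (size_t i = 0; i < WORDS; i++)
        blk[i] = JUNK;
    blk[WORDS] = owner;
}

/* Allocation-time hook: byte offset of the first modified word, or -1 if intact. */
long trash_check_on_alloc(const uint32_t *blk)
{
    for (size_t i = 0; i < WORDS; i++)
        if (blk[i] != JUNK) {
            bad_val = blk[i];
            return (long)(i * sizeof(uint32_t));
        }
    return -1;
}

const char *last_owner(const uint32_t *blk) { return owner_names[blk[WORDS]]; }

/* Constructed scenario: something writes into the block after it was freed. */
long demo_late_write(void)
{
    trash_on_free(demo_block, 1);
    demo_block[0x138 / sizeof(uint32_t)] = 0x54c0f2f9u; /* constructed stale write */
    return trash_check_on_alloc(demo_block);
}

int main(void)
{
    long off = demo_late_write();
    printf("Memory modified after free (%u) val=%x @ +0x%lx\n",
           USABLE, bad_val, (unsigned long)off);
    printf("Most recently used by %s\n", last_owner(demo_block));
    return 0;
}
```

In the report's terms, the faulting word sits at 0xc9049138 - 0xc9049000 = 0x138 bytes into a block last owned by `devbuf`, and the check fires in whichever caller next allocates that block, so the `ubsec_newsession` frame shows where the damage was noticed rather than necessarily where it was done.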


