Date:      Fri, 20 Mar 2009 22:34:18 GMT
From:      Chris Palmer <chris@noncombatant.org>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/132886: Trivially fuzzed executables panic the kernel
Message-ID:  <200903202234.n2KMYI5G058455@www.freebsd.org>
Resent-Message-ID: <200903202240.n2KMe27t033230@freefall.freebsd.org>

>Number:         132886
>Category:       kern
>Synopsis:       Trivially fuzzed executables panic the kernel
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Mar 20 22:40:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Chris Palmer
>Release:        FreeBSD 7.1-STABLE
>Organization:
>Environment:
FreeBSD blueberry 7.1-STABLE FreeBSD 7.1-STABLE #1: Fri Feb  6 13:24:55 PST 2009     root@blueberry:/local/src/sys/i386/compile/GENERIC  i386

>Description:
I used iSEC's file fuzzer:

https://www.isecpartners.com/file_fuzzers.html

to generate 20 fuzzed versions of /bin/ls. The 12th (attached) reliably panics my kernel. I have not yet tried any of the others. The crash appears to be due to an invalid memory access, but I have not spent very much time tracking down the root cause. Other bugs may exist, and some may be exploitable --- but I don't know for sure.

Here is a backtrace.

blueberry# kgdb kernel.debug /var/crash/vmcore.0
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...

Unread portion of the kernel message buffer:


Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x98bd2a54
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc0758413
stack pointer           = 0x28:0xd623ea58
frame pointer           = 0x28:0xd623eae0
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 36581 (isolate)
trap number             = 12
panic: page fault
cpuid = 0
Uptime: 6h15m3s
Physical memory: 499 MB
Dumping 107 MB: 92 76 60 44 28 12

Reading symbols from /boot/kernel/snd_es137x.ko...Reading symbols from /boot/kernel/snd_es137x.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/snd_es137x.ko
Reading symbols from /boot/kernel/sound.ko...Reading symbols from /boot/kernel/sound.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/sound.ko
Reading symbols from /boot/kernel/acpi.ko...Reading symbols from /boot/kernel/acpi.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/acpi.ko
#0  doadump () at pcpu.h:196
196             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
(kgdb) bt
#0  doadump () at pcpu.h:196
#1  0xc0799667 in boot (howto=260) at /local/src/sys/kern/kern_shutdown.c:418
#2  0xc0799939 in panic (fmt=Variable "fmt" is not available.
) at /local/src/sys/kern/kern_shutdown.c:574
#3  0xc0aaba8c in trap_fatal (frame=0xd623ea18, eva=2562533972) at /local/src/sys/i386/i386/trap.c:939
#4  0xc0aabd10 in trap_pfault (frame=0xd623ea18, usermode=0, eva=2562533972) at /local/src/sys/i386/i386/trap.c:852
#5  0xc0aac6cc in trap (frame=0xd623ea18) at /local/src/sys/i386/i386/trap.c:530
#6  0xc0a9253b in calltrap () at /local/src/sys/i386/i386/exception.s:159
#7  0xc0758413 in exec_elf32_imgact (imgp=0xd623ebe0) at /local/src/sys/kern/imgact_elf.c:867
#8  0xc0771412 in kern_execve (td=0xc3434d20, args=0xd623ec5c, mac_p=0x0) at /local/src/sys/kern/kern_exec.c:432
#9  0xc07723cc in execve (td=0xc3434d20, uap=0xd623ecfc) at /local/src/sys/kern/kern_exec.c:201
#10 0xc0aac065 in syscall (frame=0xd623ed38) at /local/src/sys/i386/i386/trap.c:1090
#11 0xc0a925a0 in Xint0x80_syscall () at /local/src/sys/i386/i386/exception.s:255
#12 0x00000033 in ?? ()
Previous frame inner to this frame (corrupt stack?)

>How-To-Repeat:
Run the attached executable. Crashes for me on 7.1-STABLE, i386.

Run the fuzzer to generate more candidates, and fuzz some other executables too.
>Fix:
In general, do not trust pointers and offsets provided by the user. This includes normal dereferences as well as pointer arithmetic and integer arithmetic in which the result will be used later to subscript an array, or the like.

>From imgact_elf.c:

865    if (pnote != NULL && pnote->p_offset < PAGE_SIZE &&
866        pnote->p_offset + pnote->p_filesz < PAGE_SIZE ) {
867        note = (const Elf_Note *)(imgp->image_header + pnote->p_offset);
868        if (!aligned(note, Elf32_Addr)) {

Line 867 could be where it all went wrong.

Patch attached with submission follows:

>Release-Note:
>Audit-Trail:
>Unformatted:
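Added example, not part of Chris Palmer's report and not FreeBSD's code: the bounds test quoted from lines 865-866 beside a form that cannot wrap, plus a note walker that checks every size read from the image against the bytes remaining before using it as an offset, as the >Fix section advises. The Elf32 types are stand-ins for the ones imgact_elf.c uses, and the sample header is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Stand-ins for the ELF32 types imgact_elf.c uses (assumed here, not FreeBSD's headers). */
typedef uint32_t Elf32_Word;
typedef struct { Elf32_Word p_type, p_offset, p_vaddr, p_paddr,
                 p_filesz, p_memsz, p_flags, p_align; } Elf32_Phdr;
typedef struct { Elf32_Word n_namesz, n_descsz, n_type; } Elf32_Note;
#define PAGE_SIZE 4096u

/* The test as quoted from lines 865-866: with 32-bit operands the sum can wrap past zero,
 * so a huge p_filesz can still satisfy it. */
bool note_in_page_weak(const Elf32_Phdr *p) {
    return p->p_offset < PAGE_SIZE && p->p_offset + p->p_filesz < PAGE_SIZE;
}
/* Hardened form: compare the size against the room left instead of adding, so nothing wraps. */
bool note_in_page_hardened(const Elf32_Phdr *p) {
    return p->p_offset < PAGE_SIZE && p->p_filesz <= PAGE_SIZE - p->p_offset;
}
/* Count note records in hdr[p_offset, p_offset + p_filesz). Each size read from the image
 * is checked against the bytes remaining before it advances the cursor; -1 = malformed. */
int count_notes(const uint8_t *hdr, const Elf32_Phdr *p) {
    if (!note_in_page_hardened(p)) return -1;
    uint32_t pos = p->p_offset, end = p->p_offset + p->p_filesz;   /* cannot wrap now */
    int n = 0;
    while (pos < end) {
        Elf32_Note note;
        if (end - pos < sizeof note) return -1;
        memcpy(&note, hdr + pos, sizeof note);
        pos += sizeof note;
        /* Sizes are bounded by end - pos (<= PAGE_SIZE) before rounding, so +3 cannot overflow. */
        if (note.n_namesz > end - pos || ((note.n_namesz + 3u) & ~3u) > end - pos) return -1;
        pos += (note.n_namesz + 3u) & ~3u;
        if (note.n_descsz > end - pos || ((note.n_descsz + 3u) & ~3u) > end - pos) return -1;
        pos += (note.n_descsz + 3u) & ~3u;
        n++;
    }
    return n;
}
/* Constructed sample: one well-formed note (name "FreeBSD", 4-byte desc) at offset 64. */
void make_sample(uint8_t hdr[PAGE_SIZE], Elf32_Phdr *ph) {
    Elf32_Note note = { 8, 4, 1 };
    memset(hdr, 0, PAGE_SIZE);
    memcpy(hdr + 64, &note, sizeof note);
    memcpy(hdr + 76, "FreeBSD", 8);                        /* 7 chars + NUL = n_namesz */
    memset(ph, 0, sizeof *ph);
    ph->p_type = 4; ph->p_offset = 64; ph->p_filesz = 24;  /* PT_NOTE: 12 + 8 + 4 bytes */
}
```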