Date: Sat, 25 Aug 2018 14:51:24 +0200 From: "Kristof Provost" <kp@FreeBSD.org> To: "Matthew Macy" <mmacy@freebsd.org> Cc: "Shawn Webb" <shawn.webb@hardenedbsd.org>, freebsd-current@freebsd.org Subject: Re: ifnet use after free Message-ID: <2287F455-EDFD-4065-BB83-33DDDF74D027@FreeBSD.org> In-Reply-To: <7A724399-B264-41A9-B85F-A49D3B0B4730@FreeBSD.org> References: <20180824221955.7hkftov25otk6bjc@mutt-hbsd> <CAPrugNqiX5udzOchu=yBAEEqnkK-LAZZhTW4poen13Gguc1Xng@mail.gmail.com> <7A724399-B264-41A9-B85F-A49D3B0B4730@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On 25 Aug 2018, at 0:47, Kristof Provost wrote: > On 25 Aug 2018, at 0:26, Matthew Macy wrote: >> On Fri, Aug 24, 2018 at 15:25 Shawn Webb <shawn.webb@hardenedbsd.org> >> wrote: >> >>> Hey All, >>> >>> Somewhere in the last month or so, a use after free was introduced. >>> I >>> don't have the time right now to bisect the commits and figure out >>> which commit introduced the breakage. Attached is the core.txt >>> (which >>> seems nonsensical because the dump is reporting on a different >>> thread). If the core.txt gets scrubbed, I've posted it here: >>> https://gist.github.com/796ea88cec19a1fd2a85f4913482286a >>> >> >> Do you have any guidance on how to reproduce? The hardenedbsd rev >> isn’t >> useful - the svn commit that it’s based against is what is needed. >> > For what it’s worth, it’s not a hardenedbsd thing. I’ve been > chasing the same one (same offset, same allocation size, same most > recent user). Something gets set to zero/NULL. 8 bytes on amd64, so > presumably a pointer. > > I currently only trigger it on a development branch, but I’ll see if > I can clean that up into something I can share tomorrow. > > In my test scenario it happens after shutdown of a vnet jail with a > few interfaces in it (including a pfsync interface which will > disappear with the jail), and new jails are started. It’s pretty > reliable. > > At a guess something’s wrong with the delayed cleanup of ifnets and > vnet shutdown. > I see this: Memory modified after free 0xfffff800623ab000(2040) val=0 @ 0xfffff800623ab398 panic: Most recently used by ifnet cpuid = 7 time = 1535199812 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe008c8e13c0 vpanic() at vpanic+0x1a3/frame 0xfffffe008c8e1420 panic() at panic+0x43/frame 0xfffffe008c8e1480 mtrash_ctor() at mtrash_ctor+0x81/frame 0xfffffe008c8e14a0 uma_zalloc_arg() at uma_zalloc_arg+0x72c/frame 0xfffffe008c8e1510 malloc() at malloc+0x9a/frame 0xfffffe008c8e1560 if_alloc() at if_alloc+0x23/frame 0xfffffe008c8e1590 epair_clone_create() at epair_clone_create+0x239/frame 0xfffffe008c8e1610 if_clone_createif() at if_clone_createif+0x4a/frame 0xfffffe008c8e1660 ifioctl() at ifioctl+0x852/frame 0xfffffe008c8e1750 kern_ioctl() at kern_ioctl+0x2ba/frame 0xfffffe008c8e17b0 sys_ioctl() at sys_ioctl+0x15e/frame 0xfffffe008c8e1880 amd64_syscall() at amd64_syscall+0x28c/frame 0xfffffe008c8e19b0 fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe008c8e19b0 --- syscall (54, FreeBSD ELF64, sys_ioctl), rip = 0x80047b74a, rsp = 0x7fffffffe208, rbp = 0x7fffffffe250 --- KDB: enter: panic [ thread pid 1426 tid 100466 ] Stopped at kdb_enter+0x3b: movq $0,kdb_why db> It does require a couple of bug fixes in pfsync to trigger. You can get them from the pfsync_vnet branch in https://github.com/kprovost/freebsd/tree/pfsync_vnet After that: kldload pfsync pkg install scapy cd /usr/tests/sys/netpfil/pf kyua test It should panic reliably. Regards, Kristof From owner-freebsd-current@freebsd.org Sat Aug 25 15:33:09 2018 Return-Path: <owner-freebsd-current@freebsd.org> Delivered-To: freebsd-current@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id DBA45108DFB7 for <freebsd-current@mailman.ysv.freebsd.org>; Sat, 25 Aug 2018 15:33:09 +0000 (UTC) (envelope-from greg@unrelenting.technology) Received: from hraggstad.unrelenting.technology (hraggstad.unrelenting.technology [71.19.146.151]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "hraggstad.unrelenting.technology", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 29C3875658; Sat, 25 Aug 2018 15:33:08 +0000 (UTC) (envelope-from greg@unrelenting.technology) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=unrelenting.technology; h=date:from:to:subject:message-id; s=default; bh=lXLKyfJQh08jOKpn2GuimNNoG5K//utY2+bowbIrM1Q=; b=O/IoMdD74pLE9wINq7ZJ+M5L6d86TC9dInSRKvjDnR3ME5kHf7E4Sh/bZrpJ8ngE1sfub1UsJjNQe6awCfAB23ChcJ5GknXIYj0EvzRsZYHmD9apwKSnqZdQxSO9+39wDrTphBj5tiqsEuOMgXvYj1qTT4bZJrGyrUwnotG8+Bw= Received: by hraggstad.unrelenting.technology (OpenSMTPD) with ESMTPSA id c1c04f71 TLS version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO; Sat, 25 Aug 2018 15:32:49 +0000 (UTC) Received: from localhost (markarth.lan [local]) by markarth.lan (OpenSMTPD) with ESMTPA id 5e3fbb22; Sat, 25 Aug 2018 18:32:43 +0300 (MSK) Date: Sat, 25 Aug 2018 18:32:43 +0300 From: Greg <greg@unrelenting.technology> To: Niclas Zeising <zeising@freebsd.org> Cc: Warner Losh <imp@bsdimp.com>, "Rodney W. Grimes" <freebsd-rwg@pdx.rh.cn85.dnsmgr.net>, Kyle Evans <kevans@freebsd.org>, Johannes Lundberg <johalun0@gmail.com>, Matt Macy <mmacy@freebsd.org>, FreeBSD Current <freebsd-current@freebsd.org> Subject: Re: priority of paths to kernel modules? Message-ID: <20180825153243.7igswejbqcgqkyzg@unrelenting.technology> References: <CACNAnaGMsifVntGHQ8T4-w6jL+2dx5e1Ciw3-CQ9W2MwF38mfg@mail.gmail.com> <201808241411.w7OEBXg8095140@pdx.rh.CN85.dnsmgr.net> <CANCZdfoNdFHM6Z8KVNrUCFzASjRLsd=dkw_fZGpJjsYmFzySUg@mail.gmail.com> <a67c3e82-838f-dd09-64d3-abb7dbcdd8e7@freebsd.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Disposition: inline In-Reply-To: <a67c3e82-838f-dd09-64d3-abb7dbcdd8e7@freebsd.org> OpenPGP: url=https://unrelenting.technology/pub/3B011BAF.asc User-Agent: the one that sucks less X-Hashcash: 1:20:180825:johalun0@gmail.com::gAJUm1jpa1hWYBDa:31Vo X-Hashcash: 1:20:180825:freebsd-current@freebsd.org::V5i88JE2y45El1G/:Iib6 X-Hashcash: 1:20:180825:freebsd-rwg@pdx.rh.cn85.dnsmgr.net::pF9RsP+89uZSmVn6:3ggZ X-Hashcash: 1:20:180825:kevans@freebsd.org::YZp24pDBSVcHOvit:8fM X-Hashcash: 1:20:180825:mmacy@freebsd.org::XQUdAYtBIpT2etql:22rA X-Hashcash: 1:20:180825:imp@bsdimp.com::AoAkZLa3IrMwlftR:0m69 X-Hashcash: 1:20:180825:zeising@freebsd.org::36mdQZFSZCMQuinr:AKfc X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.27 Precedence: list List-Id: Discussions about the use of FreeBSD-current <freebsd-current.freebsd.org> List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-current>, <mailto:freebsd-current-request@freebsd.org?subject=unsubscribe> List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current/>; List-Post: <mailto:freebsd-current@freebsd.org> List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help> List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-current>, <mailto:freebsd-current-request@freebsd.org?subject=subscribe> X-List-Received-Date: Sat, 25 Aug 2018 15:33:10 -0000 On 08/25, Niclas Zeising wrote: >On 08/24/18 17:20, Warner Losh wrote: >> This would allow the graphics port to have a rc script that sets >>this up so when X11 goes to automatically load the module, the right one >>gets loaded. >> > >I just want to point out that X11 doesn't load the graphics kernel >driver by default when using the drm-*-kmod ports, and I'm not sure >the hack to have the intel ddx (xf86-video-intel) load the drm2 driver >is still around. > >It doesn't really matter though, since upstream is moving away from >having X load the driver, and I'd like us to follow suit by using >devmatch (this is one of the reasons we wanted to get rid of the base >drivers, as I've stated before). X can't always know which driver to >load (when using modesetting for instance), and in my opinion, it >should be the kernel/loader that decides which drivers to load. Yes, of course X shouldn't load the driver - also because: - X is not the only display server people use (I use Weston) - the console (vt) should also run with the graphics driver! (e.g. efifb currently conflicts with radeon/amdgpu so you have to turn efifb off to get anything working on EFI + Radeon, also many ARM boards do not have any graphics support in U-Boot or whatever firmware) I'm surprised to hear anyone was relying on the X server to load the kernel module. I *always* used kld_list.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2287F455-EDFD-4065-BB83-33DDDF74D027>