Date: Fri, 26 Nov 2010 14:31:53 +0300
From: Dmitry Krivenok <krivenok.dmitry@gmail.com>
To: Ivan Klymenko <fidaj@ukr.net>
Cc: freebsd-hackers@freebsd.org
Subject: Re: Simple kernel attack using socketpair.
Message-ID: <AANLkTimH58340209kH3SxD_NpfjiJOai6HvL5-Vfd_=2@mail.gmail.com>
In-Reply-To: <20101126124922.3947bab4@ukr.net>
References: <20101126122639.4fd47cba@ukr.net> <20101126124922.3947bab4@ukr.net>
I ran it on 8.0 and CURRENT and got a fatal double fault on both systems:
=======================================================================
Unread portion of the kernel message buffer:
kern.maxfiles limit exceeded by uid 1001, please see tuning(7).

Fatal double fault
rip = 0xffffffff80615f54
rsp = 0xffffff803c1fa000
rbp = 0xffffff803c1fa000
cpuid = 0; apic id = 00
panic: double fault
cpuid = 0
KDB: enter: panic
Uptime: 8d21h9m48s
Physical memory: 983 MB
Dumping 244 MB: 229 213 197 181 165 149 133 117 101 85 69 53 37 21 5

Reading symbols from /boot/modules/bwn_v4_lp_ucode.ko...done.
Loaded symbols for /boot/modules/bwn_v4_lp_ucode.ko
#0  0xffffffff805cc90a in kproc_shutdown (arg=0x0, howto=Variable "howto" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:639
639             printf("Waiting (max %d seconds) for system process `%s' to stop...",
(kgdb) bt
#0  0xffffffff805cc90a in kproc_shutdown (arg=0x0, howto=Variable "howto" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:639
#1  0xffffffff805cce37 in kern_reboot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:216
#2  0xffffffff805cd2c1 in panic (fmt=0x1 <Address 0x1 out of bounds>) at /usr/src/sys/kern/kern_shutdown.c:555
#3  0xffffffff808c7586 in user_ldt_free (td=0xffffff800021a300) at cpufunc.h:524
#4  0xffffffff808b24dd in Xtss () at /usr/src/sys/amd64/amd64/exception.S:151
#5  0xffffffff80615f54 in db_witness_list_all (addr=-2137114768, have_addr=1, count=-2137114768, modif=0x1 <Address 0x1 out of bounds>) at /usr/src/sys/kern/subr_witness.c:2352
Previous frame inner to this frame (corrupt stack?)
=======================================================================

On Fri, Nov 26, 2010 at 1:49 PM, Ivan Klymenko <fidaj@ukr.net> wrote:
> On Fri, 26 Nov 2010 12:26:39 +0200
> Ivan Klymenko <fidaj@ukr.net> writes:
>
>> Hello!
>> Rumor has it that this vulnerability applies to FreeBSD too, with
>> SOCK_SEQPACKET replaced by SOCK_DGRAM...
> and add:
>
> #include <sys/mount.h>
> #include <sys/wait.h>
> #include <errno.h>
> #include <fcntl.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <unistd.h>
>
>>
>> http://lkml.org/lkml/2010/11/25/8
>>
>> What do you think about this?
>>
>> Thank you!
> _______________________________________________
> freebsd-hackers@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
>

-- 
Sincerely yours,
Dmitry V. Krivenok
e-mail: krivenok.dmitry@gmail.com
skype: krivenok_dmitry
jabber: krivenok_dmitry@jabber.ru
icq: 242-526-443