Date:      Fri, 7 Sep 2018 10:38:23 -0400
From:      Shawn Webb <shawn.webb@hardenedbsd.org>
To:        freebsd-current@freebsd.org
Subject:   Re: ifnet use after free
Message-ID:  <20180907143823.m6ek7adw27e5u3nk@mutt-hbsd>
In-Reply-To: <20180824221955.7hkftov25otk6bjc@mutt-hbsd>
References:  <20180824221955.7hkftov25otk6bjc@mutt-hbsd>



On Fri, Aug 24, 2018 at 06:19:55PM -0400, Shawn Webb wrote:
> Hey All,
>
> Somewhere in the last month or so, a use after free was introduced. I
> don't have the time right now to bisect the commits and figure out
> which commit introduced the breakage. Attached is the core.txt (which
> seems nonsensical because the dump is reporting on a different
> thread). If the core.txt gets scrubbed, I've posted it here:
> https://gist.github.com/796ea88cec19a1fd2a85f4913482286a
>
> I'm running HardenedBSD 12-CURRENT/amd64, commit 6091fec317a.
>
> FreeBSD hbsd-dev-laptop 12.0-ALPHA2 FreeBSD 12.0-ALPHA2 #4
> 6091fec317a(hardened/current/master)-dirty: Thu Aug 23 18:37:45 EDT
> 2018
> shawn@hbsd-dev-laptop:/usr/obj/usr/src/amd64.amd64/sys/LATT-SEC  amd64

New core.txt: https://gist.github.com/d1ee63e578c09f35d40c977093b402d6

I'm not sure if it's the same issue, but at least I'm getting a proper
backtrace. I wonder if ifp or ifp->if_xname is already freed by the time
ifunit_ref is called.

FreeBSD hbsd-dev-laptop 12.0-ALPHA4 FreeBSD 12.0-ALPHA4 #6  a581146ba17(hardened/current/master)-dirty: Mon Sep  3 12:51:49 EDT 2018     shawn@hbsd-dev-laptop:/usr/obj/usr/src/amd64.amd64/sys/LATT-SEC  amd64

panic: vm_fault_hold: fault on nofault entry, addr: 0xfffffe0000685000

GNU gdb (GDB) 8.1.1 [GDB v8.1.1 for FreeBSD]
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-portbld-freebsd12.0".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /boot/kernel/kernel...Reading symbols from /usr/lib/debug//boot/kernel/kernel.debug...done.
done.

Unread portion of the kernel message buffer:
[12101] panic: vm_fault_hold: fault on nofault entry, addr: 0xfffffe0000685000
[12101] cpuid = 3
[12101] time = 1536281241
[12101] __HardenedBSD_version = 1200058 __FreeBSD_version = 1200083
[12101] version = FreeBSD 12.0-ALPHA4 #6  a581146ba17(hardened/current/master)-dirty: Mon Sep  3 12:51:49 EDT 2018
[12101]     shawn@hbsd-dev-laptop:/usr/obj/usr/src/amd64.amd64/sys/LATT-SEC
[12101] KDB: stack backtrace:
[12101] db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe1fef53d1c0
[12101] vpanic() at vpanic+0x1a8/frame 0xfffffe1fef53d220
[12101] panic() at panic+0x43/frame 0xfffffe1fef53d280
[12101] vm_fault_hold() at vm_fault_hold+0x1faf/frame 0xfffffe1fef53d3d0
[12101] vm_fault() at vm_fault+0x60/frame 0xfffffe1fef53d410
[12101] trap_pfault() at trap_pfault+0x188/frame 0xfffffe1fef53d460
[12101] trap() at trap+0x560/frame 0xfffffe1fef53d570
[12101] calltrap() at calltrap+0x8/frame 0xfffffe1fef53d570
[12101] --- trap 0xc, rip = 0xffffffff80bd5455, rsp = 0xfffffe1fef53d640, rbp = 0xfffffe1fef53d640 ---
[12101] strncmp() at strncmp+0x15/frame 0xfffffe1fef53d640
[12101] ifunit_ref() at ifunit_ref+0x51/frame 0xfffffe1fef53d680
[12101] ifioctl() at ifioctl+0x7bd/frame 0xfffffe1fef53d750
[12101] kern_ioctl() at kern_ioctl+0x2c0/frame 0xfffffe1fef53d7b0
[12101] sys_ioctl() at sys_ioctl+0x16e/frame 0xfffffe1fef53d880
[12101] amd64_syscall() at amd64_syscall+0x29e/frame 0xfffffe1fef53d9b0
[12101] fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe1fef53d9b0
[12101] --- syscall (54, FreeBSD ELF64, sys_ioctl), rip = 0x3c2595b7f8a, rsp = 0x7461b1772838, rbp = 0x7461b17728a0 ---
[12101] Uptime: 3h21m41s
[12101] Dumping 8310 out of 65330 MB:..1%..11%..21%..31%..41%..51%..61%..71%..81%..91%

__curthread () at ./machine/pcpu.h:230
230		__asm("movq %%gs:%1,%0" : "=r" (td)
(kgdb) #0  __curthread () at ./machine/pcpu.h:230
#1  doadump (textdump=1) at /usr/src/sys/kern/kern_shutdown.c:368
#2  0xffffffff80aec5b6 in kern_reboot (howto=260)
    at /usr/src/sys/kern/kern_shutdown.c:448
#3  0xffffffff80aeca08 in vpanic (fmt=<optimized out>, ap=0xfffffe1fef53d260)
    at /usr/src/sys/kern/kern_shutdown.c:877
#4  0xffffffff80aec763 in panic (fmt=<unavailable>)
    at /usr/src/sys/kern/kern_shutdown.c:801
#5  0xffffffff80e285cf in vm_fault_hold (map=0xfffff80005001000,
    vaddr=<optimized out>, fault_type=1 '\001', fault_flags=<optimized out>,
    m_hold=0x0) at /usr/src/sys/vm/vm_fault.c:585
#6  0xffffffff80e265d0 in vm_fault (map=0xfffff80005001000,
    vaddr=<optimized out>, fault_type=1 '\001', fault_flags=0)
    at /usr/src/sys/vm/vm_fault.c:536
#7  0xffffffff80fc0648 in trap_pfault (frame=0xfffffe1fef53d580,
    usermode=<optimized out>) at /usr/src/sys/amd64/amd64/trap.c:829
#8  0xffffffff80fbfcd0 in trap (frame=0xfffffe1fef53d580)
    at /usr/src/sys/amd64/amd64/trap.c:441
#9  <signal handler called>
#10 0xffffffff80bd5455 in strncmp (s1=0xfffffe1fef53d7d0 "epair5b",
    s2=0xfffffe0000685b28 <error: Cannot access memory at address 0xfffffe0000685b28>, n=16) at /usr/src/sys/libkern/strncmp.c:44
#11 0xffffffff80be9c11 in ifunit_ref (name=0xfffffe1fef53d7d0 "epair5b")
    at /usr/src/sys/net/if.c:2419
#12 0xffffffff80bea4bd in ifioctl (so=0xfffff804c8cbc368, cmd=3223349536,
    data=0xfffffe1fef53d7d0 "epair5b", td=0xfffff8006298d580)
    at /usr/src/sys/net/if.c:3076
#13 0xffffffff80b58ee0 in fo_ioctl (fp=<optimized out>, com=<optimized out>,
    active_cred=0x0, td=<optimized out>, data=<optimized out>)
    at /usr/src/sys/sys/file.h:330
#14 kern_ioctl (td=0xfffff8006298d580, fd=3, com=<optimized out>,
    data=0x10 <error: Cannot access memory at address 0x10>)
    at /usr/src/sys/kern/sys_generic.c:800
#15 0xffffffff80b58b9e in sys_ioctl (td=0xfffff8006298d580,
    uap=0xfffff8006298d948) at /usr/src/sys/kern/sys_generic.c:712
#16 0xffffffff80fc0e5e in syscallenter (td=0xfffff8006298d580)
    at /usr/src/sys/amd64/amd64/../../kern/subr_syscall.c:135
#17 amd64_syscall (td=0xfffff8006298d580, traced=0)
    at /usr/src/sys/amd64/amd64/trap.c:1043
#18 <signal handler called>
#19 0x000003c2595b7f8a in ?? ()
Backtrace stopped: Cannot access memory at address 0x7461b1772838

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal:    +1 443-546-8752
Tor+XMPP+OTR:        lattera@is.a.hacker.sx
GPG Key ID:          0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE

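As an added example, not part of Shawn's mail or of the FreeBSD sources, here is the check a triager would run over the two traces in the core.txt above: it takes the frames that follow the `--- trap` marker in the KDB backtrace as the faulting function and its caller, and then asks which pointer argument of the kgdb frame lies on the page named in the `vm_fault_hold` panic string. The sample lines are copied from the mail; the regexes and function names are this example's own.

```python
import re

# Constructed sample: lines copied from the core.txt quoted in the mail above.
KMSG = """\
[12101] panic: vm_fault_hold: fault on nofault entry, addr: 0xfffffe0000685000
[12101] trap() at trap+0x560/frame 0xfffffe1fef53d570
[12101] calltrap() at calltrap+0x8/frame 0xfffffe1fef53d570
[12101] --- trap 0xc, rip = 0xffffffff80bd5455, rsp = 0xfffffe1fef53d640, rbp = 0xfffffe1fef53d640 ---
[12101] strncmp() at strncmp+0x15/frame 0xfffffe1fef53d640
[12101] ifunit_ref() at ifunit_ref+0x51/frame 0xfffffe1fef53d680
[12101] ifioctl() at ifioctl+0x7bd/frame 0xfffffe1fef53d750
"""
KGDB_FRAME10 = ('#10 0xffffffff80bd5455 in strncmp (s1=0xfffffe1fef53d7d0 "epair5b", '
                's2=0xfffffe0000685b28 <error: Cannot access memory at address '
                '0xfffffe0000685b28>, n=16)')

PAGE_MASK = ~0xfff  # amd64 4 KiB pages
PANIC_RE = re.compile(r'fault on nofault entry, addr: 0x([0-9a-f]+)')
TRAP_RE = re.compile(r'^\[\d+\] --- trap 0x([0-9a-f]+), rip = 0x([0-9a-f]+)')
FRAME_RE = re.compile(r'^\[\d+\] (\w+)\(\) at \w+\+0x([0-9a-f]+)/frame 0x([0-9a-f]+)$')

def parse_kmsg(text):
    """Return (fault_addr, trap_rip, [(func, offset, frame_ptr), ...] after the trap marker)."""
    fault_addr, trap_rip, frames, seen_trap = None, None, [], False
    for line in text.splitlines():
        m = PANIC_RE.search(line)
        if m:
            fault_addr = int(m.group(1), 16)
        m = TRAP_RE.match(line)
        if m:
            seen_trap, trap_rip = True, int(m.group(2), 16)
            continue
        m = FRAME_RE.match(line)
        if m and seen_trap:  # frames above the marker are the panic machinery itself
            frames.append((m.group(1), int(m.group(2), 16), int(m.group(3), 16)))
    return fault_addr, trap_rip, frames

def faulting_call(text):
    """The function that took the page fault and the function that called it."""
    frames = parse_kmsg(text)[2]
    return frames[0][0], frames[1][0]

def pointer_args(kgdb_frame):
    """Pointer-valued arguments (name -> value) of one kgdb frame line."""
    return {k: int(v, 16) for k, v in re.findall(r'(\w+)=0x([0-9a-f]+)', kgdb_frame)}

def args_on_fault_page(text, kgdb_frame):
    """Argument names whose pointer lies on the page named in the panic string."""
    fault_addr = parse_kmsg(text)[0]
    return [k for k, v in pointer_args(kgdb_frame).items()
            if v & PAGE_MASK == fault_addr & PAGE_MASK]
```

On this dump the result is `strncmp` called from `ifunit_ref`, with `s2` (the `if_xname` being compared) as the only argument on the faulting page, which is what points the suspicion at a freed `ifnet` rather than at the caller's `name` buffer.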



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20180907143823.m6ek7adw27e5u3nk>