Message-ID: <3A784846.27E560E9@jonny.eng.br>
Date: Wed, 31 Jan 2001 15:15:51 -0200
From: Joao Carlos Mendes Luis
Organization: Internet via Embratel
To: freebsd-stable@freebsd.org
Subject: URG: IPFW and kernel msgbuf corruption

Hi,

I've seen some messages in the mail archives about this, but none got to the real problem!

FreeBSD -stable from yesterday (2000.01.30) has a bug in ipfw logging that corrupts kernel msgbuf (dmesg) area. Maybe some other modules have this bug also, but I could not reproduce them.

This bug is definitely not present in 4.2-RELEASE, as I have downgraded my system with cvsup and repeated the tests.

My test procedure is to attack my test system with nmap, and look for the ipfw log messages. They corrupt the whole msgbuf area, like this:

bash-2.04# dmesg
>ipfw: 20050 Deny TCP 200.255.125.133:39372 200.255.125.137:6007 in via fxp0
bash-2.04#

Only one line of messages? I have 80k of message buffer defined:

options MSGBUF_SIZE=81920

If I try some other form of kernel messages, for example, a SCSI bus reset, the problem does not happen:

bash-2.04# camcontrol reset 0:6:0
Reset of 0:6:0 returned error 0xb
bash-2.04# dmesg
.255.125.133:39371 200.255.125.137:461 in via fxp0
(pass5:ahc0:0:6:0): Bus Device Reset Message Sent
ahc0: Bus Device Reset on A:6. 0 SCBs aborted
(pass5:ahc0:0:6:0): SCB 0x9 - timed out while idle, SEQADDR == 0x7
STACK == 0x3, 0x10d, 0x163, 0xec
SXFRCTL0 == 0x80
ahc0: Dumping Card State at SEQADDR 0x7
SCB count = 50
Kernel NEXTQSCB = 16
... LOTS OF KERNEL MESSAGES STRIPPED OUT

And after some more nmap:

bash-2.04# dmesg
25.137:937 in via fxp0
bash-2.04#

This is a real bug!

Jonny

--
João Carlos Mendes Luís            jonny@embratel.net.br
Networking Engineer                jonny@jonny.eng.br
Internet via Embratel              jcml@ieee.org