Date:      Thu, 1 Jun 2000 21:05:18 +0200 (CEST)
From:      Christian Weisgerber <naddy@mips.inka.de>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   kern/18952: fdesc-related panic
Message-ID:  <200006011905.VAA01256@bigeye.mips.inka.de>


>Number:         18952
>Category:       kern
>Synopsis:       fdesc-related panic
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jun 01 12:10:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Christian Weisgerber
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
UUGRN
>Environment:

fdesc mounted on /dev/fd. fdesc was loaded as a module.
Tested for 5.0-CURRENT i386 from May 18 and May 30.

>Description:

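An unprivileged user can accidentally panic the system with a
completely innocuous command. The backtrace below shows a kernel-mode
page fault (usermode=0, eva=52) reached from open() via vn_open();
frame #5 has no symbols, presumably because it lies in the fdesc
module, which was loaded separately from the kernel.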

----------------
#0  boot (howto=256) at ../../kern/kern_shutdown.c:303
#1  0xc0164599 in panic (fmt=0xc0267e4f "page fault")
    at ../../kern/kern_shutdown.c:553
#2  0xc023333e in trap_fatal (frame=0xc6155d74, eva=52)
    at ../../i386/i386/trap.c:927
#3  0xc0232ff1 in trap_pfault (frame=0xc6155d74, usermode=0, eva=52)
    at ../../i386/i386/trap.c:820
#4  0xc0232b7f in trap (frame={tf_fs = 16, tf_es = 16, tf_ds = 16,
      tf_edi = -976731072, tf_esi = -971678188, tf_ebp = -971678248,
      tf_isp = -971678304, tf_ebx = -971678208, tf_edx = 0, tf_ecx = 13,
      tf_eax = -971678268, tf_trapno = 12, tf_err = 0, tf_eip = -1063880518,
      tf_cs = 8, tf_eflags = 66195, tf_esp = -971678268, tf_ss = -971678208})
    at ../../i386/i386/trap.c:426
#5  0xc09678ba in ?? ()
#6  0xc01995ea in vn_open (ndp=0xc6155ecc, fmode=1026, cmode=420)
    at vnode_if.h:305
#7  0xc019561d in open (p=0xc5c84440, uap=0xc6155f80)
    at ../../kern/vfs_syscalls.c:995
#8  0xc02335f1 in syscall2 (frame={tf_fs = 47, tf_es = 47, tf_ds = 47,
      tf_edi = 8, tf_esi = 672161560, tf_ebp = -1077937912,
      tf_isp = -971677740, tf_ebx = 672096100, tf_edx = 672161560,
      tf_ecx = 15, tf_eax = 5, tf_trapno = 12, tf_err = 2, tf_eip = 672013048,
      tf_cs = 31, tf_eflags = 643, tf_esp = -1077937956, tf_ss = 47})
    at ../../i386/i386/trap.c:1126
#9  0xc02278a8 in Xint0x80_syscall ()
----------------
#
# BIGEYE -- bigeye.rhein-neckar.de (5.0-CURRENT)
#
# $FreeBSD: src/sys/i386/conf/GENERIC,v 1.246 2000/03/09 16:32:55 jlemon Exp $
#
# 2000-03-25 naddy

machine		i386
cpu		I586_CPU
ident		BIGEYE
maxusers	32

makeoptions	DEBUG=-g		#Build kernel with gdb(1) debug symbols

options 	INCLUDE_CONFIG_FILE     # Include this file in kernel

options 	AUTO_EOI_1
options 	AUTO_EOI_2

options 	INET			#InterNETworking
options 	FFS			#Berkeley Fast Filesystem
options 	FFS_ROOT		#FFS usable as root device [keep this!]
options 	SOFTUPDATES
options 	MFS			#Memory Filesystem
options 	NFS			#Network Filesystem
options 	CD9660			#ISO 9660 Filesystem
options 	PROCFS			#Process filesystem
options 	KERNFS			#Kernel filesystem
options 	COMPAT_43		#Compatible with BSD 4.3 [KEEP THIS!]
options 	SCSI_DELAY=10000	#Delay (in ms) before probing SCSI
options 	UCONSOLE		#Allow users to grab the console
options 	KTRACE			#ktrace(1) support
options 	DDB			#Enable the kernel debugger
options 	DDB_UNATTENDED		#Don't drop into DDB for a panic
options 	SYSVSHM			#SYSV-style shared memory
options 	SYSVMSG			#SYSV-style message queues
options 	SYSVSEM			#SYSV-style semaphores
options 	P1003_1B		#Posix P1003_1B real-time extentions
options 	_KPOSIX_PRIORITY_SCHEDULING
options 	ICMP_BANDLIM		#Rate limit bad replies

device		isa
device		pci

# Floppy drives
device		fdc0	at isa? port IO_FD1 irq 6 drq 2
device		fd0	at fdc0 drive 0

# SCSI Controllers
device		sym		# NCR/Symbios Logic (newer chipsets)

# SCSI peripherals
device		scbus		# SCSI bus (required)
device		da		# Direct Access (disks)
device		sa		# Sequential Access (tape etc)
device		cd		# CD
device		pass		# Passthrough device (direct SCSI access)

# atkbdc0 controls both the keyboard and the PS/2 mouse
device		atkbdc0	at isa? port IO_KBD
device		atkbd0	at atkbdc? irq 1
device		psm0	at atkbdc? irq 12

device		vga0	at isa?

# splash screen/screen saver
pseudo-device	splash

# syscons is the default console driver, resembling an SCO console
device		sc0	at isa?
options 	SC_ALT_MOUSE_IMAGE	# simplified mouse cursor in text mode
options 	SC_DISABLE_REBOOT	# disable reboot key sequence

# Floating point support - do not disable.
device		npx0	at nexus? port IO_NPX irq 13

# Serial (COM) ports
device		sio0	at isa? port IO_COM1 flags 0x10 irq 4
device		sio1	at isa? port IO_COM2 irq 3

# Parallel port
device		ppc0	at isa? irq 7
device		ppbus		# Parallel port bus (required)
device		lpt		# Printer

# PCI Ethernet NICs.
device		fxp		# Intel EtherExpress PRO/100B (82557, 82558)

# Sound
device		pcm		# For PnP/PCI sound cards

# Pseudo devices - the number indicates how many units to allocated.
pseudo-device	loop		# Network loopback
pseudo-device	ether		# Ethernet support
pseudo-device	tun		# Packet tunnel.
pseudo-device	pty		# Pseudo-ttys (telnet etc)
pseudo-device	vn		#Vnode driver (turns a file into a device)

# The `bpf' pseudo-device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
pseudo-device	bpf		#Berkeley packet filter
----------------

>How-To-Repeat:

$ fetch -o - http://sites.inka.de/mips/unix/freebsd/xterm.shar | sh

>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message



