From owner-freebsd-bugs@FreeBSD.ORG Tue Jul 4 12:20:25 2006
Message-Id: <200607041212.k64CCMtE000910@opera.isl.rdc.toshiba.co.jp>
Date: Tue, 4 Jul 2006 21:12:22 +0900 (JST)
From: JINMEI Tatuya
To: FreeBSD-gnats-submit@FreeBSD.org
Reply-To: JINMEI Tatuya
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Date: Tue, 4 Jul 2006 12:20:24 GMT
X-Send-Pr-Version: 3.113
Subject: kern/99779: kernel panic due to Invalid next packet identification in soreceive()
List-Id: Bug reports

>Number:         99779
>Category:       kern
>Synopsis:       kernel panic due to Invalid next packet identification in soreceive()
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 04 12:20:23 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     JINMEI Tatuya
>Release:        FreeBSD 6.1-RELEASE-p2 i386
>Organization:   Toshiba Corporation / KAME Project
>Environment:
System: FreeBSD opera.isl.rdc.toshiba.co.jp 6.1-RELEASE-p2 FreeBSD 6.1-RELEASE-p2 #2: Tue Jul 4 20:29:29 JST 2006 jinmei@opera.isl.rdc.toshiba.co.jp:/local/usr.local/freebsd/src/sys/i386/compile/GENERIC i386
Intel Pentium 4 1.7GHz, FreeBSD 6.1R, no particular patch
>Description:
If an AF_INET6 socket receives an empty packet with an ancillary data object, soreceive() will point to a bogus place in the socket buffer, which can subsequently cause a kernel panic. Such an empty packet can be sent to the socket by the use of the IPv6 IPV6_RECVPATHMTU socket option. Any non-privileged user can (potentially) trigger this bug.
>How-To-Repeat:
Compile the following code, set the MTU of the loopback interface to some small value (e.g., 1500) by

# ifconfig lo0 mtu 1500

and then run this program.
/* The header names were lost in the archived copy of this message (the
 * angle brackets were stripped); these are the headers the code needs. */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int
main(void)
{
	int cc, s, on, error;
	char buf[4096];
	struct addrinfo *res, hints;
	struct sockaddr_in6 from;
	socklen_t fromlen;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = AF_INET6;
	hints.ai_socktype = SOCK_DGRAM;
	hints.ai_protocol = IPPROTO_UDP;
	error = getaddrinfo("::1", "5000", &hints, &res);
	if (error != 0) {
		fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(error));
		exit(1);
	}
	s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
	if (s < 0) {
		perror("socket");
		exit(1);
	}
	/* Ask for path MTU notifications to be delivered as ancillary data. */
	on = 1;
	if (setsockopt(s, IPPROTO_IPV6, IPV6_RECVPATHMTU, &on, sizeof(on)) != 0) {
		perror("setsockopt(IPV6_RECVPATHMTU)");
		exit(1);
	}
	/* Forbid fragmentation so that the oversized datagram below is refused
	 * with a path MTU notification instead of being fragmented. */
	on = 1;
	if (setsockopt(s, IPPROTO_IPV6, IPV6_DONTFRAG, &on, sizeof(on)) != 0) {
		perror("setsockopt(IPV6_DONTFRAG)");
		exit(1);
	}
	if (bind(s, res->ai_addr, res->ai_addrlen) < 0) {
		perror("bind");
		exit(1);
	}
	/* 4096 bytes exceeds the lowered lo0 MTU; the notification arrives as an
	 * empty packet carrying only an ancillary data object. */
	cc = sendto(s, buf, sizeof(buf), 0, res->ai_addr, res->ai_addrlen);
	if (cc < 0)
		perror("sendto");
	fromlen = sizeof(from);
	/* Reading that empty record is what takes soreceive() down the bad path. */
	cc = recvfrom(s, buf, sizeof(buf), 0, (struct sockaddr *)&from, &fromlen);
	if (cc < 0)
		perror("recvfrom");
	freeaddrinfo(res);
	exit(0);
}
>Fix:
A patch that fixes the problem is attached below. FreeBSD 5.x also seems to have the same bug.

--- uipc_socket.c	Tue Jul 4 20:29:16 2006
+++ uipc_socket.c.new	Mon Jul 3 14:04:42 2006
@@ -1169,7 +1169,10 @@
 			}
 			cm = cmn;
 		}
-		nextrecord = so->so_rcv.sb_mb->m_nextpkt;
+		if (m != NULL)
+			nextrecord = so->so_rcv.sb_mb->m_nextpkt;
+		else
+			nextrecord = so->so_rcv.sb_mb;
 		orig_resid = 0;
 	}
 	if (m != NULL) {
>Release-Note:
>Audit-Trail:
>Unformatted:
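Review bot: the new else branch carries no explanation of why so->so_rcv.sb_mb itself, rather than its m_nextpkt, is the next record when m is NULL, and the pre-patch line shows that this case is easy to miss; add a comment above `if (m != NULL)` stating the invariant the branch relies on (once every mbuf of the record has been consumed as control data, sb_mb already refers to the following record, so reading sb_mb->m_nextpkt either skips a record or dereferences a NULL sb_mb, which is the panic this PR reports). The m != NULL branch still dereferences sb_mb unconditionally, so a KASSERT(so->so_rcv.sb_mb != NULL, ...) there would document that m being non-NULL is taken to guarantee a non-NULL sb_mb.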
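To make the record walk the patch corrects visible outside a kernel, here is an added userland model; it is not FreeBSD code and not part of this PR. It keeps only the two mbuf links involved, performs the control-stripping and re-link step that soreceive() runs before the changed line (the re-link behaviour and the cut-down structures are assumptions), and evaluates that line in both its pre-patch and patched form against the PR's scenario of a record holding nothing but ancillary data.

```c
#include <stddef.h>
enum { MT_DATA = 1, MT_CONTROL = 14 };           /* type codes as in sys/mbuf.h */
/* Cut-down mbuf: m_next links mbufs of one record, m_nextpkt links records. */
struct mbuf { struct mbuf *m_next, *m_nextpkt; int m_type; };
struct sockbuf { struct mbuf *sb_mb; };          /* first record in the buffer */

/* Consume the leading MT_CONTROL mbufs of the first record as soreceive()
 * does, then re-link the record list the way the kernel's pushsync step
 * does (assumed here). Returns the first remaining mbuf, NULL if none. */
static struct mbuf *strip_control(struct sockbuf *sb)
{
    struct mbuf *nextrecord = sb->sb_mb->m_nextpkt, *m = sb->sb_mb;
    while (m != NULL && m->m_type == MT_CONTROL) {
        sb->sb_mb = m->m_next;                   /* control mbuf goes to the caller */
        m = sb->sb_mb;
    }
    if (sb->sb_mb != NULL)
        sb->sb_mb->m_nextpkt = nextrecord;       /* record still has data: re-link */
    else
        sb->sb_mb = nextrecord;                  /* exhausted: sb_mb is now the NEXT record */
    return m;
}

/* The expression the patch changes: fixed == 0 is the pre-patch line,
 * fixed != 0 the patched one. *panic is set where the pre-patch line
 * would dereference a NULL sb_mb, i.e. the panic this PR reports. */
static struct mbuf *next_record(struct sockbuf *sb, struct mbuf *m, int fixed, int *panic)
{
    *panic = 0;
    if (fixed && m == NULL)
        return sb->sb_mb;
    if (sb->sb_mb == NULL) { *panic = 1; return NULL; }
    return sb->sb_mb->m_nextpkt;
}

/* Constructed scenario: record A carries ancillary data (a control mbuf) with
 * or without payload; record B, if present, is a plain data packet behind it.
 * Returns 1 if the next record is right, 0 if B would be lost, -1 on panic. */
int check_scenario(int a_has_data, int with_record_b, int fixed)
{
    struct mbuf ctl = { NULL, NULL, MT_CONTROL }, adata = { NULL, NULL, MT_DATA };
    struct mbuf bdata = { NULL, NULL, MT_DATA }, *expect, *m, *nr;
    struct sockbuf sb = { &ctl };
    int panic;
    ctl.m_next = a_has_data ? &adata : NULL;
    expect = ctl.m_nextpkt = with_record_b ? &bdata : NULL;
    m = strip_control(&sb);
    nr = next_record(&sb, m, fixed, &panic);
    return panic ? -1 : (nr == expect ? 1 : 0);
}
```

With the pre-patch expression, an empty-payload record followed by a data record loses that data record (check_scenario(0, 1, 0) returns 0) and an empty-payload record alone dereferences NULL (check_scenario(0, 0, 0) returns -1); every combination returns 1 with the patched expression.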