Date: Sat, 11 Feb 2006 01:12:18 -0500 (EST) From: Kris Kennaway <kris@FreeBSD.org> To: FreeBSD-gnats-submit@FreeBSD.org Subject: kern/93170: Changing system date causes panic in nd6_timer Message-ID: <20060211061218.D34635152B@obsecurity.dyndns.org> Resent-Message-ID: <200602110620.k1B6K7x5056965@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 93170 >Category: kern >Synopsis: Changing system date causes panic in nd6_timer >Confidential: no >Severity: serious >Priority: high >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Sat Feb 11 06:20:07 GMT 2006 >Closed-Date: >Last-Modified: >Originator: Kris Kennaway >Release: FreeBSD 7.0-CURRENT amd64 >Organization: >Environment: FreeBSD/amd64 >Description: I ran ntpdate on an amd64 system with ipv6 enabled and a skewed clock (ntpdate stepped it back by about an hour), and immediately got a use-after-free panic in ifaddr. When I rebooted with memguard enabled on this malloc type and retried, I got this panic upon changing the date forward, then back, then forward again (also note the garbage return data from ntpdate): # date 200606011200 Thu Jun 1 12:00:00 UTC 2006 # ntpdate ntp.apple.com 16 Jan 00:40:18 ntpdate[612]: step time server 17.254.0.28 offset -~9000pm6}9426375508.195959 sec # date 200606011200 Thu Jun 1 12:00:00 UTC 2006 Fatal trap 12: page fault while in kernel mode cpuid = 0; apic id = 00 fault virtual address = 0xffffffff91bd2198 fault code = supervisor write, protection violation instruction pointer = 0x8:0xffffffff80321346 stack pointer = 0x10:0xffffffffbcfa1b60 frame pointer = 0x10:0xffffffffbcfa1b90 code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, long 1, def32 0, gran 1 processor eflags = interrupt enabled, resume, IOPL = 0 current process = 14 (swi4: clock sio) [thread pid 14 tid 100010 ] Stopped at nd6_timer+0x106: movl %eax,0x198(%rbx) db> wh Tracing pid 14 tid 100010 td 0xffffff03e15d6c30 nd6_timer() at nd6_timer+0x106 softclock() at softclock+0x279 ithread_execute_handlers() at ithread_execute_handlers+0x12f ithread_loop() at ithread_loop+0x99 fork_exit() at fork_exit+0xdf fork_trampoline() at fork_trampoline+0xe --- trap 0, rip = 0, rsp = 0xffffffffbcfa1d40, rbp = 0 --- Unfortunately I can't dump on this system, but: (kgdb) list *(nd6_timer+0x106) 0xffffffff80321346 is in nd6_timer (../../../netinet6/nd6.c:585). 580 goto addrloop; /* XXX: see below */ 581 } 582 if (IFA6_IS_DEPRECATED(ia6)) { 583 int oldflags = ia6->ia6_flags; 584 585 ia6->ia6_flags |= IN6_IFF_DEPRECATED; 586 587 /* 588 * If a temporary address has just become deprecated, 589 * regenerate a new one if possible. >How-To-Repeat: Run the above two commands in a loop >Fix: >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060211061218.D34635152B>