https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=246182
Bug ID: 246182
Summary: Kernel panic with sendfile() on ext2fs mounted filesystems
Product: Base System
Version: 12.1-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: b...@freebsd.org
Reporter: seg...@go-beyond.org

sendfile() with ext2fs can cause a kernel panic. Tested on 12.1-RELEASE with x86_64 and ARMv7.

Steps:

1. Mount a filesystem with ext2fs.
2. open() a file under the mount point. Bigger files seem to work best, like 1GiB or so.
3. sendfile() that file descriptor to the socket of your choice (127.0.0.1 on some listening port that won't disconnect is fine, like nc -l 1234 > /dev/null).

It seems to be kind of random for when the kernel panics, but it happens inevitably. I've had it take anywhere from a second to maybe 10-20. Data speed seems to have an effect, but maybe it's just the total amount transferred. I'm not sure.

A web server like nginx that gives access to files mounted with ext2fs can trigger this if it's set up to use sendfile (I think most are). Or any user with access to an ext2fs mounted partition can trigger it. Does not have to be run as root.

I don't know if this can be skillfully exploited to give something more interesting than a kernel panic or not.
Sample code to help with testing:

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <fcntl.h>

char *self;

#define destinationPort 1234

int main(int argc, char **argv)
{
    self = argv[0];
    if (argc != 2) {
        fprintf(stderr, "Usage: %s <file>\n", self);
        return(2);
    }

    /* Source file; it should live under the ext2fs mount point. */
    int srcfp = open(argv[1], O_RDONLY);
    if (srcfp < 0) {
        perror("open");
        return(1);
    }

    int destinationSocket;
    if ((destinationSocket = socket(PF_INET, SOCK_STREAM, 0)) < 0) {
        perror("socket");
        return(1);
    }

    /* Connect to a listener on 127.0.0.1:destinationPort. */
    struct sockaddr_in sa;
    bzero(&sa, sizeof(sa));
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(destinationPort);
    if (connect(destinationSocket, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
        perror("connect");
        return(1);
    }

    /* Offset 0 and nbytes 0: send the whole file, no headers or trailers. */
    if (sendfile(srcfp, destinationSocket, 0, 0, NULL, 0, 0) != 0) {
        perror("sendfile");
        return(1);
    }

    close(srcfp);
    close(destinationSocket);
    return(0);
}
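
An added example, not part of the original report: a sh check an administrator could use to find which served paths sit on an ext2fs mount, where use of sendfile() is exposed to the panic described above. It assumes FreeBSD `mount -p` (fstab-style) output with no whitespace in mount points; the mount table, paths and function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample mount table in `mount -p` format:
# device  mountpoint  fstype  options  dump  pass
SAMPLE_MOUNTS='/dev/ada0p2 / ufs rw 1 1
devfs /dev devfs rw 0 0
/dev/da0s1 /mnt/usb ext2fs rw 0 0
/dev/ada0p3 /mnt/usb/cache ufs rw 2 2'

# fstype_for PATH: read a mount table on stdin and print the fstype of the
# longest mount point that owns PATH (nested mounts shadow their parents).
fstype_for() {
    awk -v p="$1" '
        {
            m = $2
            # A mount owns PATH if it equals PATH or PATH continues with "/".
            hit = (m == "/") ? (substr(p, 1, 1) == "/") \
                             : (p == m || index(p, m "/") == 1)
            if (hit && length(m) >= best) { best = length(m); fs = $3 }
        }
        END { if (fs != "") print fs; else exit 1 }
    '
}

# on_ext2 PATH [TABLE]: succeed if PATH is on an ext2fs mount.
# Without TABLE, the live table is read from `mount -p` (FreeBSD).
on_ext2() {
    table=${2:-$(mount -p)}
    [ "$(printf '%s\n' "$table" | fstype_for "$1")" = "ext2fs" ]
}

# audit TABLE PATH...: print every PATH that sits on ext2fs.
audit() {
    t=$1; shift
    for p in "$@"; do
        if on_ext2 "$p" "$t"; then echo "$p"; fi
    done
}

# Constructed paths: only the first one is on the ext2fs mount.
audit "$SAMPLE_MOUNTS" /mnt/usb/iso/big.img /usr/local/www /mnt/usb/cache/tmp
```

Any path it reports is one to serve without sendfile (for nginx, `sendfile off;`) or to move off ext2fs.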