From owner-freebsd-amd64@FreeBSD.ORG Sun Aug 30 14:44:58 2009
Date: Sun, 30 Aug 2009 17:44:52 +0300
From: Kostik Belousov
To: freebsd-amd64@freebsd.org
Cc: freebsd-current@freebsd.org
Subject: Re: sshd failing in jail
Message-ID: <20090830144452.GK1881@deviant.kiev.zoral.com.ua>
In-Reply-To: <20090829233454.GA13036@server.vk2pj.dyndns.org>

On Sun, Aug 30, 2009 at 09:34:54AM +1000, Peter Jeremy wrote:
> [Redirected to amd64 because this is an amd64 kernel bug]
>
> On 2009-Aug-25 05:33:44 +1000, Peter Jeremy wrote:
> >I am attempting to build an i386 jail on an amd64 box to build
> >packages for my netbook. The host is running -current from just over
> >two weeks ago and the jail is -current from early June. The jail was
> >built by doing a dump|restore of my netbook and then tweaking various
> >config files to give it a new identity. The jail's devfs is using
> >"devfsrules_jail" from /etc/default/devfs.rules.
> >
> >The jail starts OK but when I attempt to ssh into it, I just get
> >"Connection closed by ".
>
> Turns out this is a bug in the 32-bit select(2) wrapper on 64-bit
> kernels.
> The userland fd_set arguments are not wrapped but passed
> directly to kern_select(). Unfortunately, fd_set is (effectively) an
> array of longs which means kern_select() assumes fd_set is a multiple
> of 8-bytes whilst userland assumes it is a multiple of 4 bytes. As a
> result, the kernel can over-write an extra 4 bytes of user memory. In
> the case of sshd, this causes part of the RSA host key to be trashed
> when privilege separation mode is enabled.
>
> This bug also affects linux emulation on amd64 and potentially affects
> any other 64-bit kernels with 32-bit emulation modes. I have raised
> amd64/138318 to cover it.

I do not think that we can go the proposed route, since changing the type
of __fd_mask changes the type of fd_set. The latter would not affect the
kernel ABI, but definitely changes the ABI of any code that passes fd_sets.

Also, looking closely at the issue you found, I think that copyin is
problematic in the same way as copyout, since we can end up reading one
more word than userspace supplied. This is not a problem only because most
user code keeps fd_sets on the stack.

Could you test that the patch below fixes the real sshd issue? At least, it
passes your select test from the PR.

diff --git a/sys/compat/freebsd32/freebsd32_misc.c b/sys/compat/freebsd32/f= reebsd32_misc.c index 466aab4..71b22aa 100644 --- a/sys/compat/freebsd32/freebsd32_misc.c +++ b/sys/compat/freebsd32/freebsd32_misc.c @@ -589,7 +589,8 @@ freebsd32_select(struct thread *td, struct freebsd32_se= lect_args *uap) * XXX big-endian needs to convert the fd_sets too. * XXX Do pointers need PTRIN()? */ - return (kern_select(td, uap->nd, uap->in, uap->ou, uap->ex, tvp)); + return (kern_select(td, uap->nd, uap->in, uap->ou, uap->ex, tvp, + sizeof(int32_t) * 8)); } =20 /* diff --git a/sys/compat/linux/linux_misc.c b/sys/compat/linux/linux_misc.c index 267da07..1d5eaf8 100644 --- a/sys/compat/linux/linux_misc.c +++ b/sys/compat/linux/linux_misc.c
@@ -522,7 +522,7 @@ linux_select(struct thread *td, struct linux_select_arg= s *args) tvp =3D NULL; =20 error =3D kern_select(td, args->nfds, args->readfds, args->writefds, - args->exceptfds, tvp); + args->exceptfds, tvp, sizeof(l_int) * 8); =20 #ifdef DEBUG if (ldebug(select)) diff --git a/sys/kern/sys_generic.c b/sys/kern/sys_generic.c index bd0f279..6831fe8 100644 --- a/sys/kern/sys_generic.c +++ b/sys/kern/sys_generic.c @@ -774,12 +774,13 @@ select(td, uap) } else tvp =3D NULL; =20 - return (kern_select(td, uap->nd, uap->in, uap->ou, uap->ex, tvp)); + return (kern_select(td, uap->nd, uap->in, uap->ou, uap->ex, tvp, + NFDBITS)); } =20 int kern_select(struct thread *td, int nd, fd_set *fd_in, fd_set *fd_ou, - fd_set *fd_ex, struct timeval *tvp) + fd_set *fd_ex, struct timeval *tvp, int abi_nfdbits) { struct filedesc *fdp; /* @@ -792,7 +793,7 @@ kern_select(struct thread *td, int nd, fd_set *fd_in, f= d_set *fd_ou, fd_mask *ibits[3], *obits[3], *selbits, *sbp; struct timeval atv, rtv, ttv; int error, timo; - u_int nbufbytes, ncpbytes, nfdbits; + u_int nbufbytes, ncpbytes, ncpubytes, nfdbits; =20 if (nd < 0) return (EINVAL); @@ -806,6 +807,7 @@ kern_select(struct thread *td, int nd, fd_set *fd_in, f= d_set *fd_ou, */ nfdbits =3D roundup(nd, NFDBITS); ncpbytes =3D nfdbits / NBBY; + ncpubytes =3D roundup(nd, abi_nfdbits) / NBBY; nbufbytes =3D 0; if (fd_in !=3D NULL) nbufbytes +=3D 2 * ncpbytes; @@ -832,9 +834,11 @@ kern_select(struct thread *td, int nd, fd_set *fd_in, = fd_set *fd_ou, ibits[x] =3D sbp + nbufbytes / 2 / sizeof *sbp; \ obits[x] =3D sbp; \ sbp +=3D ncpbytes / sizeof *sbp; \ - error =3D copyin(name, ibits[x], ncpbytes); \ + error =3D copyin(name, ibits[x], ncpubytes); \ if (error !=3D 0) \ goto done; \ + bzero((char *)ibits[x] + ncpubytes, \ + ncpbytes - ncpubytes); \ } \ } while (0) getbits(fd_in, 0); 
@@ -888,7 +892,7 @@ done: if (error =3D=3D EWOULDBLOCK) error =3D 0; #define putbits(name, x) \ - if (name && (error2 =3D copyout(obits[x], name, ncpbytes))) \ + if (name && (error2 =3D copyout(obits[x], name, ncpubytes))) \ error =3D error2; if (error =3D=3D 0) { int error2; diff --git a/sys/sys/syscallsubr.h b/sys/sys/syscallsubr.h index d0f209c..e1c83cc 100644 --- a/sys/sys/syscallsubr.h +++ b/sys/sys/syscallsubr.h 
@@ -170,7 +170,7 @@ int kern_sched_rr_get_interval(struct thread *td, pid_t= pid, int kern_semctl(struct thread *td, int semid, int semnum, int cmd, union semun *arg, register_t *rval); int kern_select(struct thread *td, int nd, fd_set *fd_in, fd_set *fd_ou, - fd_set *fd_ex, struct timeval *tvp); + fd_set *fd_ex, struct timeval *tvp, int abi_nfdbits); int kern_sendfile(struct thread *td, struct sendfile_args *uap, struct uio *hdr_uio, struct uio *trl_uio, int compat); int kern_sendit(struct thread *td, int s, struct msghdr *mp, int flags,
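Review bot: In the kern_select() hunks of sys/kern/sys_generic.c, nothing bounds abi_nfdbits before `ncpubytes = roundup(nd, abi_nfdbits) / NBBY` is computed and before the new bzero() in getbits is handed `ncpbytes - ncpubytes` as its length. Both values are u_int, so a width that makes ncpubytes larger than ncpbytes would wrap that length, and a width of zero would divide by zero inside roundup(). The callers in this patch pass sizeof(int32_t) * 8, sizeof(l_int) * 8 and NFDBITS, so a KASSERT that abi_nfdbits is positive and that ncpubytes <= ncpbytes would record the contract and catch a future caller that breaks it.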
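Review bot: The new last argument in the freebsd32_select() and linux_select() hunks spells the bit width as `sizeof(int32_t) * 8` and `sizeof(l_int) * 8`, while kern_select() converts with NBBY; `* NBBY` would match. In the freebsd32 hunk the existing comment "XXX big-endian needs to convert the fd_sets too" is left unchanged above the call; since the patch shortens the copy without converting the words, that comment should be extended to say the shortened copy is only correct on little-endian.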
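Review bot: The new `int abi_nfdbits` parameter is undocumented at both the kern_select() definition in sys/kern/sys_generic.c and the prototype in sys/sys/syscallsubr.h. A one-line comment saying it is the width in bits of the caller ABI's fd_mask, and that native callers pass NFDBITS, would save the next caller from reading the getbits/putbits macros to find out. The local ncpubytes next to ncpbytes deserves a comment too, since the names differ by one letter and only one of them is the size userland actually owns.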
From: FreeBSD bugmaster
To: freebsd-amd64@FreeBSD.org
Subject: Current problem reports assigned to freebsd-amd64@FreeBSD.org
X-List-Received-Date: Mon, 31 Aug 2009 11:07:00 -0000

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o amd64/138318 amd64      [libc] [patch] select(2) in i386 emulation can overwri
o amd64/138220 amd64      [patch] FreeBSD/amd64 can't see all system memory
o amd64/138029 amd64      [panic] periodically kernel panic and reboot
o amd64/137942 amd64      8.0-BETA2 having problems with Asus M2N-SLI-deluxe mot
o amd64/136814 amd64      [mxge] mxge driver error
s i386/135447  amd64      [i386] [request] Intel Core i7 and Nehalem-EP new feat
o amd64/135265 amd64      [install] Boot from install cd hangs on HP DL160 G5 wi
o amd64/135040 amd64      [ata] FreeBSD/amd64 does not (always) detect disk on S
o amd64/134978 amd64      [panic] g_up pmap amd64 panic
o amd64/134757 amd64      32 bit processes on 64 bit platforms occasionally drop
o amd64/133977 amd64      [panic] [ffs] "panic: ffs_blkfree: freeing free block"
o amd64/133701 amd64      Recompiling the kernel with k8temp or smbios break GEO
o amd64/132574 amd64      [boot] [hang] Freeze on bootstrap loader (CD) using AT
o amd64/132372 amd64      [ata] No disks found (nVidia nForce MCP55 sata control
o amd64/132019 amd64      [install] kernel trap 12 while installation
o amd64/131906 amd64      [ata] SATA data corruption with Promise PDC20378 (amd6
o amd64/131456 amd64      ACPI & ATA problems
o amd64/131314 amd64      [modules] [panic] large modules fail to load on amd64
o amd64/131209 amd64      [panic] [bce] 7.1-STABLE amd64 crash - m0 NULL
f amd64/130885 amd64      sockstat(1) on amd64 does not work
o amd64/130864 amd64      [hang] Problem with copying files to a large partition
o amd64/130817 amd64      FreeBSD does not support HP DL160G5 [regression]
o amd64/130494 amd64      [boot] netbooting BTX fails on amd64
o amd64/130483 amd64      [mxge] MSI must be disabled when Myricom 10Gbps Card i
o amd64/130368 amd64      [hang] Switching from xorg to console locks up compute
o amd64/129889 amd64      [boot] [hang] The booting process stops at the line mo
o amd64/129721 amd64      [hang] Motherboard K9N2G Neo-FD hangs on boot of 7.0-R
o amd64/129667 amd64      [ata] Elitegroup A780GM-A IDE controller not recognize
o amd64/129426 amd64      [panic] FreeBSD 7.0 crash after subdiskXX: detached
o amd64/129315 amd64      [boot] [reboot] amd64 motherboard: Intel DG965WH mothe
o amd64/128978 amd64      [install] FreeBSD 6.3 64-bit panics at boot time duri
o amd64/128810 amd64      AMD 64 port installation
o amd64/128765 amd64      [install] Install CD loads to Install choices but stop
o amd64/128686 amd64      [ata] can't detect SATA Disk on 8.0-Current with NF550
o amd64/128263 amd64      [panic] 2 amd64 dl380 g5 with dual quadcore xeons, 8 a
o amd64/128259 amd64      csh(1): "`" crashes csh
o amd64/127640 amd64      gcc(1) will not build shared libraries with -fprofile-
o amd64/127484 amd64      [timecounters] Drift problem with FreeBSD 7.0 and 7.1
o amd64/127451 amd64      [scheduler] incorrect load on quad core
o amd64/127397 amd64      [amd64] 32bit application on FreeBSD-6.3 amd64 gets SI
s amd64/127276 amd64      ldd(1) invokes linux yes
o amd64/127129 amd64      mdconfig(8) is core dumping with Segmentation Fault 11
o amd64/125873 amd64      [smbd] [panic] Repeated kernel panics, trap 12 page fa
o amd64/125002 amd64      [install] amd64, SATA hard disks not detected
o amd64/124432 amd64      [panic] 7.0-STABLE panic: invalbuf: dirty bufs
o amd64/124134 amd64      [kernel] The kernel doesn't follow the calling convent
o amd64/123562 amd64      [install] FreeBSD amd64 not installs
o amd64/123520 amd64      [ahd] unable to boot from net while using ahd
o amd64/123456 amd64      fstat(1): /usr/bin/fstat shows error messages and hang
f amd64/123275 amd64      [cbb] [pcmcia] cbb/pcmcia drivers on amd64 failure [re
o kern/122782  amd64      [modules] accf_http.ko kernel module is not loadable
o amd64/122695 amd64      [cpufreq] Lack of cpufreq control using amd64 eith cor
o amd64/122624 amd64      unusable minimal installation of FreeBSD-7.0
o amd64/122549 amd64      7.0-RELEASE-amd64-bootonly.iso doesn't work w/ serial
o amd64/122468 amd64      Compile problems after upgrading to 7.0
o amd64/122174 amd64      [panic] 7.0 no longer includes "device atpic" so fails
o amd64/121590 amd64      [est] [p4tcc] [acpi_perf] setting dev.cpu.0.freq somet
o amd64/120202 amd64      [amd64] [patch] [panic] kernel panic at start_all_aps,
o amd64/119591 amd64      [amd64] [patch] time_t on 64-bit architecture
o amd64/117418 amd64      [hang] FreeBSD 6.2 crash on amd64 4400+ with ssh
o amd64/117316 amd64      [acpi] ACPI lockups on SuperMicro motherboard
o amd64/117296 amd64      [ata] I don`t see second SATA IDE on VIA VT8237A
a amd64/117186 amd64      [modules] kldload Unsupported file type on STABLE amd6
s amd64/116689 amd64      [request] support for MSI K9MM-V
o amd64/116620 amd64      [hang] ifconfig spins when creating carp(4) device on
o amd64/116322 amd64      [panic] At start fsck on current, the system panics
o amd64/116159 amd64      [panic] Panic while debugging on CURRENT
s amd64/115815 amd64      [ata] [request] Gigabyte GA-M61P-S3 Motherboard unsupp
o amd64/115581 amd64      [Makefile] [patch] -mfancy-math-387 has no effect
o amd64/115194 amd64      LCD screen remains blank after Dell XPS M1210 lid is c
o amd64/114270 amd64      [cpufreq] cpufreq doesnt work when compiled in to kern
o amd64/112222 amd64      [libc] 32-bit libc incorrectly converts some FP number
o amd64/110599 amd64      [geli] geli attach to gmirror device hangs and cannot
s amd64/108861 amd64      [nve] nve(4) driver on FreeBSD 6.2 AMD64 does not work
o amd64/106186 amd64      [panic] panic in swap_pager_swap_init (amd64/smp/6.2-p
f amd64/105531 amd64      [ata] gigabyte GA-M51GM-S2G / nVidia nForce 430 - does
f amd64/105514 amd64      [boot] FreeBSD/amd64 - Fails to boot on HP Pavilion dv
o amd64/102716 amd64      ex with no argument in an xterm gets SIGSEGV
o amd64/97337  amd64      [dri] xorg reboots system if dri module is enabled
o amd64/95888  amd64      [ata] kernel: ad2: TIMEOUT - WRITE_DMA retrying on HP
o amd64/94677  amd64      [panic] panic in amd64 install at non-root user creati
o amd64/93961  amd64      [busdma] Problem in bounce buffer handling in sys/amd6
o amd64/92337  amd64      [em] FreeBSD 6.0 Release Intel Pro 1000 MT em1 no buff
o amd64/91405  amd64      [asr] [panic] Kernel panic caused by asr on 6.0-amd64
o amd64/89501  amd64      [install] System crashes on install using ftp on local
o amd64/88790  amd64      [panic] kernel panic on first boot (after the FreeBSD
o amd64/88568  amd64      [panic] 6.0-RELEASE install cd does not boot with usb
o amd64/87689  amd64      [powerd] [hang] powerd hangs SMP Opteron 244 5-STABLE
o amd64/87316  amd64      [vge] "vge0 attach returned 6" on FreeBSD 6.0-RC1 amd6
o amd64/87305  amd64      [smp] Dual Opteron / FreeBSD 5 & 6 / powerd results in
s amd64/85273  amd64      [install] FreeBSD (NetBSD or OpenBSD) not install on l
o amd64/78406  amd64      [panic]AMD64 w/ SCSI: issue 'rm -r /usr/ports' and sys
o amd64/76136  amd64      [hang] system halts before reboot
o amd64/74747  amd64      [panic] System panic on shutdown when process will not

94 problems total.
From owner-freebsd-amd64@FreeBSD.ORG Mon Aug 31 12:23:59 2009
From: John Baldwin
To: freebsd-amd64@freebsd.org, Peter Jeremy
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: amd64/138318: [patch] select(2) in i386 emulation can overwrite user data
Date: Mon, 31 Aug 2009 08:23:27 -0400
Message-Id: <200908310823.27390.jhb@freebsd.org>
In-Reply-To: <200908292303.n7TN3WLe081443@server.vk2pj.dyndns.org>

On Saturday 29 August 2009 7:03:32 pm Peter Jeremy wrote:
>
> >Number: 138318
> >Category: amd64
> >Synopsis: [patch] select(2) in i386 emulation can overwrite user data
> >Confidential: no
> >Severity: critical
> >Priority: high
> >Responsible: freebsd-amd64
> >State: open
> >Quarter:
> >Keywords:
> >Date-Required:
> >Class: sw-bug
> >Submitter-Id: current-users
> >Arrival-Date: Sat Aug 29 23:10:01 UTC 2009
> >Closed-Date:
> >Last-Modified:
> >Originator: Peter Jeremy
> >Release: FreeBSD 8.0-BETA2 amd64
> >Organization:
> n/a
> >Environment:
> System: FreeBSD server.vk2pj.dyndns.org 8.0-BETA2 FreeBSD 8.0-BETA2 #8: Sat Aug 8 21:54:17 EST 2009 root@server.vk2pj.dyndns.org:/var/obj/usr/src/sys/server amd64
>
> Code inspection shows that this bug still exists in 9-current.
>
> >Description:
> The select() wrapper for freebsd32 and linux32 emulation does not
> wrap the fd_set arguments. fd_set is an array of fd_mask - which
> is 'long' on all architectures. This means that kern_select() on
> 64-bit kernels expects that the fd_set arguments are arrays of
> 8-byte objects whilst 32-bit code passes arrays of 4-byte objects.
> As a result, the kernel can overwrite 4-bytes more than userland
> expects.
>
> This obviously breaks 32-bit sshd with PrivilegeSeparation enabled
> but may have other less-obvious breakage.
>
> >How-To-Repeat:
>
> Run a FreeBSD/i386 sshd on FreeBSD/amd64:
>
> server# file /tank/aspire/usr/sbin/sshd
> /tank/aspire/usr/sbin/sshd: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), dynamically linked (uses shared libs), for FreeBSD 8.0 (800096), stripped
> server# /tank/aspire/usr/sbin/sshd -p 8022 -d -o UsePrivilegeSeparation=yes
> debug1: sshd version OpenSSH_5.1p1 FreeBSD-20080801
> ...
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
> debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
> buffer_put_bignum2_ret: BN too small
> buffer_put_bignum2: buffer error
> debug1: do_cleanup
> debug1: do_cleanup
> server#
>
> As a more contrived (but more obvious) example, compile the following
> code on i386 and run it on amd64:
>
> ---- 8-< ---- 8-< ---- 8-< ---- 8-< ---- 8-< ---- 8-< ---- 8-< ----
> #include <sys/select.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
>
> int main(void)
> {
> 	fd_set *fd, *rd, *wr, *ex;
> 	int r;
> 	fd = malloc(sizeof(fd_mask) * 3 * 4);
> 	memset(fd, 0xa5, sizeof(fd_mask) * 3 * 4);
> 	rd = (fd_set *)&fd->fds_bits[1];
> 	wr = (fd_set *)&fd->fds_bits[5];
> 	ex = (fd_set *)&fd->fds_bits[9];
> 	rd->fds_bits[0] = wr->fds_bits[0] = ex->fds_bits[0] = 0;
> 	FD_SET(0, rd);
> 	FD_SET(1, wr);
> 	FD_SET(2, wr);
> 	FD_SET(0, ex);
> 	FD_SET(1, ex);
> 	FD_SET(2, ex);
> 	printf("read: %08lx %08lx %08lx %08lx\n",
> 	    fd->fds_bits[0], fd->fds_bits[1], fd->fds_bits[2], fd->fds_bits[3]);
> 	printf("write: %08lx %08lx %08lx %08lx\n",
> 	    fd->fds_bits[4], fd->fds_bits[5], fd->fds_bits[6], fd->fds_bits[7]);
> 	printf("except: %08lx %08lx %08lx %08lx\n",
> 	    fd->fds_bits[8], fd->fds_bits[9], fd->fds_bits[10], fd->fds_bits[11]);
> 	r = select(3, rd, wr, ex, NULL);
> 	printf("select returns %d:\n", r);
> 	printf("read: %08lx %08lx %08lx %08lx\n",
> 	    fd->fds_bits[0], fd->fds_bits[1], fd->fds_bits[2], fd->fds_bits[3]);
> 	printf("write: %08lx %08lx %08lx %08lx\n",
> 	    fd->fds_bits[4], fd->fds_bits[5], fd->fds_bits[6], fd->fds_bits[7]);
> 	printf("except: %08lx %08lx %08lx %08lx\n",
> 	    fd->fds_bits[8], fd->fds_bits[9], fd->fds_bits[10], fd->fds_bits[11]);
> 	return 0;
> }
> ---- 8-< ---- 8-< ---- 8-< ---- 8-< ---- 8-< ---- 8-< ---- 8-< ----
> server# /tank/aspire/root/seltest
> read: a5a5a5a5 00000001 a5a5a5a5 a5a5a5a5
> write: a5a5a5a5 00000006 a5a5a5a5 a5a5a5a5
> except: a5a5a5a5 00000007 a5a5a5a5 a5a5a5a5
> read: a5a5a5a5 00000000 00000000 a5a5a5a5
> write: a5a5a5a5 00000006 00000000 a5a5a5a5
> except: a5a5a5a5 00000000 00000000 a5a5a5a5
> server#
>
> >Fix:
> Either:
> 1) Change the definition of fd_mask from ulong to uint32 (at least within
> the kernel)
> 2) Wrap the fd_set arguments on freebsd32 and linux for 64-bit kernels.
>
> The latter may appear stylistically cleaner but requires significantly
> more effort because the fd_set copyin()s are all currently done within
> kern_select() and are non-trivial blocks of code to optimise performance
> whilst minimising kvm usage. The attached patch therefore implements
> the former behaviour:
> Index: select.h > =================================================================== > RCS file: /usr/ncvs/src/sys/sys/select.h,v > retrieving revision 1.20 > diff -u -r1.20 select.h > --- select.h 6 Jan 2006 22:12:46 -0000 1.20 > +++ select.h 29 Aug 2009 23:00:08 -0000
> @@ -39,7 +39,7 @@ > #include > #include > > -typedef unsigned long __fd_mask; > +typedef __uint32_t __fd_mask; > #if __BSD_VISIBLE > typedef __fd_mask fd_mask; > #endif

I think this would break the ABI of select() for old binaries (compiled with
fd_mask == long) on 64-bit big-endian archs (i.e. sparc64).

I think you could manage 2) by having kern_select() accept an 'int nfdbits'
parameter that replaces 'NFDBITS' when computing nfdbits. That will work fine
for now as all our COMPAT32 archs are little-endian. If we wanted to support
COMPAT32 on big endian then you could pass an operations vector to
kern_select() that has wrappers for copying in/out fd_set lists similar to
what is done with kern_kevent().

-- 
John Baldwin
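Review bot: The typedef change in the quoted select.h hunk is unconditional, while the Fix text proposes changing fd_mask "at least within the kernel". The `#if __BSD_VISIBLE` context directly below the changed line exports `__fd_mask` to userland as `fd_mask`, so as written every userland consumer of fd_mask gets the narrower type as well. If the kernel-only variant is what is meant, the new typedef needs a `_KERNEL` guard; either way the PR text and the hunk should agree on which one is proposed.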
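The byte counts behind the overwrite described in the PR, and the effect of passing the caller's fd_mask width as suggested above, as a user-space model. This is an added example, not code from the thread or from FreeBSD; model_select(), clobbered_bytes(), fdset_bytes() and the MAXND limit are hypothetical names, and readiness is only modelled for descriptors 0..63.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NBBY          8    /* bits per byte */
#define KERN_NFDBITS  64   /* fd_mask is a 64-bit long inside an amd64 kernel */
#define ABI32_NFDBITS 32   /* fd_mask is a 32-bit long in an i386 process */
#define MAXND         128  /* model limit; keeps the fixed buffers big enough */
#define CANARY        0xa5 /* fill byte, as in the PR's test program */
#define ROUNDUP(x, y) ((((x) + ((y) - 1)) / (y)) * (y))

/* Bytes one fd_set occupies for nd descriptors at a given fd_mask width. */
static unsigned
fdset_bytes(int nd, int nfdbits)
{
	return ((unsigned)(ROUNDUP(nd, nfdbits) / NBBY));
}

/*
 * Model of one fd_set passing through a 64-bit kernel's select path:
 * copy in, keep the requested descriptors below nd that are in `ready`,
 * copy out. abi_nfdbits == KERN_NFDBITS models the code before the patch.
 * Returns 0, or -1 when the arguments are outside what the model accepts.
 */
static int
model_select(uint8_t *uset, int nd, uint64_t ready, int abi_nfdbits)
{
	uint8_t ibits[MAXND / NBBY] = { 0 }, obits[MAXND / NBBY] = { 0 };
	unsigned ncpbytes, ncpubytes;
	int fd;

	if (nd < 0 || nd > MAXND || abi_nfdbits <= 0)
		return (-1);
	ncpbytes = fdset_bytes(nd, KERN_NFDBITS);	/* kernel buffer size */
	ncpubytes = fdset_bytes(nd, abi_nfdbits);	/* bytes the caller owns */
	if (ncpubytes > ncpbytes)
		return (-1);
	memcpy(ibits, uset, ncpubytes);				/* copyin */
	memset(ibits + ncpubytes, 0, ncpbytes - ncpubytes);	/* zero the tail */
	for (fd = 0; fd < nd && fd < 64; fd++)
		if (((ibits[fd / NBBY] >> (fd % NBBY)) & 1) && ((ready >> fd) & 1))
			obits[fd / NBBY] |= (uint8_t)(1u << (fd % NBBY));
	memcpy(uset, obits, ncpubytes);				/* copyout */
	return (0);
}

/*
 * Lay out a 32-bit process's memory the way the PR's test does: canary
 * bytes all round and an fd_set sized for the 32-bit ABI at offset 4.
 * Returns how many canary bytes after the fd_set the model kernel changed.
 */
static int
clobbered_bytes(int nd, int abi_nfdbits)
{
	uint8_t mem[4 + MAXND / NBBY + 8];
	unsigned user_len;
	size_t i;
	int n = 0;

	if (nd < 1 || nd > MAXND)
		return (-1);
	user_len = fdset_bytes(nd, ABI32_NFDBITS);
	memset(mem, CANARY, sizeof(mem));
	memset(mem + 4, 0, user_len);
	mem[4] = 0x01;					/* FD_SET(0, ...) */
	if (model_select(mem + 4, nd, 0, abi_nfdbits) != 0)
		return (-1);
	for (i = 4 + user_len; i < sizeof(mem); i++)
		if (mem[i] != CANARY)
			n++;
	return (n);
}

int
main(void)
{
	static const int nds[] = { 3, 32, 33, 64, 65 };
	size_t i;

	for (i = 0; i < sizeof(nds) / sizeof(nds[0]); i++)
		printf("nd=%3d  64-bit width: %d byte(s) clobbered  32-bit width: %d\n",
		    nds[i], clobbered_bytes(nds[i], KERN_NFDBITS),
		    clobbered_bytes(nds[i], ABI32_NFDBITS));
	return (0);
}
```

In this model the stray 4 bytes appear only when the 32-bit set has an odd number of words (nd of 1..32 or 65..96 here), which matches the nd=3 case in the PR's test output.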
From: John Baldwin
Reply-To: John Baldwin
Subject: Re: amd64/138318: [patch] select(2) in i386 emulation can overwrite user data
X-List-Received-Date: Mon, 31 Aug 2009 12:30:09 -0000

The following reply was made to PR amd64/138318; it has been noted by GNATS.

From: John Baldwin
To: freebsd-amd64@freebsd.org, Peter Jeremy
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: amd64/138318: [patch] select(2) in i386 emulation can overwrite user data
Date: Mon, 31 Aug 2009 08:23:27 -0400

From owner-freebsd-amd64@FreeBSD.ORG Tue Sep 1 15:30:11 2009
Message-Id: <200909011525.n81FP4hb087754@www.freebsd.org>
Date: Tue, 1 Sep 2009 15:25:04 GMT
From: Khee Chin
To: freebsd-gnats-submit@FreeBSD.org
Subject: amd64/138446: UPDATE: databases/skytools

>Number: 138446
>Category: amd64
>Synopsis: UPDATE: databases/skytools
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-amd64
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Tue Sep 01 15:30:06 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Khee Chin
>Release: 7.1
>Organization:
>Environment:
>Description:
Update to /usr/ports/databases/skytools to 2.1.10
>How-To-Repeat:
>Fix:
Patch attached.

Patch attached with submission follows:

diff -ruN /usr/ports/databases/skytools/Makefile skytools/Makefile --- /usr/ports/databases/skytools/Makefile 2009-06-09 09:15:56.000000000 +0800 +++ skytools/Makefile 2009-09-01 21:27:19.000000000 +0800 
@@ -6,10 +6,10 @@ # PORTNAME= skytools -PORTVERSION= 2.1.7 +PORTVERSION= 2.1.10 PORTREVISION= 1 CATEGORIES= databases -MASTER_SITES= http://pgfoundry.org/frs/download.php/1813/ +MASTER_SITES= http://pgfoundry.org/frs/download.php/2370/ MAINTAINER= skv@FreeBSD.org COMMENT= PostgreSQL tools from Skype: walshipping, queueing, replication diff -ruN /usr/ports/databases/skytools/distinfo skytools/distinfo --- /usr/ports/databases/skytools/distinfo 2008-09-05 09:06:20.000000000 +0800 +++ skytools/distinfo 2009-09-01 21:28:30.000000000 +0800 @@ -1,3 +1,3 @@ -MD5 (skytools-2.1.7.tar.gz) = e2d1c55dd8aea00e1b20e921e5ec3e87 -SHA256 (skytools-2.1.7.tar.gz) = c2db6b02ffb8aeb56bffdc1b490fb2f490905143a6f496dbea35d8eb0815c0bd -SIZE (skytools-2.1.7.tar.gz) = 238045 +MD5 (skytools-2.1.10.tar.gz) = 1fe735f5599f479ba0a52b222f3100b2 +SHA256 (skytools-2.1.10.tar.gz) = 1e61993ca6b62dd1d36bbc6bb7add9d08951ef6364a8714c0985c7de91f811e0 +SIZE (skytools-2.1.10.tar.gz) = 257629 diff -ruN /usr/ports/databases/skytools/pkg-plist skytools/pkg-plist --- /usr/ports/databases/skytools/pkg-plist 2009-06-09 09:15:56.000000000 +0800 +++ skytools/pkg-plist 2009-09-01 21:29:17.000000000 +0800 
@@ -112,6 +112,7 @@ %%DATADIR%%/upgrade/final/v2.1.6_pgq_ext.sql %%DATADIR%%/upgrade/final/v2.1.7_londiste.sql %%DATADIR%%/upgrade/final/v2.1.7_pgq_core.sql +%%DATADIR%%/upgrade/final/v2.1.8_pgq_core.sql @dirrm %%DATADIR%%/upgrade/final @dirrm %%DATADIR%%/upgrade @dirrm %%DATADIR%%

>Release-Note:
>Audit-Trail:
>Unformatted:

Date: Tue, 1 Sep 2009 18:28:29 GMT
Message-Id: <200909011828.n81ISTdf007702@freefall.freebsd.org>
To: gavin@FreeBSD.org, freebsd-amd64@FreeBSD.org, freebsd-ports-bugs@FreeBSD.org
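Review bot: In the Makefile hunk, PORTREVISION= 1 is carried over as a context line while PORTVERSION moves from 2.1.7 to 2.1.10. PORTREVISION counts port-side changes within one upstream version, so it should be removed in the same change that bumps PORTVERSION; as submitted, the package would be versioned 2.1.10_1 without any port revision behind it.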
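Review bot: In the distinfo hunk, the new SHA256 and SIZE lines are the only integrity check on the tarball, because MASTER_SITES in the Makefile hunk is a plain http:// URL. The committer should fetch skytools-2.1.10.tar.gz independently, regenerate distinfo with make makesum, and compare the result with the submitted values instead of committing them as received.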
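Review bot: The pkg-plist hunk adds a single file, v2.1.8_pgq_core.sql, for an update that spans three upstream releases (2.1.7 to 2.1.10). Please confirm with a test install and deinstall that 2.1.9 and 2.1.10 add or drop nothing else, since any file missing from the plist is left behind when the package is removed.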
From: gavin@FreeBSD.org
Subject: Re: ports/138446: UPDATE: databases/skytools

Synopsis: UPDATE: databases/skytools

Responsible-Changed-From-To: freebsd-amd64->freebsd-ports-bugs
Responsible-Changed-By: gavin
Responsible-Changed-When: Tue Sep 1 18:27:54 UTC 2009
Responsible-Changed-Why: Ports bug

http://www.freebsd.org/cgi/query-pr.cgi?pr=138446

Message-Id: <200909041342.n84DgmEg037761@www.freebsd.org>
Date: Fri, 4 Sep 2009 13:42:48 GMT
From: Alphazo
To: freebsd-gnats-submit@FreeBSD.org
Subject: amd64/138531: Error message while fetching package after fresh 8.0 beta 3 install

>Number: 138531
>Category: amd64
>Synopsis: Error message while fetching package after fresh 8.0 beta 3 install
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-amd64
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Sep 04 13:50:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Alphazo
>Release: 8.0 Beta 3
>Organization:
>Environment:
FreeBSD freebsd.test.internal 8.0-BETA3 FreeBSD 8.0-BETA3 #0: Sat Aug 22 02:00:45 UTC 2009 root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I installed the 8.0 Beta 3 release using the USB image on an Intel D945GCLF2 board with 2GB RAM and Hyperthreading disabled in the bios. The first thing I did was to setenv to change the PACKAGESITE to packages-8-stable. I then issued the following command to install "mc" : "pkg_add -r mc". While the system was fetching the binary from FTP site I got the following message on the console.
Sep 4 14:40:06 freebsd kernel: lock order reversal:
Sep 4 14:40:06 freebsd kernel: 1st 0xffffff80292aa908 bufwait (bufwait) @ /usr/src/sys/kern/vfs_bio.c:2559
Sep 4 14:40:06 freebsd kernel: 2nd 0xffffff0002a08c00 dirhash (dirhash) @ /usr/src/sys/ufs/ufs/ufs_dirhash.c:285
Sep 4 14:40:06 freebsd kernel: KDB: stack backtrace:
Sep 4 14:40:06 freebsd kernel: db_trace_self_wrapper() at db_trace_self_wrapper+0x2a
Sep 4 14:40:06 freebsd kernel: _witness_debugger() at _witness_debugger+0x2e
Sep 4 14:40:06 freebsd kernel: witness_checkorder() at witness_checkorder+0x81e
Sep 4 14:40:06 freebsd kernel: _sx_xlock() at _sx_xlock+0x55
Sep 4 14:40:06 freebsd kernel: ufsdirhash_acquire() at ufsdirhash_acquire+0x33
Sep 4 14:40:06 freebsd kernel: ufsdirhash_add() at ufsdirhash_add+0x19
Sep 4 14:40:06 freebsd kernel: ufs_direnter() at ufs_direnter+0x88b
Sep 4 14:40:06 freebsd kernel: ufs_makeinode() at ufs_makeinode+0x2a7
Sep 4 14:40:06 freebsd kernel: VOP_CREATE_APV() at VOP_CREATE_APV+0x8d
Sep 4 14:40:06 freebsd kernel: vn_open_cred() at vn_open_cred+0x468
Sep 4 14:40:06 freebsd kernel: kern_openat() at kern_openat+0x179
Sep 4 14:40:06 freebsd kernel: syscall() at syscall+0x1af
Sep 4 14:40:06 freebsd kernel: Xfast_syscall() at Xfast_syscall+0xe1
Sep 4 14:40:06 freebsd kernel: --- syscall (5, FreeBSD ELF64, open), rip = 0x800e32dfc, rsp = 0x7fffffffe6e8, rbp = 0x1a4 ---

Although the installation went fine and "mc" appears to be installed.

Alphazo
-----BEGIN PGP SIGNATURE-----

iEYEAREKAAYFAkqhGN8ACgkQYzj0vCQtTfttgQCcCPEjNE8RLj6l1xHBVpQiBL4J
dQMAnidJrFOaXn1WQF/0Gjr0QWX60Yl3
=PIcV
-----END PGP SIGNATURE-----
>How-To-Repeat:
Install a fresh 8.0 Beta 3
# setenv PACKAGESITE=ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8-stable/Latest/
# pkg_add -r mc
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted: