From owner-freebsd-bugs@FreeBSD.ORG Fri Mar 20 22:40:02 2009
Resent-Date: Fri, 20 Mar 2009 22:40:02 GMT
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Chris Palmer
Message-Id: <200903202234.n2KMYI5G058455@www.freebsd.org>
Date: Fri, 20 Mar 2009 22:34:18 GMT
From: Chris Palmer
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/132886: Trivially fuzzed executables panic the kernel

>Number:         132886
>Category:       kern
>Synopsis:       Trivially fuzzed executables panic the kernel
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Mar 20 22:40:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Chris Palmer
>Release:        FreeBSD 7.1-STABLE
>Organization:
>Environment:
FreeBSD blueberry 7.1-STABLE FreeBSD 7.1-STABLE #1: Fri Feb 6 13:24:55 PST 2009 root@blueberry:/local/src/sys/i386/compile/GENERIC i386

>Description:
I used iSEC's file fuzzer:

https://www.isecpartners.com/file_fuzzers.html

to generate 20 fuzzed versions of /bin/ls. The 12th (attached) reliably panics my kernel. I have not yet tried any of the others.

The crash appears to be due to an invalid memory access, but I have not spent very much time tracking down the root cause. Other bugs may exist, and some may be exploitable --- but I don't know for sure.

Here is a backtrace.

blueberry# kgdb kernel.debug /var/crash/vmcore.0
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...
Unread portion of the kernel message buffer:

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x98bd2a54
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc0758413
stack pointer           = 0x28:0xd623ea58
frame pointer           = 0x28:0xd623eae0
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 36581 (isolate)
trap number             = 12
panic: page fault
cpuid = 0
Uptime: 6h15m3s
Physical memory: 499 MB
Dumping 107 MB: 92 76 60 44 28 12

Reading symbols from /boot/kernel/snd_es137x.ko...Reading symbols from /boot/kernel/snd_es137x.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/snd_es137x.ko
Reading symbols from /boot/kernel/sound.ko...Reading symbols from /boot/kernel/sound.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/sound.ko
Reading symbols from /boot/kernel/acpi.ko...Reading symbols from /boot/kernel/acpi.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/acpi.ko
#0  doadump () at pcpu.h:196
196             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
(kgdb) bt
#0  doadump () at pcpu.h:196
#1  0xc0799667 in boot (howto=260) at /local/src/sys/kern/kern_shutdown.c:418
#2  0xc0799939 in panic (fmt=Variable "fmt" is not available.
) at /local/src/sys/kern/kern_shutdown.c:574
#3  0xc0aaba8c in trap_fatal (frame=0xd623ea18, eva=2562533972) at /local/src/sys/i386/i386/trap.c:939
#4  0xc0aabd10 in trap_pfault (frame=0xd623ea18, usermode=0, eva=2562533972) at /local/src/sys/i386/i386/trap.c:852
#5  0xc0aac6cc in trap (frame=0xd623ea18) at /local/src/sys/i386/i386/trap.c:530
#6  0xc0a9253b in calltrap () at /local/src/sys/i386/i386/exception.s:159
#7  0xc0758413 in exec_elf32_imgact (imgp=0xd623ebe0) at /local/src/sys/kern/imgact_elf.c:867
#8  0xc0771412 in kern_execve (td=0xc3434d20, args=0xd623ec5c, mac_p=0x0) at /local/src/sys/kern/kern_exec.c:432
#9  0xc07723cc in execve (td=0xc3434d20, uap=0xd623ecfc) at /local/src/sys/kern/kern_exec.c:201
#10 0xc0aac065 in syscall (frame=0xd623ed38) at /local/src/sys/i386/i386/trap.c:1090
#11 0xc0a925a0 in Xint0x80_syscall () at /local/src/sys/i386/i386/exception.s:255
#12 0x00000033 in ?? ()
Previous frame inner to this frame (corrupt stack?)

>How-To-Repeat:
Run the attached executable. Crashes for me on 7.1-STABLE, i386.

Run the fuzzer to generate more candidates, and fuzz some other executables too.

>Fix:
In general, do not trust pointers and offsets provided by the user. This includes normal dereferences as well as pointer arithmetic and integer arithmetic in which the result will be used later to subscript an array, or the like.

From imgact_elf.c:

865         if (pnote != NULL && pnote->p_offset < PAGE_SIZE &&
866             pnote->p_offset + pnote->p_filesz < PAGE_SIZE ) {
867                 note = (const Elf_Note *)(imgp->image_header + pnote->p_offset);
868                 if (!aligned(note, Elf32_Addr)) {

Line 867 could be where it all went wrong.
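The advice in the Fix section (do not trust file-supplied offsets, and watch the arithmetic done on them) can be made concrete. The following is an added example, not code from this PR or from FreeBSD's imgact_elf.c: it contrasts a bounds check written in the shape of the quoted lines 865-866, where a 32-bit `p_offset + p_filesz` can wrap around, with a subtraction-based form that cannot wrap, and then reads a note header out of a constructed one-page buffer, re-bounding every length that came from the file before using it. `IMG_PAGE_SIZE`, `note_in_page_naive`, `note_in_page_safe`, `read_note_type`, `build_sample_page` and the sample note are assumptions for illustration; the report does not establish that wraparound is the actual root cause of this panic.

```c
/* Added example (not FreeBSD's imgact_elf.c): overflow-safe validation of an
 * untrusted PT_NOTE offset/size against the one page of the image the kernel
 * holds in memory. Names and the sample note are assumptions for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMG_PAGE_SIZE 4096u   /* stands in for PAGE_SIZE on i386 */

/* Minimal ELF32 note header (field layout as in the ELF specification). */
struct elf32_note {
    uint32_t n_namesz;
    uint32_t n_descsz;
    uint32_t n_type;
};

/* The shape of the check quoted in the PR: p_offset < PAGE_SIZE &&
 * p_offset + p_filesz < PAGE_SIZE.  With 32-bit p_filesz the addition can
 * wrap, so an absurd size slips through. Kept here only to show the defect. */
bool note_in_page_naive(uint32_t p_offset, uint32_t p_filesz)
{
    return p_offset < IMG_PAGE_SIZE &&
           p_offset + p_filesz < IMG_PAGE_SIZE;
}

/* Same intent, written so nothing can wrap: check the offset first, then
 * compare the size against the remaining room (a subtraction that cannot
 * underflow once the offset is known to be in range), and demand space for
 * at least one note header so the caller's dereference stays in bounds. */
bool note_in_page_safe(uint32_t p_offset, uint32_t p_filesz)
{
    if (p_offset >= IMG_PAGE_SIZE)
        return false;
    if (p_filesz > IMG_PAGE_SIZE - p_offset)
        return false;
    return p_filesz >= sizeof(struct elf32_note);
}

/* Round up to a 4-byte boundary; callers pass values already bounded by
 * IMG_PAGE_SIZE, so the addition cannot wrap. */
static uint32_t roundup4(uint32_t v) { return (v + 3u) & ~3u; }

/* Read one note inside the in-memory page, re-checking every length that
 * came from the file before it is used as an offset. Returns the note type,
 * or -1 when the note (header, name or descriptor) does not fit. */
int read_note_type(const uint8_t *page, uint32_t p_offset, uint32_t p_filesz)
{
    if (!note_in_page_safe(p_offset, p_filesz))
        return -1;
    struct elf32_note nh;
    memcpy(&nh, page + p_offset, sizeof nh);   /* no alignment assumption */
    uint32_t avail = p_filesz - sizeof nh;      /* bytes after the header */
    /* n_namesz and n_descsz are untrusted; bound each before rounding. */
    if (nh.n_namesz > avail)
        return -1;
    uint32_t name_rounded = roundup4(nh.n_namesz);
    if (name_rounded > avail)
        return -1;
    if (nh.n_descsz > avail - name_rounded)
        return -1;
    return (int)nh.n_type;
}

/* Constructed sample page: one well-formed note (name "FreeBSD", a 4-byte
 * descriptor, type 1) placed at offset 0x40; everything else is zero. */
void build_sample_page(uint8_t *page)
{
    memset(page, 0, IMG_PAGE_SIZE);
    struct elf32_note nh = { .n_namesz = 8, .n_descsz = 4, .n_type = 1 };
    memcpy(page + 0x40, &nh, sizeof nh);
    memcpy(page + 0x40 + sizeof nh, "FreeBSD\0", 8);
    /* the 4-byte descriptor that follows is already zero */
}

int main(void)
{
    uint8_t page[IMG_PAGE_SIZE];
    build_sample_page(page);
    printf("naive check, wrapped size: %d\n", note_in_page_naive(0x100u, 0xFFFFFFFFu));
    printf("safe check, wrapped size:  %d\n", note_in_page_safe(0x100u, 0xFFFFFFFFu));
    printf("note type at 0x40:         %d\n", read_note_type(page, 0x40u, 24u));
    printf("note type, short segment:  %d\n", read_note_type(page, 0x40u, 20u));
    return 0;
}
```

The first two `printf` lines show the difference between the two checks on an offset of 0x100 with a segment size of 0xFFFFFFFF: the additive form wraps to 0xFF and accepts it, the subtractive form rejects it. The note walker applies the same pattern one level down, because `n_namesz` and `n_descsz` are just as file-controlled as `p_offset` and `p_filesz`.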
Patch attached with submission follows:

[binary attachment omitted: the fuzzed /bin/ls ELF executable is not reproducible as text]

>Release-Note:
>Audit-Trail:
>Unformatted: