Skip site navigation (1)Skip section navigation (2) 
Date:      Sun, 4 Jun 2006 20:41:32 -0400
From:      Kris Kennaway <kris@obsecurity.org>
To:        Kris Kennaway <kris@obsecurity.org>
Cc:        net@FreeBSD.org
Subject:   Panic from osendmsg() (Re: panic: m_prepend: MH_ALIGN not PKTHDR mbuf)
Message-ID:  <20060605004132.GA39212@xor.obsecurity.org>
In-Reply-To: <20060524015826.GA54564@xor.obsecurity.org>
index | next in thread | previous in thread | raw e-mail 

[-- Attachment #1 --]
On Tue, May 23, 2006 at 09:58:26PM -0400, Kris Kennaway wrote:
> I got this panic as a non-privileged user running the stress2 test
> component that does random syscalls:
> 
> panic: m_prepend: MH_ALIGN not PKTHDR mbuf
> cpuid = 1
> KDB: enter: panic
> [thread pid 15370 tid 100536 ]
> Stopped at      kdb_enter+0x32: leave
> db> wh
> Tracing pid 15370 tid 100536 td 0xc5561000
> kdb_enter(c073c6b2,1,c0741b31,eced5be0,c5561000) at kdb_enter+0x32
> panic(c0741b31,c07199c6,2,0,e) at panic+0x1b1
> m_prepend(c4dc0300,c,2,e,eced5c58) at m_prepend+0xd8
> sendit(eced5c58,7cd3a4b7,eced5c54,28,c4beb1a0) at sendit+0x1a4
> osendmsg(c5561000,eced5d04,c,445,3) at osendmsg+0x89

Anyone looking at this?  It seems that the osendmsg() compatibility
syscall can be easily used to cause this panic.

Kris

> syscall(c54f003b,b51f003b,bfbf003b,f7a64185,bd4fa8c6) at syscall+0x163
> Xint0x80_syscall() at Xint0x80_syscall+0x1f
> --- syscall (114, FreeBSD ELF32, osendmsg), eip = 0x280a4d4d, esp = 0xbfbfeae0, ebp = 0xbfbfeb28 ---
> 
> #8  0xc053e4d5 in panic (fmt=0xc0741b31 "%s: MH_ALIGN not PKTHDR mbuf") at ../../../kern/kern_shutdown.c:549
> #9  0xc057fdc6 in m_prepend (m=0xc4dc0300, len=12, how=0) at ../../../kern/uipc_mbuf.c:500
> #10 0xc058bc16 in sendit (td=0xc5561000, s=-657691676, mp=0xeced5c58, flags=18)
>     at ../../../kern/uipc_syscalls.c:700
> #11 0xc058bd62 in osendmsg (td=0xc5561000, uap=0xeced5d04) at ../../../kern/uipc_syscalls.c:892
> #12 0xc06fa7d7 in syscall (frame=
>       {tf_fs = -984678341, tf_es = -1256259525, tf_ds = -1078001605, tf_edi = -140099195, tf_esi = -1118852922, tf_ebp = -1077941464, tf_isp = -319988380, tf_ebx = 1628509609, tf_edx = 176, tf_ecx = 134516915, tf_eax = 114, tf_trapno = 32, tf_err = 2, tf_eip = 671763789, tf_cs = 51, tf_eflags = 659, tf_esp = -1077941536, tf_ss = 59}) at ../../../i386/i386/trap.c:1016
> #13 0xc06e3daf in Xint0x80_syscall () at ../../../i386/i386/exception.s:191
> #14 0x00000033 in ?? ()
> Previous frame inner to this frame (corrupt stack?)
> 
> Core available.
> 
> Kris
> 



[-- Attachment #2 --]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (FreeBSD)

iD8DBQFEg327Wry0BWjoQKURAgl8AJwIhgimv5bwwXUJ/diptafG0O6mSwCgmFWI
L9YFP9X06GUozeOswMNRCsw=
=cCEt
-----END PGP SIGNATURE-----
home | help

Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060605004132.GA39212>