Date:      Sun, 4 Jun 2006 20:41:32 -0400
From:      Kris Kennaway <kris@obsecurity.org>
To:        Kris Kennaway <kris@obsecurity.org>
Cc:        net@FreeBSD.org
Subject:   Panic from osendmsg() (Re: panic: m_prepend: MH_ALIGN not PKTHDR mbuf)
Message-ID:  <20060605004132.GA39212@xor.obsecurity.org>
In-Reply-To: <20060524015826.GA54564@xor.obsecurity.org>
References:  <20060524015826.GA54564@xor.obsecurity.org>

On Tue, May 23, 2006 at 09:58:26PM -0400, Kris Kennaway wrote:
> I got this panic as a non-privileged user running the stress2 test
> component that does random syscalls:
>
> panic: m_prepend: MH_ALIGN not PKTHDR mbuf
> cpuid = 1
> KDB: enter: panic
> [thread pid 15370 tid 100536 ]
> Stopped at      kdb_enter+0x32: leave
> db> wh
> Tracing pid 15370 tid 100536 td 0xc5561000
> kdb_enter(c073c6b2,1,c0741b31,eced5be0,c5561000) at kdb_enter+0x32
> panic(c0741b31,c07199c6,2,0,e) at panic+0x1b1
> m_prepend(c4dc0300,c,2,e,eced5c58) at m_prepend+0xd8
> sendit(eced5c58,7cd3a4b7,eced5c54,28,c4beb1a0) at sendit+0x1a4
> osendmsg(c5561000,eced5d04,c,445,3) at osendmsg+0x89

Anyone looking at this?  It seems that the osendmsg() compatibility
syscall can be easily used to cause this panic.

Kris

> syscall(c54f003b,b51f003b,bfbf003b,f7a64185,bd4fa8c6) at syscall+0x163
> Xint0x80_syscall() at Xint0x80_syscall+0x1f
> --- syscall (114, FreeBSD ELF32, osendmsg), eip = 0x280a4d4d, esp = 0xbfbfeae0, ebp = 0xbfbfeb28 ---
>
> #8  0xc053e4d5 in panic (fmt=0xc0741b31 "%s: MH_ALIGN not PKTHDR mbuf") at ../../../kern/kern_shutdown.c:549
> #9  0xc057fdc6 in m_prepend (m=0xc4dc0300, len=12, how=0) at ../../../kern/uipc_mbuf.c:500
> #10 0xc058bc16 in sendit (td=0xc5561000, s=-657691676, mp=0xeced5c58, flags=18)
>     at ../../../kern/uipc_syscalls.c:700
> #11 0xc058bd62 in osendmsg (td=0xc5561000, uap=0xeced5d04) at ../../../kern/uipc_syscalls.c:892
> #12 0xc06fa7d7 in syscall (frame=
>       {tf_fs = -984678341, tf_es = -1256259525, tf_ds = -1078001605, tf_edi = -140099195, tf_esi = -1118852922, tf_ebp = -1077941464, tf_isp = -319988380, tf_ebx = 1628509609, tf_edx = 176, tf_ecx = 134516915, tf_eax = 114, tf_trapno = 32, tf_err = 2, tf_eip = 671763789, tf_cs = 51, tf_eflags = 659, tf_esp = -1077941536, tf_ss = 59}) at ../../../i386/i386/trap.c:1016
> #13 0xc06e3daf in Xint0x80_syscall () at ../../../i386/i386/exception.s:191
> #14 0x00000033 in ?? ()
> Previous frame inner to this frame (corrupt stack?)
>
> Core available.
>
> Kris
>

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060605004132.GA39212>