From: Kris Kennaway <kris@obsecurity.org>
To: Kris Kennaway
Cc: net@FreeBSD.org
Date: Sun, 4 Jun 2006 20:41:32 -0400
Subject: Panic from osendmsg() (Re: panic: m_prepend: MH_ALIGN not PKTHDR mbuf)
Message-ID: <20060605004132.GA39212@xor.obsecurity.org>
In-Reply-To: <20060524015826.GA54564@xor.obsecurity.org>
List-Id: Networking and TCP/IP with FreeBSD (freebsd-net)

On Tue, May 23, 2006 at 09:58:26PM -0400, Kris Kennaway wrote:
> I got this panic as a non-privileged user running the stress2 test
> component that does random syscalls:
>
> panic: m_prepend: MH_ALIGN not PKTHDR mbuf
> cpuid = 1
> KDB: enter: panic
> [thread pid 15370 tid 100536 ]
> Stopped at kdb_enter+0x32: leave
> db> wh
> Tracing pid 15370 tid 100536 td 0xc5561000
> kdb_enter(c073c6b2,1,c0741b31,eced5be0,c5561000) at kdb_enter+0x32
> panic(c0741b31,c07199c6,2,0,e) at panic+0x1b1
> m_prepend(c4dc0300,c,2,e,eced5c58) at m_prepend+0xd8
> sendit(eced5c58,7cd3a4b7,eced5c54,28,c4beb1a0) at sendit+0x1a4
> osendmsg(c5561000,eced5d04,c,445,3) at osendmsg+0x89

Anyone looking at this?  It seems that the osendmsg() compatibility
syscall can be easily used to cause this panic.

Kris

> syscall(c54f003b,b51f003b,bfbf003b,f7a64185,bd4fa8c6) at syscall+0x163
> Xint0x80_syscall() at Xint0x80_syscall+0x1f
> --- syscall (114, FreeBSD ELF32, osendmsg), eip = 0x280a4d4d, esp = 0xbfbfeae0, ebp = 0xbfbfeb28 ---
>
> #8  0xc053e4d5 in panic (fmt=0xc0741b31 "%s: MH_ALIGN not PKTHDR mbuf") at ../../../kern/kern_shutdown.c:549
> #9  0xc057fdc6 in m_prepend (m=0xc4dc0300, len=12, how=0) at ../../../kern/uipc_mbuf.c:500
> #10 0xc058bc16 in sendit (td=0xc5561000, s=-657691676, mp=0xeced5c58, flags=18)
>     at ../../../kern/uipc_syscalls.c:700
> #11 0xc058bd62 in osendmsg (td=0xc5561000, uap=0xeced5d04) at ../../../kern/uipc_syscalls.c:892
> #12 0xc06fa7d7 in syscall (frame=
>       {tf_fs = -984678341, tf_es = -1256259525, tf_ds = -1078001605, tf_edi = -140099195, tf_esi = -1118852922, tf_ebp = -1077941464, tf_isp = -319988380, tf_ebx = 1628509609, tf_edx = 176, tf_ecx = 134516915, tf_eax = 114, tf_trapno = 32, tf_err = 2, tf_eip = 671763789, tf_cs = 51, tf_eflags = 659, tf_esp = -1077941536, tf_ss = 59}) at ../../../i386/i386/trap.c:1016
> #13 0xc06e3daf in Xint0x80_syscall () at ../../../i386/i386/exception.s:191
> #14 0x00000033 in ?? ()
> Previous frame inner to this frame (corrupt stack?)
>
> Core available.
>
> Kris
>