From owner-freebsd-bugs@FreeBSD.ORG Mon Oct 31 16:30:11 2011
Return-Path:
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 13E16106566C for ; Mon, 31 Oct 2011 16:30:11 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id E46718FC16 for ; Mon, 31 Oct 2011 16:30:10 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id p9VGUAs1062408 for ; Mon, 31 Oct 2011 16:30:10 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.4/8.14.4/Submit) id p9VGUAd9062405; Mon, 31 Oct 2011 16:30:10 GMT (envelope-from gnats)
Resent-Date: Mon, 31 Oct 2011 16:30:10 GMT
Resent-Message-Id: <201110311630.p9VGUAd9062405@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Stevan Markovic
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 7AA9D106566B for ; Mon, 31 Oct 2011 16:22:01 +0000 (UTC) (envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22]) by mx1.freebsd.org (Postfix) with ESMTP id 4AA708FC0A for ; Mon, 31 Oct 2011 16:22:01 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1]) by red.freebsd.org (8.14.4/8.14.4) with ESMTP id p9VGM1wa076170 for ; Mon, 31 Oct 2011 16:22:01 GMT (envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost) by red.freebsd.org (8.14.4/8.14.4/Submit) id p9VGM0eK076169; Mon, 31 Oct 2011 16:22:00 GMT (envelope-from nobody)
Message-Id: <201110311622.p9VGM0eK076169@red.freebsd.org>
Date: Mon, 31 Oct 2011 16:22:00 GMT
From: Stevan Markovic
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Cc:
Subject: misc/162201: [patch] multicast forwarding cache hash always allocated with size 0, resulting in buffer overrun
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 31 Oct 2011 16:30:11 -0000

>Number:         162201
>Category:       misc
>Synopsis:       [patch] multicast forwarding cache hash always allocated with size 0, resulting in buffer overrun
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Oct 31 16:30:10 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Stevan Markovic
>Release:        8.2.0 customized
>Organization:   McAfee inc
>Environment:
>Description:
The bug is observed as a kernel panic shortly after stopping XORP (www.xorp.org) configured for PIM/SM routing.
Debugging discovered that at the time of the MALLOC for V_nexpire in ip_mroute.c::vnet_mroute_init(), the size variable mfchashsize always has the value 0.
Why: the variable mfchashsize is initialized in the module event handler, which is executed with the SI_ORDER_ANY ordering tag; this happens _after_ the variable is used in the MALLOC in the VNET_SYSINIT with SI_ORDER_MIDDLE.
The fix simply moves the variable initialization before its usage in vnet_mroute_init.
This bug was discovered and fixed in McAfee Inc. development.
>How-To-Repeat:
Hard to reproduce, since system behavior after the memory overwrite is unpredictable.
The multicast forwarding cache hash overrun always happens after:
a) configuring xorp to use PIM/SM
b) starting xorp_rtrmgr
c) stopping xorp_rtrmgr.
>Fix:
The fix simply moves the mfchashsize variable initialization before its usage in vnet_mroute_init.
Patch attached with submission follows: Index: ip_mroute.c =================================================================== RCS file: /projects/freebsd/src_cvsup/src/sys/netinet/ip_mroute.c,v retrieving revision 1.161 diff -u -r1.161 ip_mroute.c --- ip_mroute.c 22 Nov 2010 19:32:54 -0000 1.161 +++ ip_mroute.c 31 Oct 2011 15:54:53 -0000 @@ -2814,7 +2814,13 @@ static void vnet_mroute_init(const void *unused __unused) { - + mfchashsize = MFCHASHSIZE; + if (TUNABLE_ULONG_FETCH("net.inet.ip.mfchashsize", &mfchashsize) && + !powerof2(mfchashsize)) { + printf("WARNING: %s not a power of 2; using default\n", + "net.inet.ip.mfchashsize"); + mfchashsize = MFCHASHSIZE; + } MALLOC(V_nexpire, u_char *, mfchashsize, M_MRTABLE, M_WAITOK|M_ZERO); bzero(V_bw_meter_timers, sizeof(V_bw_meter_timers)); callout_init(&V_expire_upcalls_ch, CALLOUT_MPSAFE); @@ -2855,13 +2861,6 @@ MFC_LOCK_INIT(); VIF_LOCK_INIT(); - mfchashsize = MFCHASHSIZE; - if (TUNABLE_ULONG_FETCH("net.inet.ip.mfchashsize", &mfchashsize) && - !powerof2(mfchashsize)) { - printf("WARNING: %s not a power of 2; using default\n", - "net.inet.ip.mfchashsize"); - mfchashsize = MFCHASHSIZE; - } pim_squelch_wholepkt = 0; TUNABLE_ULONG_FETCH("net.inet.pim.squelch_wholepkt", >Release-Note: >Audit-Trail: >Unformatted:
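Review bot: in the first hunk (vnet_mroute_init), the TUNABLE_ULONG_FETCH and the power-of-two check now run once per vnet instead of once per module load, while mfchashsize stays a plain global rather than a V_ variable: under VIMAGE every vnet creation re-reads net.inet.ip.mfchashsize from the kernel environment and, if it is not a power of two, re-prints the "WARNING: ... not a power of 2" line, and a later fetch rewrites the shared size that earlier vnets already used to allocate their tables. Either guard the block so it executes only on the first call, or keep the single initialization in the MOD_LOAD handler and fix the SYSINIT ordering so the handler runs before the VNET_SYSINIT. Independently of where the size is set, a `KASSERT(mfchashsize != 0, ("mfchashsize not initialized"))` immediately before `MALLOC(V_nexpire, u_char *, mfchashsize, M_MRTABLE, M_WAITOK|M_ZERO);` would turn the silent zero-length allocation this PR describes into a diagnosable panic at the allocation site rather than an overrun later.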
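Review bot: the second hunk (ip_mroute_modevent, MOD_LOAD) removes the only module-load-time assignment to mfchashsize, so after this patch the module-load path never sets it and correctness depends entirely on vnet_mroute_init() doing so first; that matches the ordering in the PR description, but the description diagnoses the root cause as the SI_ORDER_ANY handler running after the SI_ORDER_MIDDLE VNET_SYSINIT, and the narrower fix for that diagnosis is to leave this block in place and adjust the order arguments so the module event handler precedes the vnet SYSINIT. The submission should state why relocating the code was preferred over fixing the ordering, since the same ordering assumption may affect other MOD_LOAD-initialized state (the hunk shows pim_squelch_wholepkt and its TUNABLE_ULONG_FETCH still initialized here, after the vnet SYSINIT has already run).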
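To make the ordering failure described in the report concrete, here is an added user-space model (not code from the PR, from XORP or from the FreeBSD sources). It mimics how the kernel's mi_startup() runs SYSINIT hooks sorted by (subsystem, order), registers a "module event" hook at SI_ORDER_ANY and a "vnet init" hook at SI_ORDER_MIDDLE in the same subsystem, and shows that the vnet hook allocates its table while the size is still 0; the patched variant sets the size inside the vnet hook, as the submitted diff does. The names modevent_load, vnet_init_buggy, vnet_init_fixed, nexpire_set and tunable_fetch are this example's own, modelled on the PR's identifiers, and tunable_fetch stands in for TUNABLE_ULONG_FETCH with no loader.conf value set. nexpire_set adds the bounds check the kernel code lacks, so the overrun is reported instead of corrupting memory.

```c
/* Added example: user-space model of the SYSINIT ordering bug in misc/162201.
 * Not kernel code; names are modelled on the PR but are this example's own. */
#include <stdio.h>
#include <stdlib.h>

#define MFCHASHSIZE_DEFAULT 256UL   /* stands in for MFCHASHSIZE */

/* Order values as in FreeBSD's <sys/kernel.h>: hooks run in ascending order. */
enum { SI_ORDER_FIRST = 0, SI_ORDER_MIDDLE = 0x1000000, SI_ORDER_ANY = 0xfffffff };

struct sysinit {
    unsigned long subsystem;
    unsigned long order;
    void (*func)(void);
};

/* Module-global size (not per-vnet) and the per-vnet expiry table. */
static unsigned long mfchashsize;
static unsigned char *nexpire;
static size_t nexpire_len;

/* Assumption: no tunable is set, so the default is kept (returns 0 like
 * TUNABLE_ULONG_FETCH when the kenv variable is absent). */
static int tunable_fetch(const char *name, unsigned long *val)
{
    (void)name; (void)val;
    return 0;
}

/* The initialization block the patch moves: default, then optional override. */
static void init_mfchashsize(void)
{
    mfchashsize = MFCHASHSIZE_DEFAULT;
    if (tunable_fetch("net.inet.ip.mfchashsize", &mfchashsize) &&
        (mfchashsize & (mfchashsize - 1)) != 0) {      /* !powerof2() */
        fprintf(stderr, "WARNING: net.inet.ip.mfchashsize not a power of 2; using default\n");
        mfchashsize = MFCHASHSIZE_DEFAULT;
    }
}

/* Unpatched layout: MOD_LOAD handler (SI_ORDER_ANY) sets the size ... */
static void modevent_load(void) { init_mfchashsize(); }

/* ... but the VNET_SYSINIT (SI_ORDER_MIDDLE) consumes it first. */
static void vnet_init_buggy(void)
{
    nexpire_len = mfchashsize;                 /* still 0 at this point */
    nexpire = calloc(nexpire_len ? nexpire_len : 1, 1);
}

/* Patched layout: the vnet hook sets the size before using it. */
static void vnet_init_fixed(void)
{
    init_mfchashsize();
    nexpire_len = mfchashsize;
    nexpire = calloc(nexpire_len ? nexpire_len : 1, 1);
}

static int cmp_sysinit(const void *a, const void *b)
{
    const struct sysinit *x = a, *y = b;
    if (x->subsystem != y->subsystem) return x->subsystem < y->subsystem ? -1 : 1;
    if (x->order != y->order) return x->order < y->order ? -1 : 1;
    return 0;
}

/* Run hooks in (subsystem, order) sequence, as the kernel's mi_startup() does. */
static void mi_startup(struct sysinit *set, size_t n)
{
    qsort(set, n, sizeof *set, cmp_sysinit);
    for (size_t i = 0; i < n; i++) set[i].func();
}

/* Bounds-checked store into the expiry table; -1 means the write would overrun. */
static int nexpire_set(unsigned long hash, unsigned char v)
{
    if (hash >= nexpire_len) return -1;
    nexpire[hash] = v;
    return 0;
}

static void reset_state(void)
{
    free(nexpire); nexpire = NULL; nexpire_len = 0; mfchashsize = 0;
}

/* "Boot" with the given vnet hook and report the size nexpire was allocated with. */
static size_t boot_and_get_len(void (*vnet_hook)(void))
{
    struct sysinit set[] = {
        { 7, SI_ORDER_ANY,    modevent_load },   /* registered first, runs last */
        { 7, SI_ORDER_MIDDLE, vnet_hook },
    };
    reset_state();
    mi_startup(set, 2);
    return nexpire_len;
}

int main(void)
{
    size_t len = boot_and_get_len(vnet_init_buggy);
    printf("unpatched: nexpire has %zu bytes; store at hash 5 -> %d\n", len, nexpire_set(5, 1));
    len = boot_and_get_len(vnet_init_fixed);
    printf("patched:   nexpire has %zu bytes; store at hash 5 -> %d\n", len, nexpire_set(5, 1));
    reset_state();
    return 0;
}
```

The point the model makes is that registration order and hook order are unrelated: the ORDER_ANY hook is listed first in the table yet runs last, so any global it initializes is read as zero by an ORDER_MIDDLE hook in the same subsystem. In the real kernel, the MALLOC of size 0 followed by indexing up to MFCHASHSIZE entries is the overrun the PR reports; here nexpire_set returns -1 where the kernel would corrupt the neighbouring allocation.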