Date:      Mon, 31 Oct 2011 16:22:00 GMT
From:      Stevan Markovic <stevan_markovic@mcafee.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   misc/162201: [patch] multicast forwarding cache hash always allocated with size 0, resulting in buffer overrun
Message-ID:  <201110311622.p9VGM0eK076169@red.freebsd.org>
Resent-Message-ID: <201110311630.p9VGUAd9062405@freefall.freebsd.org>


>Number:         162201
>Category:       misc
>Synopsis:       [patch] multicast forwarding cache hash always allocated with size 0, resulting in buffer overrun
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Oct 31 16:30:10 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Stevan Markovic
>Release:        8.2.0 customized
>Organization:
McAfee inc
>Environment:
>Description:
The bug is observed as a kernel panic shortly after stopping XORP (www.xorp.org) configured for PIM/SM routing. Debugging discovered that at the time of the MALLOC for V_nexpire in ip_mroute.c::vnet_mroute_init(), the size variable mfchashsize always has the value 0.

Why: the variable mfchashsize is initialized in the module event handler, which is executed with the SI_ORDER_ANY ordering tag; that happens _after_ the variable is used in the MALLOC in the VNET_SYSINIT with SI_ORDER_MIDDLE.

The fix simply moves the variable initialization before its use in vnet_mroute_init.

This bug was discovered and fixed in McAfee Inc. development.
>How-To-Repeat:
Hard to reproduce, since system behavior after the memory overwrite is unpredictable. The multicast forwarding cache hash overrun always happens after:
a) configuring xorp to use PIM/SM
b) starting xorp_rtrmgr
c) stopping xorp_rtrmgr.

>Fix:
The fix simply moves the mfchashsize variable initialization before its use in vnet_mroute_init.

Patch attached with submission follows:

Index: ip_mroute.c
===================================================================
RCS file: /projects/freebsd/src_cvsup/src/sys/netinet/ip_mroute.c,v
retrieving revision 1.161
diff -u -r1.161 ip_mroute.c
--- ip_mroute.c	22 Nov 2010 19:32:54 -0000	1.161
+++ ip_mroute.c	31 Oct 2011 15:54:53 -0000
@@ -2814,7 +2814,13 @@
 static void
 vnet_mroute_init(const void *unused __unused)
 {
-
+	mfchashsize = MFCHASHSIZE;
+	if (TUNABLE_ULONG_FETCH("net.inet.ip.mfchashsize", &mfchashsize) &&
+	    !powerof2(mfchashsize)) {
+		printf("WARNING: %s not a power of 2; using default\n",
+		    "net.inet.ip.mfchashsize");
+		mfchashsize = MFCHASHSIZE;
+	}
 	MALLOC(V_nexpire, u_char *, mfchashsize, M_MRTABLE, M_WAITOK|M_ZERO);
 	bzero(V_bw_meter_timers, sizeof(V_bw_meter_timers));
 	callout_init(&V_expire_upcalls_ch, CALLOUT_MPSAFE);
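Review bot: the moved check `!powerof2(mfchashsize)` still lets a tunable value of 0 through, because powerof2() in sys/param.h is `((((x)-1)&(x))==0)` and that is true for x == 0, so `net.inet.ip.mfchashsize=0` in loader.conf reproduces exactly the zero-size MALLOC of V_nexpire this PR is fixing; extend the condition to `(mfchashsize == 0 || !powerof2(mfchashsize))` while the block is being touched. Separately, vnet_mroute_init() is a VNET_SYSINIT and runs once per vnet, so on a VIMAGE kernel the global mfchashsize is re-parsed from the environment on every vnet creation; the result is the same each time, but the PR description's alternative (keep the fetch in the module event handler and order it before the VNET_SYSINIT) would keep the tunable parsed exactly once and avoid a global being rewritten from a per-vnet path.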
@@ -2855,13 +2861,6 @@
 	MFC_LOCK_INIT();
 	VIF_LOCK_INIT();
 
-	mfchashsize = MFCHASHSIZE;
-	if (TUNABLE_ULONG_FETCH("net.inet.ip.mfchashsize", &mfchashsize) &&
-	    !powerof2(mfchashsize)) {
-		printf("WARNING: %s not a power of 2; using default\n",
-		    "net.inet.ip.mfchashsize");
-		mfchashsize = MFCHASHSIZE;
-	}
 
 	pim_squelch_wholepkt = 0;
 	TUNABLE_ULONG_FETCH("net.inet.pim.squelch_wholepkt",
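Review bot: deleting this block leaves two consecutive blank lines between `VIF_LOCK_INIT();` and `pim_squelch_wholepkt = 0;` (the context line before the removed span and the one after it); drop one of them. With the fetch gone from MOD_LOAD, mfchashsize is now assigned only from vnet_mroute_init(), so a one-line comment here saying where the tunable is now read would save the next reader a search, and it is worth confirming that nothing else in the module event handler reads mfchashsize before the first VNET_SYSINIT has run.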


>Release-Note:
>Audit-Trail:
>Unformatted:
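The ordering problem described in this PR, reduced to a userland model written for this page (it is not FreeBSD's ip_mroute.c and is not part of the original submission). Two initializers sit at the same SI_SUB_* level; the one that parses the tunable carries SI_ORDER_ANY, the one that allocates V_nexpire carries SI_ORDER_MIDDLE, so the allocation runs first and sees mfchashsize == 0. The SI_ORDER_* values are those of sys/kernel.h, powerof2() is the sys/param.h macro, MFCHASHSIZE = 256 is an assumed default, and tunable_env is a hypothetical stand-in for the kernel environment that TUNABLE_ULONG_FETCH reads. The model also goes one step beyond the PR and shows that a tunable value of 0 passes the power-of-two check unchanged.

```c
/*
 * Added example, not FreeBSD source: a model of SYSINIT ordering showing why
 * vnet_mroute_init() allocated V_nexpire with size 0, and how the patch fixes it.
 */
#include <stdlib.h>

#define MFCHASHSIZE 256                        /* assumed default for the model */
#define powerof2(x) ((((x) - 1) & (x)) == 0)   /* as in sys/param.h; true for 0 */

/* SI_ORDER_* from sys/kernel.h: lower values run first within a subsystem. */
enum { SI_ORDER_FIRST = 0x0, SI_ORDER_MIDDLE = 0x1000000, SI_ORDER_ANY = 0xfffffff };

struct sysinit {
	const char *name;
	int order;
	void (*func)(void);
};

static unsigned long mfchashsize;   /* global, not per-vnet, as in the driver */
static unsigned char *nexpire;      /* stands in for V_nexpire */
static size_t nexpire_len;          /* bytes actually allocated for it */
static const char *tunable_env;     /* hypothetical kernel environment value */

/* Model of TUNABLE_ULONG_FETCH(): returns 1 if the environment supplied a value. */
static int tunable_fetch(unsigned long *v)
{
	if (tunable_env == NULL)
		return 0;
	*v = strtoul(tunable_env, NULL, 0);
	return 1;
}

/* The tunable-parsing block that the patch moves. */
static void init_mfchashsize(void)
{
	mfchashsize = MFCHASHSIZE;
	if (tunable_fetch(&mfchashsize) && !powerof2(mfchashsize))
		mfchashsize = MFCHASHSIZE;
}

/* The MALLOC of V_nexpire; calloc(0) may return NULL, so the size is kept apart. */
static void alloc_nexpire(void)
{
	nexpire_len = mfchashsize;
	nexpire = calloc(mfchashsize > 0 ? mfchashsize : 1, 1);
}

/* The patched vnet_mroute_init(): parse the tunable first, then allocate. */
static void vnet_mroute_init_fixed(void)
{
	init_mfchashsize();
	alloc_nexpire();
}

static int by_order(const void *a, const void *b)
{
	const struct sysinit *x = a, *y = b;
	return (x->order > y->order) - (x->order < y->order);
}

/* Runs a SYSINIT table in order, as the kernel does within one subsystem; returns the size allocated. */
static size_t run_sysinits(struct sysinit *tab, size_t n)
{
	mfchashsize = 0;          /* BSS state before any initializer runs */
	free(nexpire);
	nexpire = NULL;
	nexpire_len = 0;
	qsort(tab, n, sizeof(*tab), by_order);
	for (size_t i = 0; i < n; i++)
		tab[i].func();
	return nexpire_len;
}

/* Bounds-checked stand-in for V_nexpire[hash]++: 0 on success, -1 if it would overrun. */
int nexpire_bump(size_t hash)
{
	if (hash >= nexpire_len)
		return -1;
	nexpire[hash]++;
	return 0;
}

/* Ordering before the patch: modevent at SI_ORDER_ANY, VNET_SYSINIT at SI_ORDER_MIDDLE. */
size_t buggy_order(const char *env)
{
	struct sysinit tab[] = {
		{ "ip_mroute_modevent", SI_ORDER_ANY, init_mfchashsize },
		{ "vnet_mroute_init", SI_ORDER_MIDDLE, alloc_nexpire },
	};
	tunable_env = env;
	return run_sysinits(tab, 2);
}

/* Ordering after the patch: the VNET_SYSINIT parses the tunable itself before allocating. */
size_t fixed_order(const char *env)
{
	struct sysinit tab[] = {
		{ "vnet_mroute_init", SI_ORDER_MIDDLE, vnet_mroute_init_fixed },
	};
	tunable_env = env;
	return run_sysinits(tab, 1);
}
```

With the pre-patch table, buggy_order(NULL) allocates 0 bytes and every nexpire_bump() call would be an out-of-bounds write, which is the overrun the PR reports; fixed_order(NULL) allocates the default, fixed_order("100") falls back to the default because 100 is not a power of two, and fixed_order("0") still allocates 0 bytes, which is the remaining gap in the power-of-two check.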



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201110311622.p9VGM0eK076169>