From owner-freebsd-current@FreeBSD.ORG  Sat Feb  5 23:44:23 2005
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 3C25316A4CE
	for <current@freebsd.org>; Sat,  5 Feb 2005 23:44:23 +0000 (GMT)
Received: from stephanie.unixdaemons.com (stephanie.unixdaemons.com
	[67.18.111.194])
	by mx1.FreeBSD.org (Postfix) with ESMTP id BFE3843D2D
	for <current@freebsd.org>; Sat,  5 Feb 2005 23:44:22 +0000 (GMT)
	(envelope-from bmilekic@technokratis.com)
Received: from stephanie.unixdaemons.com (bmilekic@localhost.unixdaemons.com
	[127.0.0.1])j15NiIPw084500;	Sat, 5 Feb 2005 18:44:18 -0500 (EST)
Received: (from bmilekic@localhost)
	by stephanie.unixdaemons.com (8.13.3/8.12.1/Submit) id j15NiIeV084499;
	Sat, 5 Feb 2005 18:44:18 -0500 (EST)
	(envelope-from bmilekic@technokratis.com)
X-Authentication-Warning: stephanie.unixdaemons.com: bmilekic set sender to
	bmilekic@technokratis.com using -f
Date: Sat, 5 Feb 2005 18:44:18 -0500
From: Bosko Milekic <bmilekic@technokratis.com>
To: Kris Kennaway <kris@obsecurity.org>
Message-ID: <20050205234418.GA83746@technokratis.com>
References: <20050130094616.GA76093@peter.osted.lan>
	<20050202000613.GA9758@xor.obsecurity.org>
	<20050202001230.GA21847@xor.obsecurity.org>
	<20050202011157.GA55803@technokratis.com>
	<20050202023033.GA53440@xor.obsecurity.org>
	<20050205233734.GA96752@xor.obsecurity.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20050205233734.GA96752@xor.obsecurity.org>
User-Agent: Mutt/1.4.2.1i
cc: jroberson@chesapeake.net
cc: current@freebsd.org
Subject: Re: use-after-free in inodedep_lookup() (Re: Panic: Memory modified
	after free)
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
	<freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Feb 2005 23:44:23 -0000



On Sat, Feb 05, 2005 at 03:37:34PM -0800, Kris Kennaway wrote:
> On Tue, Feb 01, 2005 at 06:30:33PM -0800, Kris Kennaway wrote:
> 
> > Anyway, it panicked shortly after starting to exercise the FS, with:
> > 
> > login: panic: mutex  not owned at ../../../vm/vm_page.c:301
> > cpuid = 1
> > KDB: enter: panic
> > [thread pid 717 tid 100147 ]
> > Stopped at      kdb_enter+0x30: leave
> > db> tr
> > Tracing pid 717 tid 100147 td 0xc7f27a10
> > kdb_enter(c06fbf7a,1,c06fb4a2,eeca0968,c7f27a10) at kdb_enter+0x30
> > panic(c06fb4a2,c82cb120,c071204f,12d,c46bae28) at panic+0x13e
> > _mtx_assert(c07c4ac0,1,c071204f,12d,ffffffe2) at _mtx_assert+0x7c
> > vm_page_busy(c46bae28,0,c0710c9d,155,eeca0a2c) at vm_page_busy+0x2d
> > vm_fault(c1059000,c566a000,2,0,c7f27a10) at vm_fault+0x6c3
> > trap_pfault(eeca0b04,0,c566a008,eeca0af4,c566a008) at trap_pfault+0x166
> > trap(c0510018,c07c0010,10,c81c0800,c563638c) at trap+0x34c
> > calltrap() at calltrap+0x5
> > --- trap 0xc, eip = 0xc063af4a, esp = 0xeeca0b44, ebp = 0xeeca0b60 ---
> > inodedep_lookup(c81c0800,180803,1,eeca0b78,0) at inodedep_lookup+0x143
> 
> (kgdb) list *(inodedep_lookup+0x143)
> 0xc063c362 is in inodedep_lookup (../../../ufs/ffs/ffs_softdep.c:887).
> 882             if (inodedep_find(inodedephd, fs, inum, inodedeppp)) {
> 883                     FREE(inodedep, M_INODEDEP);
> 884                     return (1);
> 885             }
> 886             num_inodedep += 1;
> 887             inodedep->id_list.wk_type = D_INODEDEP;
> 888             inodedep->id_fs = fs;
> 889             inodedep->id_ino = inum;
> 890             inodedep->id_state = ALLCOMPLETE;
> 891             inodedep->id_nlinkdelta = 0;
> 
> This looks like a use-after-free of the inodedep.
> 
> Kris

   To elaborate a bit: the inodedep deref on line 887 triggers a fault
   because MemGuard has protected the page but the fault handling code
   panics while attempting to assert that the underlying object's mutex
   is owned.  The assertion is triggered as the mutex is not owned
   presumably because the object has been freed (it might be cached
   somewhere which explains why the deref of it did not trigger a second
   fault).

> > softdep_change_linkcnt(c8c99000,e0ccd600,4600,eeca0b9c,eeca0ba0) at softdep_change_linkcnt+0x4f
> > ufs_dirremove(c8b0b4e0,c8c99000,100800c,0,0) at ufs_dirremove+0x153
> > ufs_remove(eeca0c2c,c071c05e,2ac,c071c662,c8b0b4e0) at ufs_remove+0x60
> > VOP_REMOVE_AP(eeca0c2c,eeca0c28,2,c06fdcb8,c81b7400) at VOP_REMOVE_AP+0x78
> > kern_unlink(c7f27a10,80636a8,0,eeca0d40,c06b9eb6) at kern_unlink+0x186
> > unlink(c7f27a10,eeca0d14,3a6,c07184c4,c7f27a10) at unlink+0x22
> > syscall(2f,804002f,bfbf002f,1,804d000) at syscall+0x2c4
> > Xint0x80_syscall() at Xint0x80_syscall+0x1f
> > --- syscall (10, FreeBSD ELF32, unlink), eip = 0x280c5b63, esp = 0xbfbfec2c, ebp = 0xbfbfec58 ---
> > 
> > I don't know if this is a memguard bug or a FreeBSD bug.
> > 
> > Kris


-- 
Bosko Milekic
bmilekic@technokratis.com
bmilekic@FreeBSD.org