From owner-freebsd-bugs@FreeBSD.ORG Fri Mar 27 23:20:04 2009
Message-Id: <200903272310.n2RNA985001423@burrito.p2p.nttmcl.com>
Date: Fri, 27 Mar 2009 16:10:09 -0700 (PDT)
From: "Eugene M. Kim" <20080111.freebsd.org@ab.ote.we.lv>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/133143: Kernel panic with ubsec and cryptodev; induced by non-root users

>Number:         133143
>Category:       kern
>Synopsis:       Kernel panic with ubsec and cryptodev; induced by non-root users
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Mar 27 23:20:03 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Eugene M. Kim
>Release:        FreeBSD 6.4-RELEASE i386
>Organization:
>Environment:
System: FreeBSD paperboy.dev.p2p.nttmcl.com 6.4-RELEASE FreeBSD 6.4-RELEASE #1 r190431: Wed Mar 25 19:58:05 PDT 2009 root@burrito.p2p.nttmcl.com:/usr/obj/usr/src/sys/PAPERBOY i386

Hardware: Dell PowerEdge R300 with:
-- Intel Xeon E3110 - dual-core, 3.0GHz
-- 4GB memory (3326MB visible to the non-PAE kernel)
-- PCI-X riser card
-- Broadcom BCM95821SSN PCI-X cryptographic accelerator card

Kernel configuration:

--- BEGIN src/sys/i386/conf/PAPERBOY ---
include         SMP
ident           PAPERBOY
makeoptions     DEBUG=-g
options         KDB
options         KDB_TRACE
options         DDB
options         GDB
options         BREAK_TO_DEBUGGER
#options        ALT_BREAK_TO_DEBUGGER
options         INVARIANTS
options         INVARIANT_SUPPORT
options         FAST_IPSEC
device          crypto
device          cryptodev
device          ubsec
options         UBSEC_DEBUG
--- END src/sys/i386/conf/PAPERBOY ---

>Description:
The kernel randomly panics when running a multithreaded OpenSSL performance test program (even as a non-root user), with increasing panic probability as the number of threads used by the test program increases.

The test program is available at (link valid for 3 years):

http://purple.the-7.net/~ab/Temporary/GORCuns5zR/evptest.tar.bz2

--- BEGIN panic message ---
Memory modified after free 0xc9049000(4092) val=54c0f2f9 @ 0xc9049138
panic: Most recently used by devbuf
cpuid = 1
KDB: enter: panic
--- END panic message ---

The following stack trace was obtained via a remote GDB session; some argument values do not make sense (e.g. the size argument given to mtrash_ctor(), which should be 4092 but is negative); it might be a bug in GDB itself.

--- BEGIN stack trace ---
#0  0xc06d75bb in kdb_enter (msg=0x12 ) at cpufunc.h:60
#1  0xc06beb9b in panic (fmt=0xc09f730e "Most recently used by %s\n") at /usr/src/sys/kern/kern_shutdown.c:550
#2  0xc084b35d in mtrash_ctor (mem=0xc9049000, size=-1052561408, arg=0x0, flags=1) at /usr/src/sys/vm/uma_dbg.c:137
#3  0xc08494af in uma_zalloc_arg (zone=0xc1461b40, udata=0x0, flags=1) at /usr/src/sys/vm/uma_core.c:1849
#4  0xc06b3cba in malloc (size=3600, mtp=0xc0a5c100, flags=1) at uma.h:277
#5  0xc0638f4b in ubsec_newsession (arg=0xc8830000, sidp=0xeb188bfc, cri=0x12) at /usr/src/sys/dev/ubsec/ubsec.c:947
#6  0xc07d8c68 in crypto_newsession (sid=0xeb188c2c, cri=0xeb188c34, hard=1) at /usr/src/sys/opencrypto/crypto.c:354
#7  0xc07da1e5 in cryptof_ioctl (fp=0x12, cmd=3223085925, data=0x0, active_cred=0xc8ef0800, td=0xc902c480) at /usr/src/sys/opencrypto/cryptodev.c:264
#8  0xc06e2486 in ioctl (td=0xc902c480, uap=0xeb188d04) at file.h:265
#9  0xc0948b3f in syscall (frame=
      {tf_fs = -1081147333, tf_es = 672464955, tf_ds = -1081147333, tf_edi = 135852444, tf_esi = -1128460528, tf_ebp = -1128460648, tf_isp = -350712476, tf_ebx = 672572564, tf_edx = 0, tf_ecx = 135852416, tf_eax = 54, tf_trapno = 22, tf_err = 2, tf_eip = 673530195, tf_cs = 51, tf_eflags = 2097670, tf_esp = -1128460692, tf_ss = 59}) at /usr/src/sys/i386/i386/trap.c:984
#10 0xc093369f in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:200
#11 0x00000033 in ?? ()
--- END stack trace ---

This could also be a security issue, as non-root users can induce kernel panics, leading to denial of service.

>How-To-Repeat:
1. Compile and install a modified kernel with configuration shown above.
2. Reboot.
3. Run the supplied test program (evptest) as any user (root or non-root):

    $ tar -xjf evptest.tar.bz2
    $ cd evptest
    $ make cleandir
    $ make depend all
    $ ./evptest -h        # for help message
    $ ./evptest -t 100    # this uses 100 threads

>Fix:
None, other than disabling ubsec as a workaround.

>Release-Note:
>Audit-Trail:
>Unformatted:
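
How a junk-fill check of the kind that fired in mtrash_ctor() turns a late write into a report like the panic message above, as an added user-space example that is not part of the original PR and not FreeBSD source. The junk pattern, the one-word owner tag at the end of the block and all function names are assumptions of this model; the offset 0x138 and the value 0x54c0f2f9 are taken from the panic message.

```c
/* Added model of a junk-fill check; not FreeBSD source, names are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define JUNK    0xdeadc0deU   /* assumed pattern written over freed memory */
#define BLOCK   4096          /* bucket size that would serve malloc(3600) */
#define CHECKED (BLOCK - sizeof(uint32_t)) /* 4092: last word is the owner tag */
#define NWORDS  (CHECKED / sizeof(uint32_t))
static const char *owners[] = { "none", "devbuf" };

/* Free path: fill the checked area with junk and record the last owner. */
void trash_on_free(uint32_t *mem, uint32_t owner)
{
    for (size_t i = 0; i < NWORDS; i++) mem[i] = JUNK;
    mem[NWORDS] = owner;
}

/* Alloc path: byte offset of the first non-junk word, or -1 if intact. */
long trash_check(const uint32_t *mem, char *msg, size_t len)
{
    msg[0] = '\0';
    for (size_t i = 0; i < NWORDS; i++) {
        if (mem[i] == JUNK) continue;
        snprintf(msg, len, "modified after free (%zu) val=%x @ +0x%zx, used by %s",
            (size_t)CHECKED, (unsigned)mem[i], i * sizeof(uint32_t),
            mem[NWORDS] < 2 ? owners[mem[NWORDS]] : "?");
        return (long)(i * sizeof(uint32_t));
    }
    return -1;
}

/* Constructed scenario: the previous owner writes through a pointer it kept. */
long demo_stale_write(char *msg, size_t len)
{
    uint32_t *blk = malloc(BLOCK), *stale = blk;
    if (blk == NULL) return -2;
    trash_on_free(blk, 1);                         /* block handed back */
    stale[0x138 / sizeof(uint32_t)] = 0x54c0f2f9U; /* late write, values from the PR */
    long off = trash_check(blk, msg, len);         /* next allocation checks it */
    free(blk);
    return off;
}
int main(void)
{
    char msg[128];
    long off = demo_stale_write(msg, sizeof msg);
    printf("%s\n", msg);
    return off == 0x138 ? 0 : 1;
}
```

The check runs in the allocation path, so the thread that reports the damage (here the caller of malloc() in ubsec_newsession) is the next user of the block, not necessarily the code that wrote to it after free.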