Date:      Fri, 8 Apr 2005 12:55:35 -0700
From:      Kris Kennaway <kris@obsecurity.org>
To:        Kris Kennaway <kris@obsecurity.org>
Cc:        phk@freeBSD.org
Subject:   Re: NULL pointer deref in ptcread()
Message-ID:  <20050408195535.GA10868@xor.obsecurity.org>
In-Reply-To: <20050405174344.GA86957@xor.obsecurity.org>
References:  <20050405174344.GA86957@xor.obsecurity.org>


On Tue, Apr 05, 2005 at 10:43:44AM -0700, Kris Kennaway wrote:
> HEAD from yesterday on a SMP machine.
>
> Kris

FYI (well, slightly different panic), this was caused by resizing the
xterm that connected via ssh to screen running on this machine:

panic: clist reservation botch
cpuid = 1
KDB: enter: panic
[thread pid 720 tid 100222 ]
Stopped at      kdb_enter+0x30: leave
db> wh
Tracing pid 720 tid 100222 td 0xc5c0e170
kdb_enter(c06fa3a6,1,c06ff6b5,f7d31b30,c5c0e170) at kdb_enter+0x30
panic(c06ff6b5,c8951778,8,0,0) at panic+0x13e
b_to_q(f7d31b8c,7,c5864838,3f,f7d31b88) at b_to_q+0xd3
ttwrite(c5864800,f7d31c68,4,f7d31c40,c04e2fdd) at ttwrite+0x4a7
ptswrite(c5cfb600,f7d31c68,4,557,c5cfb600) at ptswrite+0x38
devfs_write_f(c5bb4438,f7d31c68,c5d2a200,0,c5c0e170) at devfs_write_f+0xc7
dofilewrite(c5c0e170,c5bb4438,3,809f000,100) at dofilewrite+0xb6
write(c5c0e170,f7d31d14,3a6,c0715405,c5c0e170) at write+0x6a
syscall(2f,2f,bfbf002f,0,100) at syscall+0x2c4
Xint0x80_syscall() at Xint0x80_syscall+0x1f
--- syscall (4, FreeBSD ELF32, write), eip = 0x2816fbb7, esp = 0xbfbfe3ec, ebp = 0xbfbfe408 ---

Process 720 is screen.  Looks like there's a race condition here.

Kris

> Fatal trap 12: page fault while in kernel mode
> cpuid = 1; apic id = 06
> fault virtual address   = 0x0
> fault code              = supervisor read, page not present
> instruction pointer     = 0x8:0xc06b4b02
> stack pointer           = 0x10:0xf7cb6b4c
> frame pointer           = 0x10:0xf7cb6b78
> code segment            = base 0x0, limit 0xfffff, type 0x1b
>                         = DPL 0, pres 1, def32 1, gran 1
> processor eflags        = interrupt enabled, resume, IOPL = 0
> current process         =3D 1182 (screen)
> [thread pid 1182 tid 100239 ]
> Stopped at      generic_bcopy+0x1a:     repe movsl      (%esi),%es:(%edi)
> db> wh
> Tracing pid 1182 tid 100239 td 0xc5a92b80
> generic_bcopy(c59aa438,f7cb6bb8,40,c0758280,1) at generic_bcopy+0x1a
> ptcread(c69b3d00,f7cb6c68,4,3ae,1000) at ptcread+0x180
> devfs_read_f(c5d8e558,f7cb6c68,c605e100,0,c5a92b80) at devfs_read_f+0xa7
> dofileread(c5a92b80,c5d8e558,7,bfbfd3f0,1000) at dofileread+0xc3
> read(c5a92b80,f7cb6d14,3a6,c0715022,c5a92b80) at read+0x6c
> syscall(2f,2f,bfbf002f,80aa050,0) at syscall+0x2c4
> Xint0x80_syscall() at Xint0x80_syscall+0x1f
> --- syscall (3, FreeBSD ELF32, read), eip = 0x2816fbd7, esp = 0xbfbfd3cc, ebp = 0xbfbfe408 ---
> db>

