Date:      Sat, 3 Apr 2004 14:21:08 -0700 (MST)
From:      "Ryan Sommers" <ryans@gamersimpact.com>
To:        current@freebsd.org
Subject:   Panic from bad length parameter in bind (Possible DOS attack)
Message-ID:  <49165.65.103.5.228.1081027268.squirrel@www2.neuroflux.com>

------=_20040403142108_17620
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit

Whenever I supply a length of 4 as the final bind parameter I get the
following panic. bind itself appears to return fine; however, when the
program exits, the kernel stumbles over a mutex associated with the
descriptor. The mutex passed to mtx_destroy() has MTX_RECURSED set. I
attempted to find where the call to bind was clobbering the mutex but
couldn't. I have attached the simple program that reproduces this. I was
able to trigger it as a regular user, so no privileges are needed to panic
the machine (a local denial of service).

panic: Assertion (m->mtx_lock & (MTX_RECURSED|MTX_CONTESTED)) == 0 failed
at /usr/src/sys/kern/kern_mutex.c:848
panic messages:
---
panic: Assertion (m->mtx_lock & (MTX_RECURSED|MTX_CONTESTED)) == 0 failed
at /usr/src/sys/kern/kern_mutex.c:848
at line 848 in file /usr/src/sys/kern/kern_mutex.c
Debugger("panic")
Dumping 511 MB
 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240 256 272 288 304 320
336 352 368 384 400 416 432 448 464 480 496
---
Reading symbols from /boot/kernel/radeon.ko...done.
Loaded symbols for /boot/kernel/radeon.ko
Reading symbols from /boot/kernel/acpi.ko...done.
Loaded symbols for /boot/kernel/acpi.ko
Reading symbols from
/usr/obj/usr/src/sys/LILSHADOW/modules/usr/src/sys/modules/linux/linux.ko.debug...done.
Loaded symbols for
/usr/obj/usr/src/sys/LILSHADOW/modules/usr/src/sys/modules/linux/linux.ko.debug
#0  doadump () at /usr/src/sys/kern/kern_shutdown.c:240
240		dumping++;
(kgdb) bt
#0  doadump () at /usr/src/sys/kern/kern_shutdown.c:240
#1  0xc042b962 in db_fncall (dummy1=0, dummy2=0, dummy3=-1067086860,
    dummy4=0xdc56f924 " ìfÀXùVÜ\026\032[ÀXùVÜ\203\032[À\220\a")
    at /usr/src/sys/ddb/db_command.c:551
#2  0xc042b768 in db_command (last_cmdp=0xc0645640, cmd_table=0x0,
    aux_cmd_tablep=0xc0615ef0, aux_cmd_tablep_end=0xc0615ef4)
    at /usr/src/sys/ddb/db_command.c:348
#3  0xc042b848 in db_command_loop () at /usr/src/sys/ddb/db_command.c:475
#4  0xc042dfdd in db_trap (type=3, code=0) at /usr/src/sys/ddb/db_trap.c:73
#5  0xc05b7d41 in kdb_trap (type=3, code=0, regs=0xdc56fa50)
    at /usr/src/sys/i386/i386/db_interface.c:172
#6  0xc05c7b0c in trap (frame=
      {tf_fs = -1067515880, tf_es = -1068695536, tf_ds = 16, tf_edi = 1,
tf_esi = -1067469665, tf_ebp = -598279532, tf_isp = -598279556,
tf_ebx = 0, tf_edx = 0, tf_ecx = -1061076992, tf_eax = 18, tf_trapno
= 3, tf_err = 0, tf_eip = -1067745359, tf_cs = 8, tf_eflags = 662,
tf_esp = -598279480, tf_ss = -598279500}) at
/usr/src/sys/i386/i386/trap.c:579
#7  0xc05b7fb1 in Debugger (msg=0xc05fc09b "panic") at machine/cpufunc.h:60
#8  0xc04bec03 in __panic (file=0xc05fb46e
"/usr/src/sys/kern/kern_mutex.c", line=848,
    fmt=0xc05fb49f "Assertion %s failed at %s:%d")
    at /usr/src/sys/kern/kern_shutdown.c:536
#9  0xc04b7706 in mtx_destroy (m=0x0) at /usr/src/sys/kern/kern_mutex.c:848
#10 0xc052b554 in in_pcbdetach (inp=0xc4257ca8) at
/usr/src/sys/netinet/in_pcb.c:697
#11 0xc053807a in tcp_close (tp=0x0) at /usr/src/sys/netinet/tcp_subr.c:746
#12 0xc053c152 in tcp_disconnect (tp=0xc42598b8)
    at /usr/src/sys/netinet/tcp_usrreq.c:1251
#13 0xc053b164 in tcp_usr_detach (so=0x0) at
/usr/src/sys/netinet/tcp_usrreq.c:179
#14 0xc04f0d0c in soclose (so=0xc4238e10) at
/usr/src/sys/kern/uipc_socket.c:380
#15 0xc04e3cea in soo_close (fp=0x0, td=0xc41b2690) at
/usr/src/sys/kern/sys_socket.c:244
#16 0xc04a7c7f in fdrop_locked (fp=0xc41dc7f8, td=0xc41b2690)
    at /usr/src/sys/sys/file.h:292
#17 0xc04a7078 in fdrop (fp=0xc41dc7f8, td=0xc41b2690)
    at /usr/src/sys/kern/kern_descrip.c:1883
#18 0xc04a704b in closef (fp=0xc41dc7f8, td=0xc41b2690)
    at /usr/src/sys/kern/kern_descrip.c:1869
#19 0xc04a68f3 in fdfree (td=0xc41b2690) at
/usr/src/sys/kern/kern_descrip.c:1586
#20 0xc04abf73 in exit1 (td=0xc41b2690, rv=-256) at
/usr/src/sys/kern/kern_exit.c:253
#21 0xc04abb14 in exit1 (td=0xc41b2690, rv=277) at
/usr/src/sys/kern/kern_exit.c:98
#22 0xc05c8277 in syscall (frame=
      {tf_fs = 47, tf_es = 47, tf_ds = 47, tf_edi = -1077940988, tf_esi =
-1077940980, tf_---Type <return> to continue, or q <return> to
quit---
ebp = -1077941044, tf_isp = -598278796, tf_ebx = 672344908, tf_edx =
672417764, tf_ecx = 671526944, tf_eax = 1, tf_trapno = 12, tf_err = 2,
tf_eip = 671871511, tf_cs = 31, tf_eflags = 662, tf_esp = -1077941072,
tf_ss = 47}) at /usr/src/sys/i386/i386/trap.c:1004
#23 0x280bf217 in ?? ()
---Can't read userspace from dump, or kernel process---

(kgdb) up 10
#10 0xc052b554 in in_pcbdetach (inp=0xc4257ca8) at
/usr/src/sys/netinet/in_pcb.c:697
697		INP_LOCK_DESTROY(inp);
(kgdb) list
692		}
693		if (inp->inp_options)
694			(void)m_free(inp->inp_options);
695		ip_freemoptions(inp->inp_moptions);
696		inp->inp_vflag = 0;
697		INP_LOCK_DESTROY(inp);
698	#ifdef MAC
699		mac_destroy_inpcb(inp);
700	#endif
701		uma_zfree(ipi->ipi_zone, inp);
(kgdb) print inp->inp_mtx
$1 = {mtx_object = {lo_class = 0xc062933c, lo_name = 0xc060548b "inp",
    lo_type = 0xc06064c4 "tcpinp", lo_flags = 4915200, lo_list = {tqe_next
= 0x0,
      tqe_prev = 0x0}, lo_witness = 0x0}, mtx_lock = 3290113681,
mtx_recurse = 1}
(kgdb) print *inp
$2 = {inp_hash = {le_next = 0x0, le_prev = 0x0}, inp_list = {le_next =
0xc4258000,
    le_prev = 0xc0655f7c}, inp_flow = 0, inp_inc = {inc_flags = 0 '\0',
    inc_len = 0 '\0', inc_pad = 0, inc_ie = {ie_fport = 0, ie_lport = 0,
      ie_dependfaddr = {ie46_foreign = {ia46_pad32 = {0, 0, 0}, ia46_addr4
= {
            s_addr = 0}}, ie6_foreign = {__u6_addr = {
            __u6_addr8 = '\0' <repeats 15 times>, __u6_addr16 = {0, 0, 0,
0, 0, 0, 0,
              0}, __u6_addr32 = {0, 0, 0, 0}}}}, ie_dependladdr =
{ie46_local = {
          ia46_pad32 = {0, 0, 0}, ia46_addr4 = {s_addr = 0}}, ie6_local =
{__u6_addr = {
            __u6_addr8 = '\0' <repeats 15 times>, __u6_addr16 = {0, 0, 0,
0, 0, 0, 0,
              0}, __u6_addr32 = {0, 0, 0, 0}}}}}}, inp_ppcb = 0x0,
  inp_pcbinfo = 0xc0655f80, inp_socket = 0xc4238e10, inp_label = 0x0,
inp_flags = 0,
  inp_sp = 0x0, inp_vflag = 0 '\0', inp_ip_ttl = 64 '@', inp_ip_p = 0 '\0',
  inp_depend4 = {inp4_ip_tos = 0 '\0', inp4_options = 0x0, inp4_moptions =
0x0},
  inp_depend6 = {inp6_options = 0x0, inp6_outputopts = 0x0, inp6_moptions
= 0x0,
    inp6_icmp6filt = 0x0, inp6_cksum = 0, inp6_ifindex = 0, inp6_hops = 0},
  inp_portlist = {le_next = 0x0, le_prev = 0x0}, inp_phd = 0x0, inp_gencnt
= 13,
  inp_mtx = {mtx_object = {lo_class = 0xc062933c, lo_name = 0xc060548b "inp",
      lo_type = 0xc06064c4 "tcpinp", lo_flags = 4915200, lo_list =
{tqe_next = 0x0,
        tqe_prev = 0x0}, lo_witness = 0x0}, mtx_lock = 3290113681,
mtx_recurse = 1}}
(kgdb) down
#9  0xc04b7706 in mtx_destroy (m=0x0) at /usr/src/sys/kern/kern_mutex.c:848
848			MPASS((m->mtx_lock & (MTX_RECURSED|MTX_CONTESTED)) == 0);
(kgdb) list
843		LOCK_LOG_DESTROY(&m->mtx_object, 0);
844
845		if (!mtx_owned(m))
846			MPASS(mtx_unowned(m));
847		else {
848			MPASS((m->mtx_lock & (MTX_RECURSED|MTX_CONTESTED)) == 0);
849
850			/* Tell witness this isn't locked to make it happy. */
851			WITNESS_UNLOCK(&m->mtx_object, LOP_EXCLUSIVE, __FILE__,
852			    __LINE__);
(kgdb) info args
m = (struct mtx *) 0x0
(kgdb) info locals
No locals.
(kgdb) up
#10 0xc052b554 in in_pcbdetach (inp=0xc4257ca8) at
/usr/src/sys/netinet/in_pcb.c:697
697		INP_LOCK_DESTROY(inp);
(kgdb) info args
inp = (struct inpcb *) 0xc4257ca8
(kgdb) info locals
so = (struct socket *) 0xc4238e10
ipi = (struct inpcbinfo *) 0xc0655f80
(kgdb) quit

-- 
Ryan "leadZERO" Sommers
Gamer's Impact President
ryans@gamersimpact.com
ICQ: 1019590
AIM/MSN: leadZERO

-= http://www.gamersimpact.com =-


------=_20040403142108_17620
Content-Type: application/octet-stream; name="serv.c"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="serv.c"

I2luY2x1ZGUgPHN0ZGlvLmg+CiNpbmNsdWRlIDxzeXMvc29ja2V0Lmg+CiNpbmNsdWRlIDxuZXRp
bmV0L2luLmg+CiNpbmNsdWRlIDxzeXMvdHlwZXMuaD4KCmludAptYWluKCkKewoJc3RydWN0IHNv
Y2thZGRyX2luIHNlcnZzYWRkcjsKCWludCBmZDsKCglmZD1zb2NrZXQoQUZfSU5FVCwgU09DS19T
VFJFQU0sIDApOwoJYmluZChmZCwgKHN0cnVjdCBzb2NrYWRkciAqKSZzZXJ2c2FkZHIsIDQpOwp9
Cg==
------=_20040403142108_17620--


