Date: Wed, 25 Sep 1996 04:55:13 +0200 (MET DST)
From: Tor Egge <Tor.Egge@idt.ntnu.no>
To: FreeBSD-gnats-submit@freebsd.org
Subject: kern/1677: read from /dev/kmem may crash system
Message-ID: <199609250255.EAA00645@ikke.idt.unit.no>
Resent-Message-ID: <199609250300.UAA19434@freefall.freebsd.org>
>Number: 1677
>Category: kern
>Synopsis: read from /dev/kmem may crash system
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Sep 24 20:00:03 PDT 1996
>Last-Modified:
>Originator: Tor Egge
>Organization:
Norwegian University of Science and Technology, Trondheim, Norway
>Release: FreeBSD 2.2-CURRENT i386
>Environment:
FreeBSD ikke.idt.unit.no 2.2-CURRENT FreeBSD 2.2-CURRENT #1: Sat Sep 21 21:36:42 MET DST 1996 root@ikke.idt.unit.no:/usr/src/sys/compile/TEGGE i386
>Description:
Seeking too far beyond the end of the kernel virtual memory area
and then reading from /dev/kmem triggers a panic.
>How-To-Repeat:
Compile and execute this program:
-----
#include <sys/types.h>
#include <stdio.h>
#include <assert.h>
#include <fcntl.h>
#include <unistd.h>	/* lseek(), read() */

int
main(void)
{
	off_t off = 0xffff0000u;	/* offset far beyond the kernel's mapped range */
	off_t noff;
	int fd;
	char buf[36];
	int got;

	fd = open("/dev/kmem", O_RDONLY, 0);
	printf("fd=%d\n", fd);
	noff = lseek(fd, off, SEEK_SET);
	printf("noff = %qd\n", noff);
	got = read(fd, buf, sizeof(buf));	/* this read triggers the panic */
	printf("got=%d\n", got);
	return 0;
}
----
And the result:
ikke:/export/akg5/crash$ gdb -k /TEGGE/kernel vmcore.3
GDB is free software and you are welcome to distribute copies of it
under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.13 (i386-unknown-freebsd),
Copyright 1994 Free Software Foundation, Inc...
IdlePTD 204000
current pcb at 1e0f38
panic: page fault
#0 boot (howto=256) at ../../kern/kern_shutdown.c:237
237 dumppcb.pcb_cr3 = rcr3();
(kgdb) where
#0 boot (howto=256) at ../../kern/kern_shutdown.c:237
#1 0xf0112206 in panic (fmt=0xf01bb90f "page fault")
at ../../kern/kern_shutdown.c:361
#2 0xf01bc46a in trap_fatal (frame=0xefbffde0) at ../../i386/i386/trap.c:741
#3 0xf01bbf5c in trap_pfault (frame=0xefbffde0, usermode=0)
at ../../i386/i386/trap.c:652
#4 0xf01bbc3f in trap (frame={tf_es = 16, tf_ds = 16, tf_edi = -65536,
tf_esi = -65536, tf_ebp = -272630228, tf_isp = -272630264,
tf_ebx = -266447080, tf_edx = 1048560, tf_ecx = 2113536,
tf_eax = -272629760, tf_trapno = 12, tf_err = 0, tf_eip = -266633792,
tf_cs = 8, tf_eflags = 66070, tf_esp = -266447080, tf_ss = -272629964})
at ../../i386/i386/trap.c:311
#5 0xf01b3801 in calltrap ()
#6 0xf01b6dd0 in mmrw (dev=513, uio=0xefbfff34, flags=0)
at ../../i386/i386/mem.c:241
#7 0xf0138c77 in spec_read (ap=0xefbffee8)
at ../../miscfs/specfs/spec_vnops.c:261
#8 0xf01a2cb9 in ufsspec_read (ap=0xefbffee8)
at ../../ufs/ufs/ufs_vnops.c:1858
#9 0xf0134d26 in vn_read (fp=0xf40b6b80, uio=0xefbfff34, cred=0xf3fdaa00)
at ./vnode_if.h:255
#10 0xf0119027 in read (p=0xf40af600, uap=0xefbfff94, retval=0xefbfff84)
at ../../kern/sys_generic.c:116
---Type <return> to continue, or q <return> to quit---qQuit
(kgdb) up 6
#6 0xf01b6dd0 in mmrw (dev=513, uio=0xefbfff34, flags=0)
at ../../i386/i386/mem.c:241
241 if (pmap_extract(kernel_pmap, addr) == 0)
(kgdb) print *uio
$1 = {uio_iov = 0xefbfff2c, uio_iovcnt = 1, uio_offset = 0x00000000ffff0000,
uio_resid = 36, uio_segflg = UIO_USERSPACE, uio_rw = UIO_READ,
uio_procp = 0xf40af600}
(kgdb) list
236 * that we don't create any zero-fill pages.
237 */
238 addr = trunc_page(uio->uio_offset);
239 eaddr = round_page(uio->uio_offset + c);
240 for (; addr < eaddr; addr += PAGE_SIZE)
241 if (pmap_extract(kernel_pmap, addr) == 0)
242 return EFAULT;
243
244 if (!kernacc((caddr_t)(int)uio->uio_offset, c,
245 uio->uio_rw == UIO_READ ? B_READ : B_WRITE))
-----
>Fix:
>Audit-Trail:
>Unformatted:
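The gdb listing above shows the checks mmrw() runs before touching kernel memory: the request is rounded out to whole pages with trunc_page()/round_page(), each page is probed with pmap_extract(), and then kernacc() is consulted. The following is an added example, not code from the PR or from FreeBSD's mem.c: a user-space model of that page-range arithmetic with a hypothetical address-range pre-check placed in front of the per-page probe, so that an offset like the reporter's 0xffff0000 is rejected with EFAULT before any page table lookup happens. PAGE_SIZE is 4096 as on i386; the KVA_MIN/KVA_MAX bounds and the pre-check itself are assumptions for illustration, not the project's fix, and the model also rejects requests whose offset plus length would not fit in a 32-bit address, which the listed kernel code does not show.

```c
/*
 * Added example (not part of the PR or of FreeBSD's mem.c): a user-space
 * model of the page-range arithmetic mmrw() performs for /dev/kmem, with a
 * hypothetical kernel-address-range pre-check in front of the per-page
 * pmap_extract() probe. KVA_MIN/KVA_MAX are constructed placeholder bounds.
 */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define PAGE_SIZE      4096u
#define PAGE_MASK      (PAGE_SIZE - 1)
#define trunc_page(x)  ((uint32_t)(x) & ~(uint32_t)PAGE_MASK)
#define round_page(x)  (((uint32_t)(x) + PAGE_MASK) & ~(uint32_t)PAGE_MASK)

/* Constructed placeholder bounds for the kernel virtual address range. */
#define KVA_MIN 0xf0000000u
#define KVA_MAX 0xff800000u   /* exclusive upper bound */

enum kmem_verdict { KMEM_OK, KMEM_EFAULT_RANGE, KMEM_EFAULT_WRAP };

/*
 * Decide whether a /dev/kmem access of len bytes at offset off may proceed
 * to the per-page probe. On KMEM_OK, *first and *last_excl receive the
 * page-aligned range the listed loop would walk.
 */
enum kmem_verdict
kmem_check_range(uint64_t off, size_t len, uint32_t *first, uint32_t *last_excl)
{
    uint64_t end = off + (uint64_t)len;

    /* Reject requests whose end does not fit in a 32-bit address. */
    if (end < off || end > 0xffffffffull)
        return KMEM_EFAULT_WRAP;
    /* Hypothetical pre-check: only probe pages inside the kernel VA range. */
    if (off < KVA_MIN || end > KVA_MAX)
        return KMEM_EFAULT_RANGE;
    *first = trunc_page(off);
    *last_excl = round_page(end);
    return KMEM_OK;
}

/* Convenience wrapper that returns only the verdict. */
enum kmem_verdict
kmem_verdict_for(uint64_t off, size_t len)
{
    uint32_t first, last;
    return kmem_check_range(off, len, &first, &last);
}

/* Number of pages the probe loop would visit; 0 when the request is refused. */
unsigned
kmem_probe_pages(uint64_t off, size_t len)
{
    uint32_t first, last;
    if (kmem_check_range(off, len, &first, &last) != KMEM_OK)
        return 0;
    return (last - first) / PAGE_SIZE;
}

int
main(void)
{
    /* The reporter's request: uio_offset = 0xffff0000, uio_resid = 36. */
    printf("0xffff0000/36: verdict=%d pages=%u\n",
           (int)kmem_verdict_for(0xffff0000ull, 36),
           kmem_probe_pages(0xffff0000ull, 36));
    /* A constructed in-range request that straddles a page boundary. */
    printf("0xf0100ff0/36: verdict=%d pages=%u\n",
           (int)kmem_verdict_for(0xf0100ff0ull, 36),
           kmem_probe_pages(0xf0100ff0ull, 36));
    return 0;
}
```

With the placeholder bounds, the reporter's offset is refused before any page is probed, while an in-range 36-byte read starting 16 bytes before a page boundary is rounded out to two pages, which is exactly the range the listed for loop would hand to pmap_extract().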