From: Tom Judge <tom@tomjudge.com>
Date: Fri, 28 Jan 2011 10:08:37 -0600
To: freebsd-security@freebsd.org
Subject: Re: Recent full disclosure post - Local DOS
Message-ID: <4D42EA05.2070707@tomjudge.com>
In-Reply-To: <4D42D2B2.4030806@tomjudge.com>

On 01/28/2011 08:29 AM, Tom Judge wrote:
>
> Has anyone looked at this:
>
> [Full-disclosure] FreeBSD local denial of service - forced reboot
>
> http://lists.grok.org.uk/pipermail/full-disclosure/2011-January/078836.html
>

I have done some simple tests on ESXi 4.1.0, 260247.

releng/8.1 - i386 - Not repeatable.
releng/8.2-RC1 - amd64 - Not repeatable.
current 9.0-CURRENT-201011 - i386 - Repeatable:

Unread portion of the kernel message buffer:
panic: tcp_output: mbuf chain shorter than expected
cpuid = 0
KDB: enter: panic
Physical memory: 239 MB
Dumping 99 MB: 84 68 52 36 20 4

(kgdb) bt
#0  doadump () at pcpu.h:231
#1  0xc04d5809 in db_fncall (dummy1=1, dummy2=0, dummy3=-1057111072, dummy4=0xcd0cc78c "") at /usr/src/sys/ddb/db_command.c:548
#2  0xc04d5c01 in db_command (last_cmdp=0xc0e0e27c, cmd_table=0x0, dopager=1) at /usr/src/sys/ddb/db_command.c:445
#3  0xc04d5d5a in db_command_loop () at /usr/src/sys/ddb/db_command.c:498
#4  0xc04d7c7d in db_trap (type=3, code=0) at /usr/src/sys/ddb/db_main.c:229
#5  0xc08ee99e in kdb_trap (type=3, code=0, tf=0xcd0cc930) at /usr/src/sys/kern/subr_kdb.c:546
#6  0xc0bfcf5b in trap (frame=0xcd0cc930) at /usr/src/sys/i386/i386/trap.c:732
#7  0xc0be5e8c in calltrap () at /usr/src/sys/i386/i386/exception.s:168
#8  0xc08eeb6a in kdb_enter (why=0xc0cddbdf "panic", msg=0xc0cddbdf "panic") at cpufunc.h:71
#9  0xc08bba04 in panic (fmt=0xc0cfb014 "%s: mbuf chain shorter than expected") at /usr/src/sys/kern/kern_shutdown.c:574
#10 0xc0a3ecc6 in tcp_output (tp=0xc2789768) at /usr/src/sys/netinet/tcp_output.c:1084
#11 0xc0a4a309 in tcp_ctloutput (so=0xc3a179a8, sopt=0xcd0ccc0c) at /usr/src/sys/netinet/tcp_usrreq.c:1328
#12 0xc092742d in sosetopt (so=0xc3a179a8, sopt=0xcd0ccc0c) at /usr/src/sys/kern/uipc_socket.c:2396
#13 0xc092ec95 in kern_setsockopt (td=0xc33b1b40, s=4, level=6, name=4, val=0xbfbfdacc, valseg=UIO_USERSPACE, valsize=4) at /usr/src/sys/kern/uipc_syscalls.c:1335
#14 0xc092ed1e in setsockopt (td=0xc33b1b40, uap=0xcd0cccec) at /usr/src/sys/kern/uipc_syscalls.c:1290
#15 0xc08fc103 in syscallenter (td=0xc33b1b40, sa=0xcd0ccce4) at /usr/src/sys/kern/subr_trap.c:318
#16 0xc0bfc804 in syscall (frame=0xcd0ccd28) at /usr/src/sys/i386/i386/trap.c:1095
#17 0xc0be5ef1 in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:266
#18 0x00000033 in ?? ()
Previous frame inner to this frame (corrupt stack?)
(kgdb)

Non-ESXi armv5te IOP 80321 current -r216409 - Not repeatable.

I am in the process of building a more up to date current to do another test.

Tom

--
TJU13-ARIN
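Triaging a kgdb backtrace like the one above, as an added example that is not part of the original message and not FreeBSD code: the script below parses the `#N 0x... in func (args) at file:line` frames, extracts the panic format string, recovers the kernel call path from the syscall handler down to panic() (skipping the ddb/kdb/trap frames that sit above it), and decodes the `kern_setsockopt` arguments visible in frame #13. The `SAMPLE_BT` input is constructed from the frames quoted in the post (the ddb/trap frames #1-#7 are omitted to keep it short). The level/option tables are the FreeBSD values from `sys/netinet/in.h` and `sys/netinet/tcp.h`; reading `level=6, name=4` as `IPPROTO_TCP` / `TCP_NOPUSH` is this script's decoding of the frame, not something the post states.

```python
import re

# Constructed sample: the frames quoted in the post, abridged (#1-#7 omitted).
SAMPLE_BT = """
(kgdb) bt
#0  doadump () at pcpu.h:231
#8  0xc08eeb6a in kdb_enter (why=0xc0cddbdf "panic", msg=0xc0cddbdf "panic") at cpufunc.h:71
#9  0xc08bba04 in panic (fmt=0xc0cfb014 "%s: mbuf chain shorter than expected") at /usr/src/sys/kern/kern_shutdown.c:574
#10 0xc0a3ecc6 in tcp_output (tp=0xc2789768) at /usr/src/sys/netinet/tcp_output.c:1084
#11 0xc0a4a309 in tcp_ctloutput (so=0xc3a179a8, sopt=0xcd0ccc0c) at /usr/src/sys/netinet/tcp_usrreq.c:1328
#12 0xc092742d in sosetopt (so=0xc3a179a8, sopt=0xcd0ccc0c) at /usr/src/sys/kern/uipc_socket.c:2396
#13 0xc092ec95 in kern_setsockopt (td=0xc33b1b40, s=4, level=6, name=4, val=0xbfbfdacc, valseg=UIO_USERSPACE, valsize=4) at /usr/src/sys/kern/uipc_syscalls.c:1335
#14 0xc092ed1e in setsockopt (td=0xc33b1b40, uap=0xcd0cccec) at /usr/src/sys/kern/uipc_syscalls.c:1290
#15 0xc08fc103 in syscallenter (td=0xc33b1b40, sa=0xcd0ccce4) at /usr/src/sys/kern/subr_trap.c:318
#16 0xc0bfc804 in syscall (frame=0xcd0ccd28) at /usr/src/sys/i386/i386/trap.c:1095
#17 0xc0be5ef1 in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:266
#18 0x00000033 in ?? ()
Previous frame inner to this frame (corrupt stack?)
"""

# One kgdb frame: "#N [0xADDR in] func (args) [at file:line]".
FRAME_RE = re.compile(
    r'^#(?P<num>\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(?P<func>\S+)\s+'
    r'\((?P<args>.*)\)(?:\s+at\s+(?P<file>\S+):(?P<line>\d+))?\s*$'
)
# name=value pairs; a value may contain a quoted string with commas inside.
ARG_RE = re.compile(r'(\w+)=((?:[^,"]|"[^"]*")+)')

# FreeBSD socket levels (sys/netinet/in.h, sys/socket.h) and TCP-level
# option names (sys/netinet/tcp.h); only the ones needed here are listed.
LEVELS = {0: "IPPROTO_IP", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP",
          41: "IPPROTO_IPV6", 0xffff: "SOL_SOCKET"}
TCP_OPTS = {1: "TCP_NODELAY", 2: "TCP_MAXSEG", 4: "TCP_NOPUSH", 8: "TCP_NOOPT",
            0x10: "TCP_MD5SIG", 0x20: "TCP_INFO", 0x40: "TCP_CONGESTION"}

# Frames at which the kernel entered from user space; the path stops here.
SYSCALL_ENTRY = {"syscallenter", "syscall", "amd64_syscall"}


def parse_backtrace(text):
    """Return a list of frame dicts; non-frame lines (prompt, notes) are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        args = {k: v.strip() for k, v in ARG_RE.findall(m.group("args"))}
        frames.append({
            "num": int(m.group("num")),
            "func": m.group("func"),
            "args": args,
            "file": m.group("file"),
            "line": int(m.group("line")) if m.group("line") else None,
        })
    return frames


def panic_message(frames):
    """The format string kgdb printed next to panic()'s fmt pointer, or None."""
    for f in frames:
        if f["func"] == "panic" and "fmt" in f["args"]:
            m = re.search(r'"(.*)"', f["args"]["fmt"])
            return m.group(1) if m else f["args"]["fmt"]
    return None


def kernel_path(frames):
    """Call chain in call order: first frame after syscall entry ... panic."""
    funcs = [f["func"] for f in frames]
    if "panic" not in funcs:
        return []
    path = []
    for name in funcs[funcs.index("panic"):]:
        if name in SYSCALL_ENTRY:
            break
        path.append(name)
    path.reverse()
    return path


def decode_setsockopt(frames):
    """Decode fd/level/option/valsize from the kern_setsockopt frame, if present."""
    for f in frames:
        if f["func"] == "kern_setsockopt":
            a = f["args"]
            level = int(a["level"], 0)
            name = int(a["name"], 0)
            opts = TCP_OPTS if level == 6 else {}
            return {"fd": int(a["s"], 0),
                    "level": LEVELS.get(level, level),
                    "name": opts.get(name, name),
                    "valsize": int(a["valsize"], 0)}
    return None


if __name__ == "__main__":
    frames = parse_backtrace(SAMPLE_BT)
    print("panic:", panic_message(frames))
    print("path :", " -> ".join(kernel_path(frames)))
    print("call :", decode_setsockopt(frames))
```

The path it recovers here is setsockopt -> kern_setsockopt -> sosetopt -> tcp_ctloutput -> tcp_output -> panic, with the user call decoded as setsockopt(4, IPPROTO_TCP, TCP_NOPUSH, ..., 4). That is exactly the information worth carrying into a bug report when comparing repeatable and non-repeatable builds, since it pins the panic to a specific socket-option path rather than to the data path.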