Date:      Fri, 28 Jan 2011 10:08:37 -0600
From:      Tom Judge <tom@tomjudge.com>
To:        freebsd-security@freebsd.org
Subject:   Re: Recent full disclosure post - Local DOS
Message-ID:  <4D42EA05.2070707@tomjudge.com>
In-Reply-To: <4D42D2B2.4030806@tomjudge.com>
References:  <4D42D2B2.4030806@tomjudge.com>

On 01/28/2011 08:29 AM, Tom Judge wrote:
> 
> Has anyone looked at this:
> 
> [Full-disclosure] FreeBSD local denial of service - forced reboot
> 
> http://lists.grok.org.uk/pipermail/full-disclosure/2011-January/078836.html
> 

I have done some simple tests on ESXi 4.1.0, 260247.

releng/8.1 - i386 - Not repeatable.

releng/8.2-RC1 - amd64 - Not repeatable.


current 9.0-CURRENT-201011 - i386 - Repeatable:

Unread portion of the kernel message buffer:
panic: tcp_output: mbuf chain shorter than expected
cpuid = 0
KDB: enter: panic
Physical memory: 239 MB
Dumping 99 MB: 84 68 52 36 20 4


(kgdb) bt
#0  doadump () at pcpu.h:231
#1  0xc04d5809 in db_fncall (dummy1=1, dummy2=0, dummy3=-1057111072,
dummy4=0xcd0cc78c "") at /usr/src/sys/ddb/db_command.c:548
#2  0xc04d5c01 in db_command (last_cmdp=0xc0e0e27c, cmd_table=0x0,
dopager=1) at /usr/src/sys/ddb/db_command.c:445
#3  0xc04d5d5a in db_command_loop () at /usr/src/sys/ddb/db_command.c:498
#4  0xc04d7c7d in db_trap (type=3, code=0) at /usr/src/sys/ddb/db_main.c:229
#5  0xc08ee99e in kdb_trap (type=3, code=0, tf=0xcd0cc930) at
/usr/src/sys/kern/subr_kdb.c:546
#6  0xc0bfcf5b in trap (frame=0xcd0cc930) at
/usr/src/sys/i386/i386/trap.c:732
#7  0xc0be5e8c in calltrap () at /usr/src/sys/i386/i386/exception.s:168
#8  0xc08eeb6a in kdb_enter (why=0xc0cddbdf "panic", msg=0xc0cddbdf
"panic") at cpufunc.h:71
#9  0xc08bba04 in panic (fmt=0xc0cfb014 "%s: mbuf chain shorter than
expected") at /usr/src/sys/kern/kern_shutdown.c:574
#10 0xc0a3ecc6 in tcp_output (tp=0xc2789768) at
/usr/src/sys/netinet/tcp_output.c:1084
#11 0xc0a4a309 in tcp_ctloutput (so=0xc3a179a8, sopt=0xcd0ccc0c) at
/usr/src/sys/netinet/tcp_usrreq.c:1328
#12 0xc092742d in sosetopt (so=0xc3a179a8, sopt=0xcd0ccc0c) at
/usr/src/sys/kern/uipc_socket.c:2396
#13 0xc092ec95 in kern_setsockopt (td=0xc33b1b40, s=4, level=6, name=4,
val=0xbfbfdacc, valseg=UIO_USERSPACE, valsize=4) at
/usr/src/sys/kern/uipc_syscalls.c:1335
#14 0xc092ed1e in setsockopt (td=0xc33b1b40, uap=0xcd0cccec) at
/usr/src/sys/kern/uipc_syscalls.c:1290
#15 0xc08fc103 in syscallenter (td=0xc33b1b40, sa=0xcd0ccce4) at
/usr/src/sys/kern/subr_trap.c:318
#16 0xc0bfc804 in syscall (frame=0xcd0ccd28) at
/usr/src/sys/i386/i386/trap.c:1095
#17 0xc0be5ef1 in Xint0x80_syscall () at
/usr/src/sys/i386/i386/exception.s:266
#18 0x00000033 in ?? ()
Previous frame inner to this frame (corrupt stack?)
(kgdb)
Non-ESXi armv5te IOP 80321
current -r216409 - Not repeatable.


I am in the process of building a more up to date current to do another
test.

Tom

-- 
TJU13-ARIN