From owner-freebsd-bugs Sat Feb 3 05:30:09 1996
Return-Path: owner-bugs
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id FAA29064 for bugs-outgoing; Sat, 3 Feb 1996 05:30:09 -0800 (PST)
Received: (from gnats@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id FAA29045 Sat, 3 Feb 1996 05:30:06 -0800 (PST)
Resent-Date: Sat, 3 Feb 1996 05:30:06 -0800 (PST)
Resent-Message-Id: <199602031330.FAA29045@freefall.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org, graichen@omega.physik.fu-berlin.de
Received: from omega.physik.fu-berlin.de (omega.physik.fu-berlin.de [130.133.3.51]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id FAA28342 for ; Sat, 3 Feb 1996 05:19:54 -0800 (PST)
Received: from prospero.physik.fu-berlin.de (lislip.physik.fu-berlin.de [130.133.3.126]) by omega.physik.fu-berlin.de (8.7.1/8.7.1) with ESMTP id OAA03190 for ; Sat, 3 Feb 1996 14:19:50 +0100 (MET)
Received: (from graichen@localhost) by prospero (8.6.12/8.6.12) id MAA01092; Sat, 3 Feb 1996 12:36:00 +0100
Message-Id: <199602031136.MAA01092@prospero>
Date: Sat, 3 Feb 1996 12:36:00 +0100
From: Thomas Graichen
Reply-To: graichen@omega.physik.fu-berlin.de
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.2
Subject: kern/992: can crash the system using modload
Sender: owner-bugs@FreeBSD.org
Precedence: bulk

>Number: 992
>Category: kern
>Synopsis: it is possible to crash the system using modload
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Feb 3 05:30:05 PST 1996
>Last-Modified:
>Originator: Thomas Graichen
>Organization:
thomas graichen
graichen@mail.physik.fu-berlin.de
graichen@FreeBSD.org

perfection is reached, not when there is no longer anything to add,
but when there is no longer anything to take away
antoine de saint-exupery
>Release: FreeBSD 2.1-STABLE i386
>Environment:

FreeBSD 2.1.0-RELEASE #0: Fri Feb 2 13:20:53 MET 1996
root@prospero:/usr/src/sys/compile/KERNEL_CONFIG
CPU: i486DX (486-class CPU)
real memory = 20971520 (20480K bytes)
avail memory = 19296256 (18844K bytes)
Probing for devices on the ISA bus:
ed0 at 0x280-0x29f irq 5 on isa
ed0: address 00:40:95:20:0a:14, type NE2000 (16 bit)
vt0 at 0x60-0x6f irq 1 on motherboard
vt0: tvga 8900cl, 80/132 col, mono, 2 scr, mf2-kbd, [R3.20-b24]
sio0 at 0x3f8-0x3ff irq 4 on isa
sio0: type 16450
sio1 at 0x2f8-0x2ff irq 3 on isa
sio1: type 16450wdc0 at 0x1f0-0x1f7 irq 14 on isa
sio3 at 0x2e8-0x2ef irq 9 on isa
sio3: type 16550A
lpt0 at 0x378-0x37f irq 7 on isa
lpt0: Interrupt-driven port
lp0: TCP/IP capable interface
fdc0 at 0x3f0-0x3f7 irq 6 drq 2 on isa
fdc0: NEC 765
fd0: 1.44MB 3.5in
wdc0: unit 0 (wd0): , multi-block-8
wd0: 516MB (1058400 sectors), 1050 cyls, 16 heads, 63 S/T, 512 B/S
wdc0: unit 1 (atapi): , removable, intr, iordis
wcd0: 299Kb/sec, 128Kb cache, audio play, 255 volume levels, ejectable tray
wcd0: no disc inside, unlocked
wdc1 at 0x170-0x177 irq 15 on isa
wdc1: unit 0 (wd2): , multi-block-8
wd2: 406MB (832288 sectors), 839 cyls, 16 heads, 62 S/T, 512 B/S
npx0 on motherboard
npx0: INT 16 interface

>Description:

it is possible to crash a system by running:

  modload -e kernfs_init -u -q -o /tmp/kernfs_mod /lkm/kernfs_mod.o

or

  modload -e union_init -u -q -o /tmp/union_mod /lkm/union_mod.o

ok - the commandline is a bit bogus - but it should definitely not crash
the system (an error from modload or the kernel would be enough i think)

here's what gdb -k says:

root@prospero:/var/crash> gdb -k kernel.0 vmcore.0
GDB is free software and you are welcome to distribute copies of it
under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.13 (i386-unknown-freebsd), Copyright 1994 Free Software Foundation, Inc...(no debugging symbols found)...
IdlePTD 192000
current pcb at 18a588
panic: loadable module initialization failed
#0 0xf0157985 in boot ()
(kgdb) where
#0 0xf0157985 in boot ()
#1 0xf010d413 in panic ()
#2 0xf0104b83 in lkmcioctl ()
#3 0xf01291d1 in spec_ioctl ()
#4 0xf01280c8 in vn_ioctl ()
#5 0xf010ec37 in ioctl ()
#6 0xf015c91f in syscall ()
#7 0xf01554db in Xsyscall ()
#8 0x10d3 in ?? ()
(kgdb)

>How-To-Repeat:

run one of the above commands

>Fix:

no idea

>Audit-Trail:
>Unformatted:
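
Added example (not part of the original report and not FreeBSD source): a user-space C model of the behaviour the report asks for, where a module entry point that fails makes the load request return an error and release its reserved slot instead of reaching panic(). All names here (lkm_model_load, lkm_model_used, struct slot, good_init, bad_init) are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical user-space model; not FreeBSD kernel code. */
#define MAXSLOTS 4
typedef int (*entry_fn)(void);          /* 0 = ok, else an errno value */
struct slot { int used; char name[32]; entry_fn entry; };
static struct slot slots[MAXSLOTS];

/* Constructed sample entry points. */
static int good_init(void) { return 0; }
static int bad_init(void)  { return EINVAL; }  /* an init that fails */

/* Number of slots currently held, so a caller can check nothing leaked. */
int lkm_model_used(void)
{
    int i, n = 0;
    for (i = 0; i < MAXSLOTS; i++)
        n += slots[i].used;
    return n;
}

/* Load request: a failing entry point is a bad request from the caller,
 * so the reservation is rolled back and the errno value is returned. */
int lkm_model_load(const char *name, entry_fn entry)
{
    struct slot *s = NULL;
    int i, error;

    if (name == NULL || entry == NULL)
        return EINVAL;
    for (i = 0; i < MAXSLOTS && s == NULL; i++)
        if (!slots[i].used)
            s = &slots[i];
    if (s == NULL)
        return ENOMEM;                  /* table full */

    s->used = 1;
    strncpy(s->name, name, sizeof(s->name) - 1);
    s->name[sizeof(s->name) - 1] = '\0';
    s->entry = entry;
    error = entry();
    if (error != 0) {
        memset(s, 0, sizeof(*s));       /* undo the reservation */
        return error;
    }
    return 0;
}
```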