From: Kris Kennaway <kris@obsecurity.org>
To: JINMEI Tatuya
Cc: net@FreeBSD.org, Kris Kennaway
Date: Fri, 10 Feb 2006 22:50:25 -0500
Subject: Re: Changing time causes ipv6 panics
Message-ID: <20060211035025.GA77114@xor.obsecurity.org>

On Tue, Feb 07, 2006 at 07:16:09PM +0900, JINMEI Tatuya wrote:
> >>>>> On Tue, 7 Feb 2006 00:45:02 -0500,
> >>>>> Kris Kennaway said:
>
> >> I ran ntpdate on an amd64 system with ipv6 enabled and a skewed clock
> >> (ntpdate stepped it back by about an hour), and immediately got a
> >> use-after-free panic in ifaddr.  When I rebooted with memguard enabled
> >> on this malloc type and retried, I got this panic upon changing the
> >> date forward, then back, then forward again (also note the garbage
> >> return data from ntpdate):
>
> > Has anyone looked at this?  This is on the TODO list for 6.1, so the
> > sooner it can be resolved the better.
>
> Sorry, not really (we've not got a test environment to reproduce it).
> But from a quick review of nd6.c, there seems to be one thing that is
> obviously wrong.  The possible bug has been there since rev. 1.19
> committed in April 2002.  We've been probably just lucky so far...
>
> Could you try the patch attached below?  We'll probably also need to
> apply this fix to 4.X and 5.X.

The patch did not fix the panic.

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0xffffffff919d5198
fault code              = supervisor write, protection violation
instruction pointer     = 0x8:0xffffffff8031fa76
stack pointer           = 0x10:0xffffffffbcda4b60
frame pointer           = 0x10:0xffffffffbcda4b90
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 14 (swi4: clock sio)
[thread pid 14 tid 100010 ]
Stopped at      nd6_timer+0x106:        movl    %eax,0x198(%rbx)
db> wh
Tracing pid 14 tid 100010 td 0xffffff03e15d6c30
nd6_timer() at nd6_timer+0x106
softclock() at softclock+0x279
ithread_execute_handlers() at ithread_execute_handlers+0x12f
ithread_loop() at ithread_loop+0x99
fork_exit() at fork_exit+0xdf
fork_trampoline() at fork_trampoline+0xe
--- trap 0, rip = 0, rsp = 0xffffffffbcda4d40, rbp = 0 ---
db>

> (a note about the patch: the first chunk is actually not related to
> the bug, but I could not miss the trivial typo)

You missed the other one though :-)

> - * However, from a stricter speci-confrmance standpoint, we should
> + * However, from a stricter spec-confrmance standpoint, we should
                                        ^o

Kris