From: Dmitry Krivenok <krivenok.dmitry@gmail.com>
To: Ivan Klymenko
Cc: freebsd-hackers@freebsd.org
Date: Fri, 26 Nov 2010 14:31:53 +0300
In-Reply-To: <20101126124922.3947bab4@ukr.net>
References: <20101126122639.4fd47cba@ukr.net> <20101126124922.3947bab4@ukr.net>
Subject: Re: Simple kernel attack using socketpair.

I ran it on 8.0 and CURRENT and got a fatal double fault on both systems:

========================================================
Unread portion of the kernel message buffer:
kern.maxfiles limit exceeded by uid 1001, please see tuning(7).

Fatal double fault
rip = 0xffffffff80615f54
rsp = 0xffffff803c1fa000
rbp = 0xffffff803c1fa000
cpuid = 0; apic id = 00
panic: double fault
cpuid = 0
KDB: enter: panic
Uptime: 8d21h9m48s
Physical memory: 983 MB
Dumping 244 MB: 229 213 197 181 165 149 133 117 101 85 69 53 37 21 5

Reading symbols from /boot/modules/bwn_v4_lp_ucode.ko...done.
Loaded symbols for /boot/modules/bwn_v4_lp_ucode.ko
#0  0xffffffff805cc90a in kproc_shutdown (arg=0x0, howto=Variable "howto" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:639
639             printf("Waiting (max %d seconds) for system process `%s' to stop...",
(kgdb) bt
#0  0xffffffff805cc90a in kproc_shutdown (arg=0x0, howto=Variable "howto" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:639
#1  0xffffffff805cce37 in kern_reboot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:216
#2  0xffffffff805cd2c1 in panic (fmt=0x1 ) at /usr/src/sys/kern/kern_shutdown.c:555
#3  0xffffffff808c7586 in user_ldt_free (td=0xffffff800021a300) at cpufunc.h:524
#4  0xffffffff808b24dd in Xtss () at /usr/src/sys/amd64/amd64/exception.S:151
#5  0xffffffff80615f54 in db_witness_list_all (addr=-2137114768, have_addr=1, count=-2137114768, modif=0x1 ) at /usr/src/sys/kern/subr_witness.c:2352
Previous frame inner to this frame (corrupt stack?)
========================================================

On Fri, Nov 26, 2010 at 1:49 PM, Ivan Klymenko wrote:
> On Fri, 26 Nov 2010 12:26:39 +0200
> Ivan Klymenko writes:
>
>> Hello!
>> Rumor has it that this vulnerability applies to FreeBSD too, with
>> SOCK_SEQPACKET replaced by SOCK_DGRAM...
> and add:
>
> #include
> #include
> #include
> #include
> #include
> #include
> #include
> #include
>
>>
>> http://lkml.org/lkml/2010/11/25/8
>>
>> What do you think about this?
>>
>> Thank you!
> _______________________________________________
> freebsd-hackers@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
>

-- 
Sincerely yours, Dmitry V. Krivenok
e-mail: krivenok.dmitry@gmail.com
skype: krivenok_dmitry
jabber: krivenok_dmitry@jabber.ru
icq: 242-526-443