Date:      Mon, 19 Feb 2001 11:34:40 -0800 (PST)
From:      mm@omnix.net
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/25206: Kernel Panic
Message-ID:  <200102191934.f1JJYew70666@freefall.freebsd.org>


>Number:         25206
>Category:       kern
>Synopsis:       Kernel Panic
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 19 11:40:01 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     Meadele Mathieu
>Release:        FreeBSD-4.2-Stable
>Organization:
-
>Environment:
FreeBSD PAF 4.2-RELEASE FreeBSD 4.2-RELEASE #9:
Wed Feb  7 22:01:11 CET 2001     
root@PAF:/usr/src/sys/compile/PAF  i386
>Description:
By default, /dev/ttyp* have perms set to 0666 until someone logs in
remotely; in that case the user's ttyp is chmod'ed to 0600 and chown'ed
to this user.
If no one is remotely logged in, the next ttyp associated with telnet or
ssh, for example, will be ttyp1.
My box crashes if a local user opens the next /dev/ttyp normally used
for a remote connection:

luser@PAF$ w
 8:37PM  up 32 mins, 2 users, load averages: 0.41, 0.17, 0.14
 USER             TTY      FROM              LOGIN@  IDLE WHAT
 luser            v0       -                 8:08PM     -  w
luser@PAF$ tail -f /dev/ttyp1

Now ruser is going to connect to my box:
ruser@NOWHERE$ telnet PAF
Connection closed by foreign host.

luser@PAF$
 
 Fatal trap 12 = Page Fault while in kernel mode
 Fault virtual address = 0x88
 Fault code = supervisor read, page not present
 Instruction pointer = 0x8:0xc0167c1b
 Stack pointer = 0x10:0xd11f2ecc
 Frame pointer = 0x10:0xd11f2ed0
 Code segment = base 0x0, limit 0xfffff, type 0x1b
              = DLP 0, pres 1, def32 1, gran 1
 Processor eflags = interrupt enabled, resume, IO PL=0
 Current process = 257(tail)
 Interrupt mask = net tty bio cam
 trap number = 12
 panic = page fault

 syncing disk: 13 13 13 [...] 13 13
 giving up on 13 buffers

 uptime 32m36s
 Automatic reboot in 15 seconds...




Do you have this problem on your box?
It seems that a malicious local user can easily cause a denial 
of service like this.
>How-To-Repeat:
luser@A$ tail -f /dev/ttypx   (where ttypx is the next ttyp associated
                               with a remote connection)

ruser@B$ telnet A

-->machine A crashes

>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:


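A defender-side check for the precondition the report describes (pty slave nodes left world-accessible while no login session owns them), as an added example that is not part of the original report. The function name `audit_ptys` and the `idle` / `IN-USE` labels are assumptions; the function reads permission bits only and never opens the devices.

```shell
#!/bin/sh
# Added example: audit pty slave nodes for "other" read/write permission.
#
# audit_ptys DIR ACTIVE_TTYS
#   DIR          directory holding the nodes (normally /dev)
#   ACTIVE_TTYS  newline- or space-separated tty names that currently
#                belong to a login session
#
# Prints one line per ttyp* node whose mode grants read or write to "other":
#   <name> world-accessible idle     no session owns it (the state the
#                                    report says is the default)
#   <name> world-accessible IN-USE   a session owns it but the mode was
#                                    never tightened to 0600
audit_ptys() {
    dir=$1
    # Pad the list with spaces so whole-word matching works in `case`.
    active=" $(printf '%s' "$2" | tr '\n' ' ') "

    # -perm -004 / -perm -002: the "other" read or write bit is set.
    find "$dir" -name 'ttyp*' \( -perm -004 -o -perm -002 \) -print |
    sort |
    while IFS= read -r node; do
        name=${node##*/}
        case $active in
            *" $name "*) echo "$name world-accessible IN-USE" ;;
            *)           echo "$name world-accessible idle" ;;
        esac
    done
}

# Typical call on a live system (assumes the tty name is column 2 of who(1)):
#   audit_ptys /dev "$(who | awk '{print $2}')"
```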



