Message-Id: <200102191934.f1JJYew70666@freefall.freebsd.org>
Date: Mon, 19 Feb 2001 11:34:40 -0800 (PST)
From: mm@omnix.net
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/25206: Kernel Panic

>Number:         25206
>Category:       kern
>Synopsis:       Kernel Panic
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 19 11:40:01 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     Meadele Mathieu
>Release:        FreeBSD-4.2-Stable
>Organization:
-
>Environment:
FreeBSD PAF 4.2-RELEASE FreeBSD 4.2-RELEASE #9: Wed Feb 7 22:01:11 CET 2001 root@PAF:/usr/src/sys/compile/PAF i386

>Description:
By default, /dev/ttyp* have perms set to 0666 until someone remotely logs in;
in this case the user's ttyp is chmod'ed to 0600 and chown'ed to this user.
If no one is remotely logged in, the next ttyp associated with telnet or ssh,
for example, will be ttyp1.

My box crashed if a local user opens the next /dev/ttyp normally used for a
remote connection:

    luser@PAF$ w
    8:37PM up 32 mins, 2 users, load averages: 0.41, 0.17, 0.14
    USER TTY FROM LOGIN@ IDLE WHAT
    luser v0 - 8:08PM - w
    luser@PAF$ tail -f /dev/ttyp1

Now ruser is going to connect to my box:

    ruser@NOWHERE$ telnet PAF
    Connection closed by foreign host.

    luser@PAF$
    Fatal trap 12 = Page Fault while in kernel mode
    Fault virtual address = 0x88
    Fault code = supervisor read, page not present
    Instruction pointer = 0x8:0xc0167c1b
    Stack pointer = 0x10:0xd11f2ecc
    Frame pointer = 0x10:0xd11f2ed0
    Code segment = base 0x0, limit 0xfffff, type 0x1b
                 = DLP 0, pres 1, def32 1, gran 1
    Processor eflags = interrupt enabled, resume, IO PL=0
    Current process = 257(tail)
    Interrupt mask = net tty bio cam
    trap number = 12
    panic = page fault

    syncing disk: 13 13 13 [...] 13 13 giving up on 13 buffers
    uptime 32m36s
    Automatic reboot in 15 seconds...

Do you have this problem on your box?
It seems that a malicious local user can easily cause a denial of service
like this.

>How-To-Repeat:
    luser@A$ tail -f /dev/ttypx
    (where ttypx is the next ttyp associated with a remote connection)
    ruser@B$ telnet A
    -->machine A crashes

>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
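
Added example, not part of the original report: a Python check for the state the Description describes, that is, pty slave nodes that are still world-accessible and not assigned to a login session. The function names, the pty naming pattern and the sample `w` text are assumptions made for illustration.

```python
import os
import re
import stat

# Assumed BSD-style pty slave names (ttyp0..ttypv, ttyq*, ...); adjust as needed.
PTY_SLAVE = re.compile(r"^tty[pqrsPQRS][0-9a-v]$")


def ttys_in_use(w_output):
    """Return device names (e.g. 'ttyp1') taken from the TTY column of `w` output."""
    lines = w_output.strip().splitlines()
    # Skip the uptime line and the column header; `w` prints the name without 'tty'.
    rows = (ln.split() for ln in lines[2:])
    return {"tty" + cols[1] for cols in rows if len(cols) > 1}


def exposed_pty_slaves(dev_dir, in_use):
    """List idle pty slaves that any local user can open (other r/w bits set)."""
    findings = []
    for name in sorted(os.listdir(dev_dir)):
        if not PTY_SLAVE.match(name) or name in in_use:
            continue
        mode = stat.S_IMODE(os.stat(os.path.join(dev_dir, name)).st_mode)
        if mode & (stat.S_IROTH | stat.S_IWOTH):
            findings.append((name, oct(mode)))
    return findings


# Constructed sample, modelled on the `w` output quoted in the report.
SAMPLE_W = """\
 8:37PM  up 32 mins, 2 users, load averages: 0.41, 0.17, 0.14
USER     TTY      FROM      LOGIN@  IDLE WHAT
luser    v0       -         8:08PM     - w
"""

if __name__ == "__main__":
    for name, mode in exposed_pty_slaves("/dev", ttys_in_use(SAMPLE_W)):
        print(f"{name}: mode {mode}, idle and world-accessible")
```

On a live host, pass the real output of `w` instead of the sample text.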