Date: Tue, 18 Dec 2001 15:29:17 -0500
From: "Michael Scheidell" <scheidell@secnap.net>
To: <freebsd-hackers@freebsd.org>
Subject: userland program panics freebsd 4.3
Message-ID: <002301c18802$ab06b460$2801010a@MIKELT>
I have a userland program that can panic/reboot a FreeBSD 4.3 system.
Hardware is Intel isp1100 (mbx440 motherboard) 850MHZ pIII, 256mb ram, 640mb swapfile.
Software is 'nessusd' (network security scanner); it hits the ethernet port pretty hard when running.
If I read the dumpdev right, it is crashing in the vm section of the kernel, referencing a structure that is not within kernel space?
(sp)
enabled ulimits (as per suggestion in comp.os.group)
cputime infinity secs
filesize 131072 kb
datasize-cur 65536 kb
stacksize-cur 32768 kb
coredumpsize-cur 0 kb
memoryuse-cur 65536 kb
memorylocked-cur 65536 kb
maxprocesses 64
openfiles 128
sbsize infinity bytes
It never hits these (at least, there are no log entries).
top shows it doesn't even hit the swap file (note: it crashes with and without snort running, for those who know snort):
last pid: 27785; load averages: 0.46, 0.36, 0.25 up 0+03:28:26 14:13:58
33 processes: 3 running, 30 sleeping
CPU states: 23.3% user, 0.0% nice, 4.7% system, 1.6% interrupt, 70.5% idle
Mem: 42M Active, 157M Inact, 24M Wired, 14M Cache, 35M Buf, 13M Free
Swap: 640M Total, 640M Free
PID USERNAME PRI NICE SIZE RES STATE TIME WCPU CPU COMMAND
317 root 4 0 9940K 9508K bpf 16:58 11.52% 11.52% snort
322 root 4 0 9368K 8968K bpf 11:18 6.88% 6.88% snort
27343 root 10 0 5148K 4800K RUN 0:03 0.15% 0.15% nessusd
24346 root 10 0 4960K 4604K RUN 0:37 0.00% 0.00% nessusd
24566 root 28 0 1888K 1108K RUN 0:07 0.00% 0.00% top
165 root 2 0 932K 512K select 0:07 0.00% 0.00% syslogd
14859 root 2 0 2240K 1748K select 0:03 0.00% 0.00% sshd
262 root 10 0 4072K 3692K nanslp 0:02 0.00% 0.00% perl
173 root 2 -12 1256K 912K select 0:01 0.00% 0.00% ntpd
330 root 2 0 5692K 5168K select 0:00 0.00% 0.00% perl
255 root 2 0 7208K 4780K select 0:00 0.00% 0.00% httpd
299 mysql 2 0 26168K 5280K poll 0:00 0.00% 0.00% mysqld
27353 root 2 0 2280K 1792K select 0:00 0.00% 0.00% sshd
25728 root 2 0 2240K 1756K select 0:00 0.00% 0.00% sshd
231 root 10 0 3380K 2904K nanslp 0:00 0.00% 0.00% perl
14887 root 18 0 1324K 944K pause 0:00 0.00% 0.00% csh
27363 root 3 0 1328K 960K ttyin 0:00 0.00% 0.00% csh
enabled dumpdev and compiled kernel with -g
panicstr: page fault
panic messages:
---
Fatal trap 12: page fault while in kernel mode
stray irq 7
fault virtual address = 0x8
fault code = supervisor read, page not present
instruction pointer = 0x8:0xc01625d5
stack pointer = 0x10:0xd2110e1c
frame pointer = 0x10:0xd2110f2c
stray irq 7
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 27343 (nessusd)
interrupt mask = none
stray irq 7
trap number = 12
stray irq 7
panic: page fault
syncing disks... 7 1
done
Uptime: 3h27m57s
dumping to dev #ad/0x20001, offset 786944
dump ata0: resetting devices .. done
where
#0 dumpsys () at ../../kern/kern_shutdown.c:469
#1 0xc0134643 in boot (howto=256) at ../../kern/kern_shutdown.c:309
#2 0xc01349c0 in poweroff_wait (junk=0xc020454f, howto=-791358464)
at ../../kern/kern_shutdown.c:556
#3 0xc01d8b11 in trap_fatal (frame=0xd2110ddc, eva=8)
at ../../i386/i386/trap.c:951
#4 0xc01d87e9 in trap_pfault (frame=0xd2110ddc, usermode=0, eva=8)
at ../../i386/i386/trap.c:844
#5 0xc01d83cf in trap (frame={tf_fs = 16, tf_es = 16, tf_ds = 16,
tf_edi = -791358464, tf_esi = 72, tf_ebp = -770633940,
tf_isp = -770634232, tf_ebx = 0, tf_edx = -1047781184,
tf_ecx = -1071582376, tf_eax = -769392960, tf_trapno = 12, tf_err = 0,
tf_eip = -1072290347, tf_cs = 8, tf_eflags = 66118, tf_esp = -791358464,
tf_ss = 2}) at ../../i386/i386/trap.c:443
#6 0xc01625d5 in fstatfs (p=0xd0d4d400, uap=0xd2110f80)
at ../../kern/vfs_syscalls.c:681
#7 0xc01d8dbd in syscall2 (frame={tf_fs = 134610991, tf_es = 47,
tf_ds = -1078001617, tf_edi = 134647524, tf_esi = 9,
tf_ebp = -1077939040, tf_isp = -770633772, tf_ebx = 672247464,
tf_edx = 3, tf_ecx = 672320104, tf_eax = 158, tf_trapno = 7, tf_err = 2,
tf_eip = 671957244, tf_cs = 31, tf_eflags = 663, tf_esp = -1077939468,
tf_ss = 47}) at ../../i386/i386/trap.c:1150
#8 0xc01cdb45 in Xint0x80_syscall ()
up 5
#5 0xc01d83cf in trap (frame={tf_fs = 16, tf_es = 16, tf_ds = 16,
tf_edi = -791358464, tf_esi = 72, tf_ebp = -770633940,
tf_isp = -770634232, tf_ebx = 0, tf_edx = -1047781184,
tf_ecx = -1071582376, tf_eax = -769392960, tf_trapno = 12, tf_err = 0,
tf_eip = -1072290347, tf_cs = 8, tf_eflags = 66118, tf_esp = -791358464,
tf_ss = 2}) at ../../i386/i386/trap.c:443
443 (void) trap_pfault(&frame, FALSE, eva);
frame frame->tf_ebp frame->tf_eip
#0 fstatfs (p=0xd0d4d400, uap=0xd2110f80) at ../../kern/vfs_syscalls.c:682
682 error = VFS_STATFS(mp, sp, p);
list
677
678 if ((error = getvnode(p->p_fd, SCARG(uap, fd), &fp)) != 0)
679 return (error);
680 mp = ((struct vnode *)fp->f_data)->v_mount;
681 sp = &mp->mnt_stat;
682 error = VFS_STATFS(mp, sp, p);
683 if (error)
684 return (error);
685 sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK;
686 if (suser_xxx(p->p_ucred, 0, 0)) {
print mp->mnt_stat
$2 = {f_spare2 = 671786274, f_bsize = 671786290, f_iosize = 671786306,
f_blocks = 672132720, f_bfree = 671786338, f_bavail = 671786354,
f_files = 671786370, f_ffree = 671786386, f_fsid = {val = {671786402,
671786418}}, f_owner = 671786434, f_type = 672043168,
f_flags = 671786466, f_syncwrites = 671786482, f_asyncwrites = 671786498,
f_fstypename = "Hy\017(\"¦\n(2¦\n(B¦\n(",
f_mntonname = "R¦\n(b¦\n(r¦\n(\\ð\016(\f\t\021(\bê\020(ü\217\016(¦\n(Ò¦\n(\230x\017(\224D\r(\002§\n(\022§\n(\"§\n(2§\n(B§\n(R§\n(b§\n(\220\020\021(\202§\n(",
f_syncreads = 671786898, f_asyncreads = 671786914, f_spares1 = -22606,
f_mntfromname = "\n(§\n(p\200\017(â§\n(ò§\n(\002¨\n(\022¨\n(\"¨\n(2¨\n(B¨\n(R¨\n(H?\020(r¨\n(\202¨\n(\222¨\n(¢¨\n(²¨\n(¨\n(Ò¨\n(°ë\020(ò¨",
f_spares2 = 10250, f_spare = {671787266, 671787282}}
print sp->f_flags
Cannot access memory at address 0x39.
print mp
$6 = (struct mount *) 0x2811aea8
(kgdb) print p
$7 = (struct proc *) 0x8068ee4
(kgdb) print mp
(kgdb) print sp
$9 = (struct statfs *) 0x9
--
Michael Scheidell
Secnap Network Security, LLC
scheidell@secnap.net 1+(561) 368-9561
See updated IT Security News at http://www.fdma.com/
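An added example, not part of the original post or of FreeBSD itself, that does the arithmetic the analysis above relies on: kgdb prints trap-frame registers as signed decimals, so converting them to unsigned hex lets you match tf_eip and tf_ebp against the panic banner, and the same range check sorts every pointer the kernel was holding into kernel, user or near-null buckets. It assumes the i386 FreeBSD 4.x KERNBASE of 0xc0000000 and uses the report's own trap frame and kgdb print results as constructed input.

```python
import re

# Assumption: i386 FreeBSD 4.x maps the kernel at KERNBASE = 0xc0000000, so a pointer
# below that which the kernel dereferences is a user-space (or garbage) address.
KERNBASE = 0xC0000000
PAGE_SIZE = 0x1000
POINTER_REGS = ("tf_eax", "tf_ebx", "tf_ecx", "tf_edx", "tf_esi", "tf_edi",
                "tf_ebp", "tf_esp", "tf_isp", "tf_eip")

# Constructed input: trap frame #5 and the kgdb 'print' results quoted in the report.
TRAP_FRAME = """tf_edi = -791358464, tf_esi = 72, tf_ebp = -770633940,
tf_isp = -770634232, tf_ebx = 0, tf_edx = -1047781184,
tf_ecx = -1071582376, tf_eax = -769392960, tf_trapno = 12, tf_err = 0,
tf_eip = -1072290347, tf_cs = 8, tf_eflags = 66118, tf_esp = -791358464"""
KGDB_PRINTS = """$6 = (struct mount *) 0x2811aea8
$7 = (struct proc *) 0x8068ee4
$9 = (struct statfs *) 0x9"""

def to_u32(value: int) -> int:
    """kgdb prints trap-frame fields as signed ints; recover the unsigned 32-bit word."""
    return value & 0xFFFFFFFF

def classify(addr: int) -> str:
    """Bucket a 32-bit address the way the report does by eye."""
    if addr < PAGE_SIZE:
        return "null-page"  # small offset from NULL, like sp = 0x9
    return "kernel" if addr >= KERNBASE else "user"

def parse_frame(text: str) -> dict:
    """Turn 'tf_xxx = N' pairs from a kgdb frame dump into {name: unsigned value}."""
    return {n: to_u32(int(v)) for n, v in re.findall(r"(tf_\w+) = (-?\d+)", text)}

def parse_kgdb_pointers(text: str) -> dict:
    """Collect '(struct foo *) 0x...' print results into {struct name: address}."""
    return {n: int(a, 16) for n, a in re.findall(r"\(struct (\w+) \*\) (0x[0-9a-fA-F]+)", text)}

def audit_frame(frame: dict) -> dict:
    """Hex form plus bucket for each pointer-sized register, to match against the panic banner."""
    return {r: (f"0x{frame[r]:08x}", classify(frame[r])) for r in POINTER_REGS if r in frame}

def audit_pointers(pointers: dict) -> dict:
    """Bucket each struct pointer kgdb printed; fstatfs should only ever see kernel ones."""
    return {name: classify(addr) for name, addr in pointers.items()}

if __name__ == "__main__":
    for reg, (hexval, kind) in audit_frame(parse_frame(TRAP_FRAME)).items():
        print(f"{reg:7s} {hexval} {kind}")
    print(audit_pointers(parse_kgdb_pointers(KGDB_PRINTS)))
```

Run as-is it shows tf_eip recovering to 0xc01625d5 and tf_ebp to 0xd2110f2c, the instruction and frame pointers in the banner, while the mount and proc pointers kgdb printed inside fstatfs land in the user range and sp lands in the null page.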
