Delivered-To: freebsd-hackers@freebsd.org
From: "Michael Scheidell"
Subject: userland program panics freebsd 4.3
Date: Tue, 18 Dec 2001 15:29:17 -0500
Organization: Secnap Network Security, LLC.

I have a userland program that can panic/reboot a FreeBSD 4.3 system.

Hardware is Intel isp1100 (mbx440 motherboard), 850MHz PIII, 256MB RAM, 640MB swapfile.

Software is 'nessusd' (network security scanner); it hits the ethernet port pretty hard when running.

If I read the dumpdev right, it is crashing in the vm section of the kernel, referencing a structure that is not within kernel space? (sp)

Enabled ulimits (as per suggestion in comp.os.group):

  cputime           infinity secs
  filesize          131072 kb
  datasize-cur      65536 kb
  stacksize-cur     32768 kb
  coredumpsize-cur  0 kb
  memoryuse-cur     65536 kb
  memorylocked-cur  65536 kb
  maxprocesses      64
  openfiles         128
  sbsize            infinity bytes

Never hits these (at least, no log entries). top shows it doesn't even hit the swap file (note: it crashes with and without snort running, for those who know snort):

last pid: 27785;  load averages:  0.46,  0.36,  0.25   up 0+03:28:26  14:13:58
33 processes:  3 running, 30 sleeping
CPU states: 23.3% user,  0.0% nice,  4.7% system,  1.6% interrupt, 70.5% idle
Mem: 42M Active, 157M Inact, 24M Wired, 14M Cache, 35M Buf, 13M Free
Swap: 640M Total, 640M Free

  PID USERNAME PRI NICE   SIZE    RES STATE    TIME   WCPU    CPU COMMAND
  317 root       4    0  9940K  9508K bpf     16:58 11.52% 11.52% snort
  322 root       4    0  9368K  8968K bpf     11:18  6.88%  6.88% snort
27343 root      10    0  5148K  4800K RUN      0:03  0.15%  0.15% nessusd
24346 root      10    0  4960K  4604K RUN      0:37  0.00%  0.00% nessusd
24566 root      28    0  1888K  1108K RUN      0:07  0.00%  0.00% top
  165 root       2    0   932K   512K select   0:07  0.00%  0.00% syslogd
14859 root       2    0  2240K  1748K select   0:03  0.00%  0.00% sshd
  262 root      10    0  4072K  3692K nanslp   0:02  0.00%  0.00% perl
  173 root       2  -12  1256K   912K select   0:01  0.00%  0.00% ntpd
  330 root       2    0  5692K  5168K select   0:00  0.00%  0.00% perl
  255 root       2    0  7208K  4780K select   0:00  0.00%  0.00% httpd
  299 mysql      2    0 26168K  5280K poll     0:00  0.00%  0.00% mysqld
27353 root       2    0  2280K  1792K select   0:00  0.00%  0.00% sshd
25728 root       2    0  2240K  1756K select   0:00  0.00%  0.00% sshd
  231 root      10    0  3380K  2904K nanslp   0:00  0.00%  0.00% perl
14887 root      18    0  1324K   944K pause    0:00  0.00%  0.00% csh
27363 root       3    0  1328K   960K ttyin    0:00  0.00%  0.00% csh

Enabled dumpdev and compiled kernel with -g.

panicstr: page fault
panic messages:
---
Fatal trap 12: page fault while in kernel mode
stray irq 7
fault virtual address   = 0x8
fault code              = supervisor read, page not present
instruction pointer     = 0x8:0xc01625d5
stack pointer           = 0x10:0xd2110e1c
frame pointer           = 0x10:0xd2110f2c
stray irq 7
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 27343 (nessusd)
interrupt mask          = none
stray irq 7
trap number             = 12
stray irq 7
panic: page fault

syncing disks... 7 1 done
Uptime: 3h27m57s

dumping to dev #ad/0x20001, offset 786944
dump ata0: resetting devices .. done

(kgdb) where
#0  dumpsys () at ../../kern/kern_shutdown.c:469
#1  0xc0134643 in boot (howto=256) at ../../kern/kern_shutdown.c:309
#2  0xc01349c0 in poweroff_wait (junk=0xc020454f, howto=-791358464) at ../../kern/kern_shutdown.c:556
#3  0xc01d8b11 in trap_fatal (frame=0xd2110ddc, eva=8) at ../../i386/i386/trap.c:951
#4  0xc01d87e9 in trap_pfault (frame=0xd2110ddc, usermode=0, eva=8) at ../../i386/i386/trap.c:844
#5  0xc01d83cf in trap (frame={tf_fs = 16, tf_es = 16, tf_ds = 16, tf_edi = -791358464, tf_esi = 72, tf_ebp = -770633940, tf_isp = -770634232, tf_ebx = 0, tf_edx = -1047781184, tf_ecx = -1071582376, tf_eax = -769392960, tf_trapno = 12, tf_err = 0, tf_eip = -1072290347, tf_cs = 8, tf_eflags = 66118, tf_esp = -791358464, tf_ss = 2}) at ../../i386/i386/trap.c:443
#6  0xc01625d5 in fstatfs (p=0xd0d4d400, uap=0xd2110f80) at ../../kern/vfs_syscalls.c:681
#7  0xc01d8dbd in syscall2 (frame={tf_fs = 134610991, tf_es = 47, tf_ds = -1078001617, tf_edi = 134647524, tf_esi = 9, tf_ebp = -1077939040, tf_isp = -770633772, tf_ebx = 672247464, tf_edx = 3, tf_ecx = 672320104, tf_eax = 158, tf_trapno = 7, tf_err = 2, tf_eip = 671957244, tf_cs = 31, tf_eflags = 663, tf_esp = -1077939468, tf_ss = 47}) at ../../i386/i386/trap.c:1150
#8  0xc01cdb45 in Xint0x80_syscall ()
(kgdb) up 5
#5  0xc01d83cf in trap (frame={tf_fs = 16, tf_es = 16, tf_ds = 16, tf_edi = -791358464, tf_esi = 72, tf_ebp = -770633940, tf_isp = -770634232, tf_ebx = 0, tf_edx = -1047781184, tf_ecx = -1071582376, tf_eax = -769392960, tf_trapno = 12, tf_err = 0, tf_eip = -1072290347, tf_cs = 8, tf_eflags = 66118, tf_esp = -791358464, tf_ss = 2}) at ../../i386/i386/trap.c:443
443                     (void) trap_pfault(&frame, FALSE, eva);
(kgdb) frame frame->tf_ebp frame->tf_eip
#0  fstatfs (p=0xd0d4d400, uap=0xd2110f80) at ../../kern/vfs_syscalls.c:682
682             error = VFS_STATFS(mp, sp, p);
(kgdb) list
677
678             if ((error = getvnode(p->p_fd, SCARG(uap, fd), &fp)) != 0)
679                     return (error);
680             mp = ((struct vnode *)fp->f_data)->v_mount;
681             sp = &mp->mnt_stat;
682             error = VFS_STATFS(mp, sp, p);
683             if (error)
684                     return (error);
685             sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK;
686             if (suser_xxx(p->p_ucred, 0, 0)) {
(kgdb) print mp->mnt_stat
$2 = {f_spare2 = 671786274, f_bsize = 671786290, f_iosize = 671786306, f_blocks = 672132720,
  f_bfree = 671786338, f_bavail = 671786354, f_files = 671786370, f_ffree = 671786386,
  f_fsid = {val = {671786402, 671786418}}, f_owner = 671786434, f_type = 672043168,
  f_flags = 671786466, f_syncwrites = 671786482, f_asyncwrites = 671786498,
  f_fstypename = "Hy\017(\"¦\n(2¦\n(B¦\n(",
  f_mntonname = "R¦\n(b¦\n(r¦\n(\\ð\016(\f\t\021(\bê\020(ü\217\016(¦\n(Ò¦\n(\230x\017(\224D \r(\002§\n(\022§\n(\"§\n(2§\n(B§\n(R§\n(b§\n(\220\020\021(\202§\n(",
  f_syncreads = 671786898, f_asyncreads = 671786914, f_spares1 = -22606,
  f_mntfromname = "\n(§\n(p\200\017(â§\n(ò§\n(\002¨\n(\022¨\n(\"¨\n(2¨\n(B¨\n(R¨\n(H?\020(r¨\n(\202¨\n(\222¨\n(¢¨\n(²¨\n(¨\n(Ò¨\n(°ë\020(ò¨",
  f_spares2 = 10250, f_spare = {671787266, 671787282}}
(kgdb) print sp->f_flags
Cannot access memory at address 0x39.
(kgdb) print mp
$6 = (struct mount *) 0x2811aea8
(kgdb) print p
$7 = (struct proc *) 0x8068ee4
(kgdb) print mp
(kgdb) print sp
$9 = (struct statfs *) 0x9

--
Michael Scheidell
Secnap Network Security, LLC
scheidell@secnap.net 1+(561) 368-9561
See updated IT Security News at http://www.fdma.com/
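Added example (not from the post and not FreeBSD code): a small triage parser for the "Fatal trap" console block above that pulls out the fault address, EIP and current process, and says whether the faulting address is a null-page offset, a user-space address or a kernel address. It assumes the i386 FreeBSD 4.x split of user addresses below KERNBASE (0xc0000000) and 4 KiB pages; the trap text it parses is a trimmed copy of the one in the post.

```python
import re
# Assumed i386 FreeBSD 4.x layout: user addresses below KERNBASE, 4 KiB pages.
KERNBASE = 0xC0000000
PAGE_SIZE = 4096

# Trimmed copy of the "Fatal trap 12" block from the post above, keeping the
# interleaved "stray irq 7" and "= DPL ..." lines the parser must skip.
TRAP_TEXT = """\
Fatal trap 12: page fault while in kernel mode
stray irq 7
fault virtual address   = 0x8
instruction pointer     = 0x8:0xc01625d5
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
current process         = 27343 (nessusd)
panic: page fault
"""

_KV = re.compile(r"^\s*([a-z][a-z ]*?)\s*=\s*(.+?)\s*$")   # "key = value"
_SEGOFF = re.compile(r"^0x[0-9a-f]+:(0x[0-9a-f]+)$")        # "0x8:0xc01625d5"
_PROC = re.compile(r"^(\d+)\s+\((.+)\)$")                    # "27343 (nessusd)"

def classify_address(addr):
    # Where a faulting address lives on i386 FreeBSD 4.x.
    if addr < PAGE_SIZE:
        return "null-page offset"     # NULL pointer plus a small struct offset
    if addr < KERNBASE:
        return "user-space address"   # kernel followed a pointer into user memory
    return "kernel address"

def parse_trap(text):
    """Parse a 'Fatal trap' console block into a dict; noise lines are ignored."""
    info = {}
    for line in text.splitlines():
        kv = _KV.match(line)
        if not kv:            # "stray irq 7", "panic: ...", "= DPL 0, ..." have no key
            continue
        key, val = kv.groups()
        if key == "fault virtual address":
            info["fault_addr"] = int(val, 16)
            info["fault_kind"] = classify_address(info["fault_addr"])
        elif key == "instruction pointer":
            seg = _SEGOFF.match(val)
            info["eip"] = int(seg.group(1), 16) if seg else None
        elif key == "current process":
            proc = _PROC.match(val)
            if proc:
                info["pid"], info["comm"] = int(proc.group(1)), proc.group(2)
    return info
```

Run over the other pointers in the kgdb session, classify_address() puts mp (0x2811aea8) in user space and sp (0x9) on the null page.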