Date: Wed, 7 Jun 2006 01:31:00 +0400 (MSD)
From: Maxim Konovalov <maxim@macomnet.ru>
To: Kris Kennaway <kris@obsecurity.org>
Cc: andre@freebsd.org, net@freebsd.org
Subject: Re: Panic from osendmsg() (Re: panic: m_prepend: MH_ALIGN not PKTHDR mbuf)
Message-ID: <20060607011436.H23589@mp2.macomnet.net>
In-Reply-To: <20060605004132.GA39212@xor.obsecurity.org>
References: <20060524015826.GA54564@xor.obsecurity.org> <20060605004132.GA39212@xor.obsecurity.org>
Hi Kris,

On Sun, 4 Jun 2006, 20:41-0400, Kris Kennaway wrote:

> On Tue, May 23, 2006 at 09:58:26PM -0400, Kris Kennaway wrote:
> > I got this panic as a non-privileged user running the stress2 test
> > component that does random syscalls:
> >
> > panic: m_prepend: MH_ALIGN not PKTHDR mbuf
> > cpuid = 1
> > KDB: enter: panic
> > [thread pid 15370 tid 100536 ]
> > Stopped at kdb_enter+0x32: leave
> > db> wh
> > Tracing pid 15370 tid 100536 td 0xc5561000
> > kdb_enter(c073c6b2,1,c0741b31,eced5be0,c5561000) at kdb_enter+0x32
> > panic(c0741b31,c07199c6,2,0,e) at panic+0x1b1
> > m_prepend(c4dc0300,c,2,e,eced5c58) at m_prepend+0xd8
> > sendit(eced5c58,7cd3a4b7,eced5c54,28,c4beb1a0) at sendit+0x1a4
> > osendmsg(c5561000,eced5d04,c,445,3) at osendmsg+0x89
>
> Anyone looking at this? It seems that the osendmsg() compatibility
> syscall can be easily used to cause this panic.

It panics at the KASSERT which appeared in rev. 1.181 of mbuf.h:

% revision 1.181
% date: 2005/11/18 14:40:43; author: andre; state: Exp; lines: +8 -0
% Add KASSERTs to M_ALIGN() and MH_ALIGN() to prevent usage on wrong
% mbuf types.
%
% Sponsored by: TCP/IP Optimization Fundraise 2005

COMPAT_OLDSOCK code in sendit() tries to prepend a control data mbuf to the sockargs mbuf, which is !M_PKTHDR and could be !M_EXT. There are two options:

1. Back out the KASSERTs.
2. Fix m_prepend() so it won't call MH_ALIGN for an mbuf without the M_PKTHDR/M_EXT stuff.

I think this is a reasonable w/o and shouldn't break anything (it passed my tests at least):

Index: uipc_mbuf.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/uipc_mbuf.c,v
retrieving revision 1.165
diff -u -p -r1.165 uipc_mbuf.c
--- uipc_mbuf.c 15 Mar 2006 21:11:11 -0000 1.165
+++ uipc_mbuf.c 6 Jun 2006 21:09:57 -0000
@@ -496,7 +496,7 @@ m_prepend(struct mbuf *m, int len, int h M_MOVE_PKTHDR(mn, m); mn->m_next = m; m = mn; - if (len < MHLEN) + if (m->m_flags & M_PKTHDR && len < MHLEN) MH_ALIGN(m, len); m->m_len = len; return (m); %%% I CC'ed Andre. -- Maxim Konovalov
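Review bot: the new condition `m->m_flags & M_PKTHDR && len < MHLEN` parses as intended in C (`&` binds tighter than `&&`), but write it as `(m->m_flags & M_PKTHDR) && len < MHLEN` so the bitwise test does not need a second look when the hunk is read next to the surrounding code. The more substantive point is that when the flag is clear the patch now skips alignment entirely: the assertion the panic trips on is only the PKTHDR check inside MH_ALIGN, so a non-header mbuf could still get its data placed at the end of the buffer with the plain M_ALIGN(m, len) (bounded by MLEN rather than MHLEN) in an else branch, which keeps the room at the front of the chain that later prepends rely on instead of silently changing the layout for the COMPAT_OLDSOCK path. Note that M_MOVE_PKTHDR(mn, m) in the context just above has already moved the packet-header flag onto mn before `m = mn`, so testing m->m_flags at this point does reflect the original mbuf's type, which is what the fix needs.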
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060607011436.H23589>