Date:      Thu, 27 Apr 2006 23:24:16 -0400
From:      Kris Kennaway <kris@obsecurity.org>
To:        current@FreeBSD.org
Cc:        phk@FreeBSD.org
Subject:   Use after free in devfs from new pts
Message-ID:  <20060428032415.GA77097@xor.obsecurity.org>

With memguard watching the DEVFS1 malloc type:

kern.pts.enable: 0 -> 1

running the pty stress2 test gives:

Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 06
fault virtual address   = 0xc9448070
fault code              = supervisor write, protection violation
instruction pointer     = 0x20:0xc050fb1a
stack pointer           = 0x28:0xf7cefa6c
frame pointer           = 0x28:0xf7cefa80
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 1159 (pty)
[thread pid 1159 tid 100212 ]
Stopped at      dev_relthread+0x33:     subl    $0x1,0x70(%ebx)
db> wh
Tracing pid 1159 tid 100212 td 0xccc5ad80
dev_relthread(c9448000,3,2000,ccc5ad80,c9448000) at dev_relthread+0x33
devfs_close(f7cefaec,c07607e6,3,3,ce23ca80) at devfs_close+0x3a6
VOP_CLOSE_APV(c0774ea0,f7cefaec,ccc5ad80,ccc5ad80,cc7b9000) at VOP_CLOSE_APV+0x94
vn_close(ce23ca80,3,ccb63b80,ccc5ad80,c106cc08) at vn_close+0xb0
vn_closefile(cce8fe10,ccc5ad80,f7cefbac,c051ab9d,cce8fe10) at vn_closefile+0xf0
devfs_close_f(cce8fe10,ccc5ad80,c0737913,876,cce8fe10) at devfs_close_f+0x19
fdrop_locked(cce8fe10,ccc5ad80,c0737913,861) at fdrop_locked+0xb9
fdrop(cce8fe10,ccc5ad80,cc483928,0,c0737913,872,cce8fe10,ccc5ad80,f7cefc0c,c051aade,0,ccc5ad80,c0737913,861,0,f7cefc40,c056d352,ccc9602c,ccc9602c,3f8,c0737913,f7cefc48,c05341e6,ccc9602c,1,c073a278,138) at fdrop+0x3c
closef(cce8fe10,ccc5ad80,c0737913,3f8,ccc5ad80) at closef+0x428
close(ccc5ad80,f7cefd04,4,445,ccc5ad80) at close+0x25b
syscall(3b,3b,3b,28050a1a,bfbfe880) at syscall+0x307
Xint0x80_syscall() at Xint0x80_syscall+0x1f
--- syscall (6, FreeBSD ELF32, close), eip = 0x28160a23, esp = 0xbfbfe81c, ebp = 0xbfbfea88 ---

Kris
