From owner-freebsd-bugs@FreeBSD.ORG Wed Mar 17 10:40:14 2004
Date: Wed, 17 Mar 2004 10:40:14 -0800 (PST)
Message-Id: <200403171840.i2HIeEd2032169@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Dmitry Morozovsky
Subject: Re: kern/64345: 4.x IPFW2 kernel memory leak (IPFW2+rote flaps+verrevpath) (fwd)
Reply-To: Dmitry Morozovsky

The following reply was made to PR kern/64345; it has been noted by GNATS.

From: Dmitry Morozovsky
To: bug-followup@freebsd.org
Subject: Re: kern/64345: 4.x IPFW2 kernel memory leak (IPFW2+rote flaps+verrevpath) (fwd)
Date: Wed, 17 Mar 2004 21:32:18 +0300 (MSK)

Forwarding misfiled message to audit-trail:

Sincerely,
D.Marck [DM5020, MCK-RIPE, DM3-RIPN]
------------------------------------------------------------------------
*** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck@rinet.ru ***
------------------------------------------------------------------------

---------- Forwarded message ----------
Date: Wed, 17 Mar 2004 17:16:13 +0300 (MSK)
From: Oleg Bulyzhin
To: Dmitry Morozovsky
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: 4.x IPFW2 kernel memory leak (IPFW2+rote flaps+verrevpath)

In order to reproduce the problem, do the following:

    ifconfig fxp0 10.0.0.1/24
    ipfw add 1 count verrevpath in
    while (true); do
        ping -c 2 -i 0.01 -S 10.0.0.1 localhost >/dev/null
        ping -c 2 -i 0.01 -S 127.0.0.1 localhost >/dev/null
        route delete 10.0.0.1 >/dev/null
        # last line of routing statistics, then routetbl memory usage
        netstat -rs | tail -1
        vmstat -m | grep routetbl | tail -1
    done

and look at the numbers. If you run this script long enough (depends on your
kernel memory size) you will get a panic like this:

    panic: kmem_malloc(4096): kmem_map too small: 33554432 total allocated

This happens because verify_rev_path() calls rtalloc_ign() (for routes that
are not cached), which increments rt_refcnt for the corresponding rtentry
structure. This leads to always 'held' routes, which cannot be released by
rtfree() (because their rt_refcnt will never hit zero).

P.S. This bug is remotely exploitable (at least if the attacker is in your LAN).

--
Oleg.

================================================================
=== Oleg Bulyzhin -- OBUL-RIPN -- OBUL-RIPE -- oleg@rinet.ru ===
================================================================
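
The reference-count leak described in the forwarded message, as a simplified userland model in C. This is an added example, not FreeBSD kernel code and not part of the original message. The `model_*` functions, the one-slot table, the static pool and `leaked_after()` are hypothetical names, and the `release_ref` variant assumes the remedy is to drop the lookup's reference once the check is done.

```c
#include <stdio.h>
#include <stdlib.h>
/* Toy stand-in for the kernel's struct rtentry: only the reference count. */
struct rtentry { int rt_refcnt; };
#define POOL 4096
static struct rtentry pool[POOL];   /* static pool: the model leaks no real heap */
static int next_free, live_routes;  /* live_routes: entries not yet released */
static struct rtentry *table;       /* one-slot "routing table" (model only) */

/* Lookup: create the route if it is not cached, return it with a reference
 * held for the caller, as rtalloc_ign() is described in the message. */
static struct rtentry *model_rtalloc(void) {
    if (table == NULL) {
        if (next_free == POOL) abort();  /* model limit reached */
        table = &pool[next_free++];
        table->rt_refcnt = 1;            /* reference owned by the table */
        live_routes++;
    }
    table->rt_refcnt++;                  /* reference owned by the caller */
    return table;
}

/* Drop one reference; the entry is released only when the count hits zero. */
static void model_rtfree(struct rtentry *rt) {
    if (--rt->rt_refcnt == 0) live_routes--;
}

/* "route delete": unlink the entry and drop the table's reference. */
static void model_route_delete(void) {
    struct rtentry *rt = table;
    if (rt != NULL) { table = NULL; model_rtfree(rt); }
}

/* Reverse-path check; release_ref = 0 models the leak, 1 the assumed fix. */
static void model_verify_rev_path(int release_ref) {
    struct rtentry *rt = model_rtalloc();  /* interface comparison omitted */
    if (release_ref) model_rtfree(rt);
}

/* Run `flaps` rounds of packet check + route delete; return entries held. */
int leaked_after(int flaps, int release_ref) {
    next_free = 0; live_routes = 0; table = NULL;
    for (int i = 0; i < flaps; i++) {
        model_verify_rev_path(release_ref);
        model_route_delete();
    }
    return live_routes;
}

int main(void) {
    printf("leaky: %d held, fixed: %d held\n", leaked_after(1000, 0), leaked_after(1000, 1));
    return 0;
}
```

In the leaky variant every check/delete round strands one entry with `rt_refcnt` stuck at 1, which is the growth the `vmstat -m | grep routetbl` line in the reproduction loop makes visible.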