From owner-freebsd-bugs@FreeBSD.ORG  Mon Feb 10 10:00:00 2014
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@smarthost.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id C1F6BDA5
 for <freebsd-bugs@smarthost.ysv.freebsd.org>;
 Mon, 10 Feb 2014 10:00:00 +0000 (UTC)
Received: from freefall.freebsd.org (freefall.freebsd.org
 [IPv6:2001:1900:2254:206c::16:87])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by mx1.freebsd.org (Postfix) with ESMTPS id 9B0841954
 for <freebsd-bugs@smarthost.ysv.freebsd.org>;
 Mon, 10 Feb 2014 10:00:00 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1])
 by freefall.freebsd.org (8.14.7/8.14.7) with ESMTP id s1AA00ZC056922
 for <freebsd-bugs@freefall.freebsd.org>; Mon, 10 Feb 2014 10:00:00 GMT
 (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
 by freefall.freebsd.org (8.14.8/8.14.8/Submit) id s1AA00kO056921;
 Mon, 10 Feb 2014 10:00:00 GMT (envelope-from gnats)
Resent-Date: Mon, 10 Feb 2014 10:00:00 GMT
Resent-Message-Id: <201402101000.s1AA00kO056921@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
 Tomasz CEDRO <cederom@tlen.pl>
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id C9513D98
 for <freebsd-gnats-submit@FreeBSD.org>; Mon, 10 Feb 2014 09:59:28 +0000 (UTC)
Received: from newred.freebsd.org (cgiserv.freebsd.org
 [IPv6:2001:1900:2254:206a::50:4])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mx1.freebsd.org (Postfix) with ESMTPS id B2AB4194B
 for <freebsd-gnats-submit@FreeBSD.org>; Mon, 10 Feb 2014 09:59:28 +0000 (UTC)
Received: from cgiserv.freebsd.org ([127.0.1.6])
 by newred.freebsd.org (8.14.7/8.14.7) with ESMTP id s1A9xRKq059140
 for <freebsd-gnats-submit@FreeBSD.org>; Mon, 10 Feb 2014 09:59:27 GMT
 (envelope-from nobody@cgiserv.freebsd.org)
Received: (from nobody@localhost)
 by cgiserv.freebsd.org (8.14.7/8.14.7/Submit) id s1A9xRvN059139;
 Mon, 10 Feb 2014 09:59:27 GMT (envelope-from nobody)
Message-Id: <201402100959.s1A9xRvN059139@cgiserv.freebsd.org>
Date: Mon, 10 Feb 2014 09:59:27 GMT
From: Tomasz CEDRO <cederom@tlen.pl>
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Subject: kern/186622: FreeBSD 10.0 AMD64 kernel panic in ifmedia_set() / usb /
 ethernet / vulnerability / remote
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs/>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Feb 2014 10:00:00 -0000


>Number:         186622
>Category:       kern
>Synopsis:       FreeBSD 10.0 AMD64 kernel panic in ifmedia_set() / usb / ethernet / vulnerability / remote
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 10 10:00:00 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator:     Tomasz CEDRO
>Release:        FreeBSD-10.0 AMD64
>Organization:
CeDeROM
>Environment:
# uname -a
FreeBSD mercury.rd.tp.pl 10.0-RELEASE FreeBSD 10.0-RELEASE #0 r260789: Thu Jan 16 22:34:59 UTC 2014     root@snap.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64

>Description:
After plugging USB Ethernet interface (Unitek USB2.0 Gigabit LAN) system crashed. After reboot it turned out that it was related with media status. This may allow to trigger such situation by USB device or maybe crafted packet in order to perform DoS and maybe remote code execution...

ugen1.5: <vendor 0x0b95> at usbus1
axe0: <vendor 0x0b95 product 0x1780, rev 2.00/0.01, addr 5> on usbus1
miibus0: <MII bus> on axe0
rgephy0: <RTL8169S/8110S/8211 1000BASE-T media interface> PHY 2 on miibus0
rgephy0:  no media present
ifmedia_set: no match for 0x0/0xeffffff
panic: ifmedia_set
cpuid = 1
KDB: stack backtrace:
#0 0xffffffff808e7dd0 at kdb_backtrace+0x60
#1 0xffffffff808af8b5 at panic+0x155
#2 0xffffffff8096fa7a at ifmedia_set+0x5a
#3 0xffffffff805b6e02 at rgephy_attach+0x172
#4 0xffffffff808df242 at device_attach+0x3a2
#5 0xffffffff808e031d at bus_generic_attach+0x2d
#6 0xffffffff805b30ad at miibus_attach+0xbd
#7 0xffffffff808df242 at device_attach+0x3a2
#8 0xffffffff808e031d at bus_generic_attach+0x2d
#9 0xffffffff805b2c85 at mii_attach+0x435
#10 0xffffffff81d8f4f6 at axe_attach_post_sub+0x116
#11 0xffffffff81d70217 at ue_attach_post_task+0xb7
#12 0xffffffff8075bc8f at usb_process+0x11f
#13 0xffffffff8088198a at fork_exit+0x9a
#14 0xffffffff80c758ce at fork_trampoline+0xe

>How-To-Repeat:
Plug in USB Ethernet interface, then plug in media cable into the interface.
>Fix:
Fix media handling..?

>Release-Note:
>Audit-Trail:
>Unformatted: