Date: Mon, 04 May 2020 17:43:29 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 246182] Kernel panic with sendfile() on ext2fs mounted filesystems
Message-ID: <bug-246182-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=246182

            Bug ID: 246182
           Summary: Kernel panic with sendfile() on ext2fs mounted filesystems
           Product: Base System
           Version: 12.1-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: sega01@go-beyond.org

sendfile() with ext2fs can cause a kernel panic. Tested on 12.1-RELEASE with
x86_64 and ARMv7.

Steps:
1. Mount a filesystem with ext2fs.
2. open() a file under the mount point. Bigger files seem to work best, like
   1GiB or so.
3. sendfile() that file descriptor to the socket of your choice (127.0.0.1 on
   some listening port that won't disconnect is fine, like
   nc -l 1234 > /dev/null).

It seems to be kind of random for when the kernel panics, but it happens
inevitably. I've had it take anywhere from a second to maybe 10-20. Data speed
seems to have an effect, but maybe it's just the total amount transferred. I'm
not sure.

A web server like nginx that gives access to files mounted with ext2fs can
trigger this if it's set up to use sendfile (I think most are). Or any user
with access to an ext2fs mounted partition can trigger it. Does not have to be
run as root.

I don't know if this can be skillfully exploited to give something more
interesting than a kernel panic or not.

Sample code to help with testing:

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <fcntl.h>

char *self;
#define destinationPort 1234

int main(int argc, char **argv) {
    self = argv[0];

    if (argc != 2) {
        fprintf(stderr, "Usage: %s <file>\n", self);
        return(2);
    }

    /* Source file; for this report it lives on an ext2fs mount. */
    int srcfp = open(argv[1], O_RDONLY);
    if (srcfp < 0) {
        perror("open");
        return(1);
    }

    int destinationSocket;
    if ((destinationSocket = socket(PF_INET, SOCK_STREAM, 0)) < 0) {
        perror("socket");
        return(1);
    }

    /* Connect to the local listener (e.g. nc -l 1234 > /dev/null). */
    struct sockaddr_in sa;
    bzero(&sa, sizeof(sa));
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(destinationPort);

    if (connect(destinationSocket, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
        perror("connect");
        return(1);
    }

    /* offset 0, nbytes 0: send from the start of the file until EOF. */
    if (sendfile(srcfp, destinationSocket, 0, 0, NULL, 0, 0) != 0) {
        perror("sendfile");
        return(1);
    }

    close(srcfp);
    close(destinationSocket);

    return(0);
}

-- 
You are receiving this mail because:
You are the assignee for the bug.
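
The report says nginx can hit this panic when it serves files from an ext2fs mount with sendfile enabled. As an added example (not part of the original report or of FreeBSD's code), this sh script flags that combination from `mount -p` output and an nginx configuration. The function names and sample data are constructed, and the config parsing is a line-based approximation that assumes one directive per line and treats any `sendfile on;` as global.

```shell
# Added example (not from the original report): nginx paths on ext2fs + sendfile.

# Mount points of type ext2fs, from fstab(5)-format text on stdin
# (on FreeBSD: mount -p | ext2fs_mounts).
ext2fs_mounts() {
    awk '$1 !~ /^#/ && $3 == "ext2fs" { print $2 }'
}

# "on" if any uncommented "sendfile on;" directive appears on stdin, else "off".
sendfile_state() {
    awk '{ sub(/#.*/, "") }
         $1 == "sendfile" && $2 ~ /^on;?$/ { on = 1 }
         END { print (on ? "on" : "off") }'
}

# Paths named by root/alias directives on stdin (one directive per line).
served_paths() {
    awk '{ sub(/#.*/, "") }
         $1 == "root" || $1 == "alias" { gsub(/[;"]/, "", $2); print $2 }'
}

# path_under MOUNT PATH: true if PATH is MOUNT itself or lies below it.
path_under() {
    case "${2%/}/" in "${1%/}/"*) return 0 ;; esac
    return 1
}

# audit MOUNT_TEXT NGINX_CONF_TEXT: print one line per exposed path.
audit() {
    [ "$(printf '%s\n' "$2" | sendfile_state)" = on ] || return 0
    mounts=$(printf '%s\n' "$1" | ext2fs_mounts)
    printf '%s\n' "$2" | served_paths | while read -r path; do
        for m in $mounts; do
            if path_under "$m" "$path"; then
                echo "$path is served with sendfile from ext2fs mount $m"
            fi
        done
    done
}

# Constructed sample input, not taken from any real host.
SAMPLE_MOUNTS='/dev/ada0p2 / ufs rw 1 1
/dev/da0s1 /mnt/media ext2fs rw 0 0'
SAMPLE_CONF='http {
    sendfile on;
    server {
        root /mnt/media/www;
    } }'
audit "$SAMPLE_MOUNTS" "$SAMPLE_CONF"
```

On a live host, call it as `audit "$(mount -p)" "$(cat /path/to/nginx.conf)"`; setting `sendfile off;` for the flagged locations keeps nginx off the sendfile() path for those files.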