From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 246182] Kernel panic with sendfile() on ext2fs mounted filesystems
Date: Mon, 04 May 2020 17:43:29 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=246182

            Bug ID: 246182
           Summary: Kernel panic with sendfile() on ext2fs mounted filesystems
           Product: Base System
           Version: 12.1-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: sega01@go-beyond.org

sendfile() with ext2fs can cause a kernel panic. Tested on 12.1-RELEASE with
x86_64 and ARMv7.

Steps:
1. Mount a filesystem with ext2fs.
2. open() a file under the mount point. Bigger files seem to work best, like
   1GiB or so.
3. sendfile() that file descriptor to the socket of your choice (127.0.0.1 on
   some listening port that won't disconnect is fine, like
   nc -l 1234 > /dev/null).

It seems to be kind of random for when the kernel panics, but it happens
inevitably. I've had it take anywhere from a second to maybe 10-20. Data speed
seems to have an effect, but maybe it's just the total amount transferred. I'm
not sure.

A web server like nginx that gives access to files mounted with ext2fs can
trigger this if it's set up to use sendfile (I think most are). Or any user with
access to an ext2fs mounted partition can trigger it. Does not have to be run as
root.

I don't know if this can be skillfully exploited to give something more
interesting than a kernel panic or not.

Sample code to help with testing:

    #include <sys/types.h>
    #include <sys/socket.h>
    #include <sys/uio.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>
    #include <fcntl.h>
    #include <stdio.h>
    #include <strings.h>
    #include <unistd.h>

    char *self;

    #define destinationPort 1234

    int main(int argc, char **argv) {
        self = argv[0];

        if (argc != 2) {
            fprintf(stderr, "Usage: %s \n", self);
            return(2);
        }

        /* Source file; per the steps above it lives on an ext2fs mount. */
        int srcfp = open(argv[1], O_RDONLY);
        if (srcfp < 0) {
            perror("open");
            return(1);
        }

        int destinationSocket;
        if ((destinationSocket = socket(PF_INET, SOCK_STREAM, 0)) < 0) {
            perror("socket");
            return(1);
        }

        /* Connect to the local listener on 127.0.0.1:destinationPort. */
        struct sockaddr_in sa;
        bzero(&sa, sizeof(sa));
        sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
        sa.sin_family = AF_INET;
        sa.sin_port = htons(destinationPort);

        if (connect(destinationSocket, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
            perror("connect");
            return(1);
        }

        /* offset 0 and nbytes 0: send the whole file. */
        if (sendfile(srcfp, destinationSocket, 0, 0, NULL, 0, 0) != 0) {
            perror("sendfile");
            return(1);
        }

        close(srcfp);
        close(destinationSocket);

        return(0);
    }
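
Added example, not part of the original report: an audit for the nginx exposure the report describes, listing root/alias paths that sit on an ext2fs mount and are served with sendfile enabled. It assumes input in the form of FreeBSD `mount -p` output and a full configuration dump (for example from `nginx -T`); the sample data and all function names are constructed for illustration, and quoted arguments containing spaces are not handled.

```python
import re

# Constructed samples: FreeBSD `mount -p` output and an nginx configuration.
SAMPLE_MOUNTS = "/dev/ada0p2 / ufs rw 1 1\n/dev/da0s1 /mnt/media ext2fs rw 0 0\n"
SAMPLE_NGINX = """http { sendfile on;
  server { root /usr/local/www/site;
    location /media/ { alias /mnt/media/public/; }
    location /iso/ { sendfile off; root /mnt/media/iso; } } }"""

def ext2fs_mountpoints(mount_p_output):
    """Mount points whose fstab-style type column is ext2fs."""
    rows = (line.split() for line in mount_p_output.splitlines())
    return [r[1].rstrip("/") or "/" for r in rows if len(r) >= 3 and r[2] == "ext2fs"]

def parse_blocks(conf):
    """Build a tree of { } blocks holding their sendfile/root/alias directives."""
    new = lambda: {"sendfile": None, "paths": [], "children": []}
    top = new()
    stack, words = [top], []
    for tok in re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", conf)):
        if tok == "{":
            stack[-1]["children"].append(new())
            stack.append(stack[-1]["children"][-1])
        elif tok == "}" and len(stack) > 1:
            stack.pop()
        elif tok == ";" and len(words) == 2 and words[0] == "sendfile":
            stack[-1]["sendfile"] = words[1] == "on"
        elif tok == ";" and len(words) == 2 and words[0] in ("root", "alias"):
            stack[-1]["paths"].append(words[1])
        words = [] if tok in ("{", "}", ";") else words + [tok]
    return top

def exposed_paths(conf, mount_p_output):
    """root/alias paths on ext2fs that are served with sendfile enabled."""
    mounts, found = ext2fs_mountpoints(mount_p_output), set()
    def on_ext2fs(path):
        p = path.rstrip("/") or "/"
        return any(m == "/" or p == m or p.startswith(m + "/") for m in mounts)
    def walk(block, sendfile, paths):
        # Both settings are inherited from the enclosing block unless overridden.
        sendfile = block["sendfile"] if block["sendfile"] is not None else sendfile
        paths = block["paths"] or paths
        if sendfile:
            found.update(p for p in paths if on_ext2fs(p))
        for child in block["children"]:
            walk(child, sendfile, paths)
    walk(parse_blocks(conf), False, [])  # nginx's default is "sendfile off"
    return sorted(found)
```

Any path it returns is served through the code path the report exercises; an empty list means no configured root or alias combines an ext2fs mount with sendfile.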