Date: Mon, 3 Dec 2007 15:08:13 GMT From: Gabor Berczi <gabor@berczi.be> To: freebsd-gnats-submit@FreeBSD.org Subject: misc/118399: local/remote kernel DoS through TAP device Message-ID: <200712031508.lB3F8DVQ080758@www.freebsd.org> Resent-Message-ID: <200712031510.lB3FA4Tg071116@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 118399
>Category: misc
>Synopsis: local/remote kernel DoS through TAP device
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Dec 03 15:10:04 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator: Gabor Berczi
>Release: 6.2-RELEASE
>Organization:
>Environment:
Tested on x86/alpha, SMP/non-SMP.
>Description:
There is a bug somewhere in the FreeBSD kernel that causes lockup if the TAP device receives abnormal data.
..
tap1: discard oversize frame (ether type 4f84 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 0 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 39e7 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 0 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 4fe7 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 44b4 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 87df flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 1c flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 1f flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 80c0 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 9a87 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type c5e6 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 2aab flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 656c flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type e6f3 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 48bd flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 0 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type ca87 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type d0ca flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 249c flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 0 flags 3 len 16384 > max 1514)
fatal kernel trap:
trap entry = 0x2 (memory management fault)
cpuid = 0
faulting va = 0x34
type = access violation
cause = load instructon
pc = 0xfffffc00005dd39c
ra = 0xfffffc00005de15c
sp = 0xfffffe0007763870
usp = 0x11ffd6c0
curthread = 0xfffffc0001ef22b0
pid = 31183, comm = zsh
panic: trap
>How-To-Repeat:
1. Compile this:
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>
int main(int argc, char **argv)
{
if (argc != 2)
return 1;
int fd = open(argv[1], O_WRONLY);
if (fd < 0) {
perror("open");
return 1;
}
for (;;) {
char buf[2048];
int ret = read(0, buf, sizeof(buf));
if (ret < 0) {
perror("read");
close(fd);
return 1;
}
ret = write(fd, buf, ret);
}
return 0;
}
2. Load if_tap, and create tap0 device.
3. cat /dev/urandom|./a.out /dev/tap0
Sooner or later it'll die.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200712031508.lB3F8DVQ080758>