Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 3 Dec 2007 15:08:13 GMT
From:      Gabor Berczi <gabor@berczi.be>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   misc/118399: local/remote kernel DoS through TAP device
Message-ID:  <200712031508.lB3F8DVQ080758@www.freebsd.org>
Resent-Message-ID: <200712031510.lB3FA4Tg071116@freefall.freebsd.org>

next in thread | raw e-mail | index | archive | help

>Number:         118399
>Category:       misc
>Synopsis:       local/remote kernel DoS through TAP device
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Dec 03 15:10:04 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator:     Gabor Berczi
>Release:        6.2-RELEASE
>Organization:
>Environment:
Tested on x86/alpha, SMP/non-SMP.


>Description:
There is a bug somewhere in the FreeBSD kernel that causes lockup if the TAP device receives abnormal data.

..
tap1: discard oversize frame (ether type 4f84 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 0 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 39e7 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 0 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 4fe7 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 44b4 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 87df flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 1c flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 1f flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 80c0 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 9a87 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type c5e6 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 2aab flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 656c flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type e6f3 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 48bd flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 0 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type ca87 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type d0ca flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 249c flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 0 flags 3 len 16384 > max 1514)

fatal kernel trap:

    trap entry     = 0x2 (memory management fault)
    cpuid          = 0
    faulting va    = 0x34
    type           = access violation
    cause          = load instructon
    pc             = 0xfffffc00005dd39c
    ra             = 0xfffffc00005de15c
    sp             = 0xfffffe0007763870
    usp            = 0x11ffd6c0
    curthread      = 0xfffffc0001ef22b0
        pid = 31183, comm = zsh

panic: trap


>How-To-Repeat:
1. Compile this:

#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>

int main(int argc, char **argv)
{
	if (argc != 2)
		return 1;

	int fd = open(argv[1], O_WRONLY);
	if (fd < 0) {
		perror("open");
		return 1;
	}

	for (;;) {
		char buf[2048];
		int ret = read(0, buf, sizeof(buf));
		if (ret < 0) {
			perror("read");
			close(fd);
			return 1;
		}
		ret = write(fd, buf, ret);
	}

	return 0;
}

2. Load if_tap, and create tap0 device.
3. cat /dev/urandom|./a.out /dev/tap0

Sooner or later it'll die.


>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200712031508.lB3F8DVQ080758>