Date:      Sun, 09 May 1999 13:17:01 +0200
From:      sthaug@nethelp.no
To:        Don.Lewis@tsc.tdk.com
Cc:        wes@softweyr.com, toasty@HOME.DRAGONDATA.COM, security@FreeBSD.ORG
Subject:   Re: KKIS.05051999.003b
Message-ID:  <66148.926248621@verdi.nethelp.no>
In-Reply-To: Your message of "Sat, 8 May 1999 20:26:05 -0700"
References:  <199905090326.UAA19750@salsa.gv.tsc.tdk.com>

> I don't see any obvious descriptor leaks, but the fact that FreeBSD < 3.1
> panics (probably in unp_gc(), which Matt fixed) indicates that I'm missing
> something.

A 2.2.8 system I have here panics in sorflush (called from unp_gc()):

/*
 * sorflush: shut down and discard the receive side of socket `so`.
 *
 * Marks the socket as unable to receive more data, takes a private copy
 * (asb) of the receive sockbuf, zeroes the original in place, and then
 * runs the protocol domain's dispose hook (if any) on the copy and
 * releases it.
 *
 * NOTE(review): so->so_proto is read into `pr` and dereferenced further
 * down with no NULL check.  In the crash reported with this listing,
 * so->so_proto is 0 and the backtrace shows a page fault (tf_trapno = 12)
 * inside sorflush, reached from unp_gc().  A NULL guard here would avoid
 * the fault, but this function alone does not show whether a socket
 * without a protocol should ever get this far -- check the caller too.
 */
void
sorflush(so)
	register struct socket *so;
{
	/* Receive-side buffer of the socket; all work below is on this. */
	register struct sockbuf *sb = &so->so_rcv;
	/* Not validated: 0 in the reported panic. */
	register struct protosw *pr = so->so_proto;
	/* Value returned by splimp(), handed back to splx() below. */
	register int s;
	/* Private snapshot of *sb, used after the original is zeroed. */
	struct sockbuf asb;

	/* Set SB_NOINTR before locking; the sblock() result is discarded. */
	sb->sb_flags |= SB_NOINTR;
	(void) sblock(sb, M_WAITOK);
	/*
	 * Between splimp() and splx(): stop further receives, drop the
	 * lock, copy the sockbuf and wipe the original, so the rest of the
	 * function only touches the copy.
	 */
	s = splimp();
	socantrcvmore(so);
	sbunlock(sb);	     asb = *sb;
	bzero((caddr_t)sb, sizeof (*sb));
	splx(s);
	/*
	 * First dereference of pr -- presumably the faulting access when
	 * so->so_proto is 0.  `&` binds tighter than `&&`, so this reads
	 * (pr->pr_flags & PR_RIGHTS) && dom_dispose.  pr->pr_domain is
	 * likewise dereferenced without a check.
	 */
	if (pr->pr_flags & PR_RIGHTS && pr->pr_domain->dom_dispose)
		(*pr->pr_domain->dom_dispose)(asb.sb_mb);
	/* Release the snapshot; the original sockbuf is already zeroed. */
	sbrelease(&asb);
}

because so->so_proto is 0, so the pr->pr_flags test dereferences a null pointer. Backtrace:

#0  boot (howto=256) at ../../kern/kern_shutdown.c:275
#1  0xf01128ba in panic (fmt=0xf01bdf0f "page fault") at ../../kern/kern_shutdown.c:409
#2  0xf01beafa in trap_fatal (frame=0xefbffde4) at ../../i386/i386/trap.c:772
#3  0xf01be5bc in trap_pfault (frame=0xefbffde4, usermode=0) at ../../i386/i386/trap.c:681
#4  0xf01be247 in trap (frame={tf_es = 16, tf_ds = 16, tf_edi = -272630184, tf_esi = -260321820, 
      tf_ebp = -272630184, tf_isp = -272630260, tf_ebx = -260321856, tf_edx = 1073610751, tf_ecx = 0, 
      tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -267232200, tf_cs = 8, tf_eflags = 66118, 
      tf_esp = 0, tf_ss = -259461120}) at ../../i386/i386/trap.c:324
#5  0xf0125c38 in sorflush (so=0xf07bcd80) at ../../kern/uipc_socket.c:854
#6  0xf01297de in unp_gc () at ../../kern/uipc_usrreq.c:889
#7  0xf012908f in unp_detach (unp=0xf0548694) at ../../kern/uipc_usrreq.c:420
#8  0xf0128b42 in uipc_usrreq (so=0xf0890f00, req=1, m=0x0, nam=0x0, control=0x0)
    at ../../kern/uipc_usrreq.c:113
#9  0xf012720f in old_detach (so=0xf0890f00) at ../../kern/uipc_socket2.c:890
#10 0xf0124902 in soclose (so=0xf0890f00) at ../../kern/uipc_socket.c:209
#11 0xf011c607 in soo_close (fp=0xf0906540, p=0xf07d8800) at ../../kern/sys_socket.c:206
#12 0xf010b1bc in closef (fp=0xf0906540, p=0xf07d8800) at ../../kern/kern_descrip.c:896
#13 0xf010a8a9 in close (p=0xf07d8800, uap=0xefbfff94, retval=0xefbfff84) at ../../kern/kern_descrip.c:392
#14 0xf01bed93 in syscall (frame={tf_es = 39, tf_ds = 39, tf_edi = 0, tf_esi = -272638692, 
      tf_ebp = -272638740, tf_isp = -272629788, tf_ebx = -272638688, tf_edx = -272638846, 
      tf_ecx = -272638972, tf_eax = 6, tf_trapno = 7, tf_err = 7, tf_eip = 537330913, tf_cs = 31, 
      tf_eflags = 646, tf_esp = -272639024, tf_ss = 39}) at ../../i386/i386/trap.c:920
#15 0x200704e1 in ?? ()
#16 0x163d in ?? ()
#17 0x1095 in ?? ()

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

