From: sthaug@nethelp.no
To: Don.Lewis@tsc.tdk.com
Cc: wes@softweyr.com, toasty@HOME.DRAGONDATA.COM, security@FreeBSD.ORG
Subject: Re: KKIS.05051999.003b
Date: Sun, 09 May 1999 13:17:01 +0200
In-Reply-To: Your message of "Sat, 8 May 1999 20:26:05 -0700"
References: <199905090326.UAA19750@salsa.gv.tsc.tdk.com>
Message-ID: <66148.926248621@verdi.nethelp.no>

> I don't see any obvious descriptor leaks, but the fact that FreeBSD < 3.1
> panics (probably in unp_gc(), which Matt fixed) indicates that I'm missing
> something.

A 2.2.8 system I have here panics in sorflush (called from unp_gc()):

	void
	sorflush(so)
		register struct socket *so;
	{
		register struct sockbuf *sb = &so->so_rcv;
		register struct protosw *pr = so->so_proto;	/* 0 in the crashing case */
		register int s;
		struct sockbuf asb;

		sb->sb_flags |= SB_NOINTR;
		(void) sblock(sb, M_WAITOK);
		s = splimp();
		socantrcvmore(so);
		sbunlock(sb);
		asb = *sb;
		bzero((caddr_t)sb, sizeof (*sb));
		splx(s);
		/* pr->pr_flags is the dereference that faults when so_proto is 0 */
		if (pr->pr_flags & PR_RIGHTS && pr->pr_domain->dom_dispose)
			(*pr->pr_domain->dom_dispose)(asb.sb_mb);
		sbrelease(&asb);
	}

because so->so_proto is 0.
Backtrace:

#0  boot (howto=256) at ../../kern/kern_shutdown.c:275
#1  0xf01128ba in panic (fmt=0xf01bdf0f "page fault") at ../../kern/kern_shutdown.c:409
#2  0xf01beafa in trap_fatal (frame=0xefbffde4) at ../../i386/i386/trap.c:772
#3  0xf01be5bc in trap_pfault (frame=0xefbffde4, usermode=0) at ../../i386/i386/trap.c:681
#4  0xf01be247 in trap (frame={tf_es = 16, tf_ds = 16, tf_edi = -272630184, tf_esi = -260321820, tf_ebp = -272630184, tf_isp = -272630260, tf_ebx = -260321856, tf_edx = 1073610751, tf_ecx = 0, tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -267232200, tf_cs = 8, tf_eflags = 66118, tf_esp = 0, tf_ss = -259461120}) at ../../i386/i386/trap.c:324
#5  0xf0125c38 in sorflush (so=0xf07bcd80) at ../../kern/uipc_socket.c:854
#6  0xf01297de in unp_gc () at ../../kern/uipc_usrreq.c:889
#7  0xf012908f in unp_detach (unp=0xf0548694) at ../../kern/uipc_usrreq.c:420
#8  0xf0128b42 in uipc_usrreq (so=0xf0890f00, req=1, m=0x0, nam=0x0, control=0x0) at ../../kern/uipc_usrreq.c:113
#9  0xf012720f in old_detach (so=0xf0890f00) at ../../kern/uipc_socket2.c:890
#10 0xf0124902 in soclose (so=0xf0890f00) at ../../kern/uipc_socket.c:209
#11 0xf011c607 in soo_close (fp=0xf0906540, p=0xf07d8800) at ../../kern/sys_socket.c:206
#12 0xf010b1bc in closef (fp=0xf0906540, p=0xf07d8800) at ../../kern/kern_descrip.c:896
#13 0xf010a8a9 in close (p=0xf07d8800, uap=0xefbfff94, retval=0xefbfff84) at ../../kern/kern_descrip.c:392
#14 0xf01bed93 in syscall (frame={tf_es = 39, tf_ds = 39, tf_edi = 0, tf_esi = -272638692, tf_ebp = -272638740, tf_isp = -272629788, tf_ebx = -272638688, tf_edx = -272638846, tf_ecx = -272638972, tf_eax = 6, tf_trapno = 7, tf_err = 7, tf_eip = 537330913, tf_cs = 31, tf_eflags = 646, tf_esp = -272639024, tf_ss = 39}) at ../../i386/i386/trap.c:920
#15 0x200704e1 in ?? ()
#16 0x163d in ?? ()
#17 0x1095 in ?? ()

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
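Added here as an illustration, not FreeBSD code and not the fix that went into the tree: a small C model of the sorflush()/unp_gc() path from the mail above, with a guard that reports a socket whose so_proto is already 0 instead of dereferencing it. The struct layouts, the PR_RIGHTS value, the dispose callback and the socket list are constructed for the model; only the field and function names follow the quoted function.

```c
#include <stddef.h>
#include <string.h>
#define PR_RIGHTS 0x10               /* flag value assumed for this model */

struct mbuf    { int m_len; };       /* stand-in for the kernel mbuf */
struct domain  { void (*dom_dispose)(struct mbuf *); };
struct protosw { int pr_flags; struct domain *pr_domain; };
struct sockbuf { int sb_flags; struct mbuf *sb_mb; };
struct socket  { struct sockbuf so_rcv; struct protosw *so_proto; };

static int disposed;                 /* how many times dom_dispose ran */
static void model_dispose(struct mbuf *m) { (void)m; disposed++; }
/* Guarded flush: a socket whose so_proto is already 0 is reported to the
 * caller instead of being dereferenced, which is what faults in 2.2.8. */
int sorflush_guarded(struct socket *so)
{
    struct protosw *pr = so->so_proto;
    struct sockbuf asb;
    if (pr == NULL)                  /* the state behind the panic */
        return -1;
    asb = so->so_rcv;                /* detach the buffer, as sorflush does */
    memset(&so->so_rcv, 0, sizeof so->so_rcv);
    if ((pr->pr_flags & PR_RIGHTS) && pr->pr_domain->dom_dispose)
        (*pr->pr_domain->dom_dispose)(asb.sb_mb);
    return 0;
}

/* Model of the unp_gc() sweep: flush every listed socket, counting the
 * ones skipped because their protocol pointer was gone. */
int gc_sweep(struct socket **list, int n)
{
    int skipped = 0;
    for (int i = 0; i < n; i++)
        if (sorflush_guarded(list[i]) < 0)
            skipped++;
    return skipped;
}

/* Constructed scenario: one live socket, one already-detached socket. */
int demo_sweep(void)
{
    static struct mbuf mb;
    static struct domain dom = { model_dispose };
    static struct protosw pr = { PR_RIGHTS, &dom };
    struct socket live = { { 0, &mb }, &pr };
    struct socket dead = { { 0, NULL }, NULL };
    struct socket *list[] = { &live, &dead, &live };
    return gc_sweep(list, 3);        /* 1: only `dead` is skipped */
}
int disposed_count(void) { return disposed; }
```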