Date:      Fri, 26 Nov 2010 14:31:53 +0300
From:      Dmitry Krivenok <krivenok.dmitry@gmail.com>
To:        Ivan Klymenko <fidaj@ukr.net>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: Simple kernel attack using socketpair.
Message-ID:  <AANLkTimH58340209kH3SxD_NpfjiJOai6HvL5-Vfd_=2@mail.gmail.com>
In-Reply-To: <20101126124922.3947bab4@ukr.net>
References:  <20101126122639.4fd47cba@ukr.net> <20101126124922.3947bab4@ukr.net>

I ran it on 8.0 and CURRENT and got a fatal double fault on both systems:

========================================================
Unread portion of the kernel message buffer:
kern.maxfiles limit exceeded by uid 1001, please see tuning(7).

Fatal double fault
rip = 0xffffffff80615f54
rsp = 0xffffff803c1fa000
rbp = 0xffffff803c1fa000
cpuid = 0; apic id = 00
panic: double fault
cpuid = 0
KDB: enter: panic
Uptime: 8d21h9m48s
Physical memory: 983 MB
Dumping 244 MB: 229 213 197 181 165 149 133 117 101 85 69 53 37 21 5

Reading symbols from /boot/modules/bwn_v4_lp_ucode.ko...done.
Loaded symbols for /boot/modules/bwn_v4_lp_ucode.ko
#0  0xffffffff805cc90a in kproc_shutdown (arg=0x0, howto=Variable
"howto" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:639
639             printf("Waiting (max %d seconds) for system process
`%s' to stop...",
(kgdb) bt
#0  0xffffffff805cc90a in kproc_shutdown (arg=0x0, howto=Variable
"howto" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:639
#1  0xffffffff805cce37 in kern_reboot (howto=260) at
/usr/src/sys/kern/kern_shutdown.c:216
#2  0xffffffff805cd2c1 in panic (fmt=0x1 <Address 0x1 out of bounds>)
at /usr/src/sys/kern/kern_shutdown.c:555
#3  0xffffffff808c7586 in user_ldt_free (td=0xffffff800021a300) at cpufunc.h:524
#4  0xffffffff808b24dd in Xtss () at /usr/src/sys/amd64/amd64/exception.S:151
#5  0xffffffff80615f54 in db_witness_list_all (addr=-2137114768,
have_addr=1, count=-2137114768, modif=0x1 <Address 0x1 out of bounds>)
    at /usr/src/sys/kern/subr_witness.c:2352
Previous frame inner to this frame (corrupt stack?)
========================================================


On Fri, Nov 26, 2010 at 1:49 PM, Ivan Klymenko <fidaj@ukr.net> wrote:
> On Fri, 26 Nov 2010 12:26:39 +0200
> Ivan Klymenko <fidaj@ukr.net> writes:
>
>> Hello!
>> Rumor has it that this vulnerability applies to FreeBSD too, with the
>> replacement SOCK_SEQPACKET on SOCK_DGRAM...
> and add:
>
> #include <sys/mount.h>
> #include <sys/wait.h>
> #include <errno.h>
> #include <fcntl.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <unistd.h>
>
>>
>> http://lkml.org/lkml/2010/11/25/8
>>
>> What do you think about this?
>>
>> Thank you!
> _______________________________________________
> freebsd-hackers@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
>



-- 
Sincerely yours, Dmitry V. Krivenok
e-mail: krivenok.dmitry@gmail.com
skype: krivenok_dmitry
jabber: krivenok_dmitry@jabber.ru
icq: 242-526-443
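The kernel message buffer above shows the "kern.maxfiles limit exceeded by uid 1001" warning being logged just before the double fault. As an added example that is not part of this thread or of FreeBSD itself, the following POSIX shell functions scan message-buffer text for that warning and report which uids hit the limit and how often, so an operator can catch descriptor exhaustion from a monitoring job before a machine reaches the panic reported here. The sample text is constructed; in practice the input would be the output of `dmesg`.

```shell
#!/bin/sh
# Added example (not from the thread): detect the "kern.maxfiles limit
# exceeded by uid N" warning in kernel-message-buffer text and summarise
# the offending uids. Input is plain text, e.g. `dmesg` output.

# maxfiles_offenders <text>
# Prints one "uid count" line per uid that hit the limit, most frequent first.
# Prints nothing when the warning does not occur in the text.
maxfiles_offenders() {
    printf '%s\n' "$1" |
        sed -n 's/^kern\.maxfiles limit exceeded by uid \([0-9][0-9]*\),.*$/\1/p' |
        sort | uniq -c | sort -rn |
        awk '{ print $2, $1 }'
}

# check_maxfiles <text>
# Returns 1 (after printing a warning) if any uid hit the limit, else 0,
# so it can be run from cron or a monitoring agent and alert on failure.
check_maxfiles() {
    out=$(maxfiles_offenders "$1")
    if [ -n "$out" ]; then
        echo "WARNING: kern.maxfiles limit hit by uid(s):"
        echo "$out"
        return 1
    fi
    return 0
}

# Constructed sample of message-buffer text (not real data from the thread
# beyond the warning format shown there).
SAMPLE_DMESG='pid 1234 (foo), uid 1001: exited on signal 11
kern.maxfiles limit exceeded by uid 1001, please see tuning(7).
kern.maxfiles limit exceeded by uid 1001, please see tuning(7).
kern.maxfiles limit exceeded by uid 1002, please see tuning(7).
kern.maxfiles limit exceeded by uid 1001, please see tuning(7).'

# Stand-alone run: report on the constructed sample.
check_maxfiles "$SAMPLE_DMESG"
```

On a live FreeBSD host, pair this with `sysctl kern.openfiles kern.maxfiles kern.maxfilesperproc` to see how close the system is to the limit, and treat a uid appearing repeatedly in the output as a reason to look at that user's processes and their per-process descriptor limits (tuning(7), as the kernel message itself suggests).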