From nobody@FreeBSD.org  Mon May 14 22:53:03 2007
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id CC77216A404
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 14 May 2007 22:53:03 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [69.147.83.33])
	by mx1.freebsd.org (Postfix) with ESMTP id BDA0613C447
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 14 May 2007 22:53:03 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id l4EMr3tE020081
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 14 May 2007 22:53:03 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id l4EMm1hS019105;
	Mon, 14 May 2007 22:48:01 GMT
	(envelope-from nobody)
Message-Id: <200705142248.l4EMm1hS019105@www.freebsd.org>
Date: Mon, 14 May 2007 22:48:01 GMT
From: Ludovico Gardenghi<osd@cs.unibo.it>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [if_tap] stat /dev/tapN leads to panic for N >= 2G
X-Send-Pr-Version: www-3.0

>Number:         112670
>Category:       kern
>Synopsis:       [if_tap] stat /dev/tapN leads to panic for N >= 2G
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-net
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon May 14 23:00:11 GMT 2007
>Closed-Date:    Fri May 18 07:00:34 GMT 2007
>Last-Modified:  Fri May 18 07:00:34 GMT 2007
>Originator:     Ludovico Gardenghi
>Release:        6.2-RELEASE
>Organization:
Virtual Square Team
>Environment:
FreeBSD devil.localdomain 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Fri Jan 12 10:40:27 UTC 2007     root@dessler.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
Trying to access a tap device in /dev leads to a kernel panic ("foo") if the tap name is tapN when N is greater than or equal to 2^31 and less than 2^32-1.

This is probably due to a bad conversion between unsigned and signed in dev_stdclone (kern_conf.c:750). The tap name is converted from string to integer with a loop (lines 762--765) and stored in the signed int variable 'u'; if the resulting value is greater than 2G, u becomes negative and the check at line 766 (if (u > 0xffffff)) fails, but the original value is in fact greater than that value and should be rejected.
>How-To-Repeat:
shammash@devil:~$ ls -l /dev/tap2147483648

(the following is in /var/log/messages)

May 10 13:57:12 devil kernel: dev 0xc370a000 (tap-1530494977) is on clonelist
May 10 13:57:12 devil kernel: unit=-1530494977, low=0, extra=0x0
May 10 13:57:12 devil kernel: 0xc36b4b00 tap0
May 10 13:57:12 devil kernel: 0xc36f1500 tap255
May 10 13:57:12 devil kernel: 0xc34f2000 tap256
May 10 13:57:12 devil kernel: 0xc32aee00 tap65537
May 10 13:57:12 devil kernel: 0xc36f1a00 tap1
May 10 13:57:12 devil kernel: 0xc36f1600 tap2
May 10 13:57:12 devil kernel: 0xc370a000 tap-1530494977
May 10 13:57:12 devil kernel: panic: foo
May 10 13:57:12 devil kernel: Uptime: 35m24s
May 10 13:57:12 devil kernel: Cannot dump. No dump device defined.
May 10 13:57:12 devil kernel: Automatic reboot in 15 seconds - press a key on the console to abort
May 10 13:57:12 devil kernel: Rebooting...
>Fix:
It should be enough to change 'int' to 'unsigned int' inside the functions involved in tap creation, mainly dev_stdclone() in kern/kern_conf.c. 
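A user-space model of the digit loop described above, added here as an illustration and not taken from FreeBSD's kern_conf.c: parse_unit_6_2() accumulates the unit and then compares a signed int against 0xffffff, as the report describes for 6.2-RELEASE, while parse_unit_fixed() bounds the value against CLONE_UNITMASK (0xfffff, the value quoted later in this PR) before every digit is folded in. The function names, the helper unit_digits(), the wrapper functions and the tap names fed to main() are assumptions made for the demo; 2764472319 is the unsigned value that wraps to the -1530494977 printed in the log above.

```c
/*
 * Added illustration for PR kern/112670: a user-space model of the unit
 * parsing in dev_stdclone() as the report describes it, beside a bounded
 * version. This is NOT FreeBSD's kern_conf.c; only the 0xffffff limit and
 * the 0xfffff value of CLONE_UNITMASK come from the PR, the rest is assumed.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <limits.h>

#define CLONE_UNITMASK 0xfffffu   /* value quoted in the follow-up */
#define OLD_UNIT_LIMIT 0xffffff   /* the constant the report quotes from 6.2 */

/* Skip the base name and return a pointer to the digit string, or NULL. */
static const char *
unit_digits(const char *name, const char *base)
{
	size_t n = strlen(base);

	if (strncmp(name, base, n) != 0)
		return NULL;
	name += n;
	return isdigit((unsigned char)*name) ? name : NULL;
}

/*
 * Behaviour as described in the report: the unit ends up in a signed int and
 * is compared against 0xffffff afterwards. The digits are accumulated in an
 * unsigned temporary here so the demo has no undefined signed overflow, then
 * converted to int; on two's-complement targets that yields the same wrapped
 * value the kernel printed (tap-1530494977 in the log).
 * Returns 1 and stores the unit on acceptance, 0 on rejection.
 */
int
parse_unit_6_2(const char *name, const char *base, int *unit)
{
	const char *p = unit_digits(name, base);
	unsigned int acc = 0;
	int u;

	if (p == NULL)
		return 0;
	while (isdigit((unsigned char)*p)) {
		acc *= 10;
		acc += (unsigned int)(*p++ - '0');
	}
	if (*p != '\0')
		return 0;
	u = (int)acc;			/* >= 2^31 becomes negative here */
	if (u > OLD_UNIT_LIMIT)		/* a negative u passes this check */
		return 0;
	*unit = u;
	return 1;
}

/*
 * Bounded version: unsigned accumulator, and every digit is checked before it
 * is folded in, so the value can never exceed CLONE_UNITMASK, let alone wrap
 * modulo 2^32 (a name such as tap4294967297 would otherwise alias tap1 even
 * with an unsigned u).
 */
int
parse_unit_fixed(const char *name, const char *base, unsigned int *unit)
{
	const char *p = unit_digits(name, base);
	unsigned int u = 0;

	if (p == NULL)
		return 0;
	while (isdigit((unsigned char)*p)) {
		unsigned int d = (unsigned int)(*p++ - '0');

		/* u * 10 + d > CLONE_UNITMASK  <=>  u > (CLONE_UNITMASK - d) / 10 */
		if (u > (CLONE_UNITMASK - d) / 10)
			return 0;
		u = u * 10 + d;
	}
	if (*p != '\0')
		return 0;
	*unit = u;
	return 1;
}

/* Wrappers for tap names: the parsed unit, or LLONG_MIN / -1 when rejected. */
long long
old_unit_of(const char *name)
{
	int u;

	return parse_unit_6_2(name, "tap", &u) ? (long long)u : LLONG_MIN;
}

long long
fixed_unit_of(const char *name)
{
	unsigned int u;

	return parse_unit_fixed(name, "tap", &u) ? (long long)u : -1LL;
}

int
main(void)
{
	/* Constructed names; 2147483648 is the name from the report's ls,
	 * 2764472319 the value that wraps to the -1530494977 in its log. */
	const char *names[] = { "tap1", "tap1048575", "tap1048576",
	    "tap4294967297", "tap2147483648", "tap2764472319" };
	size_t i;

	for (i = 0; i < sizeof(names) / sizeof(names[0]); i++)
		printf("%-14s 6.2: %lld   bounded: %lld\n", names[i],
		    old_unit_of(names[i]), fixed_unit_of(names[i]));
	return 0;
}
```

Built with cc -std=c99 -Wall, the 6.2 model accepts both oversize names with a negative unit while the bounded parser rejects them; it also rejects tap4294967297, which an unsigned accumulator without a per-digit check would silently read as unit 1.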
>Release-Note:
>Audit-Trail:

From: Remko Lodder <remko@elvandar.org>
To: Ludovico Gardenghi <osd@cs.unibo.it>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/112670: [if_tap] stat /dev/tapN leads to panic for N >= 2G
Date: Tue, 15 May 2007 20:08:05 +0200

 Can you try obtaining us a kernel dump as mentioned in the developers
 handbook?
 
 Thanks!
 
 -- 
 Kind regards,
 
      Remko Lodder               ** remko@elvandar.org
      FreeBSD                    ** remko@FreeBSD.org
 
      /* Quis custodiet ipsos custodes */
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: remko 
Responsible-Changed-When: Tue May 15 19:33:39 UTC 2007 
Responsible-Changed-Why:  
I think this is something more for the -net team, reassign. Note: I am 
awaiting a feedback report about the kernel dump (which wasn't made 
as you can see in the report, but it would perhaps tell us very well 
what the real problem is). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=112670 

From: Landon Fuller <landonf@threerings.net>
To: bug-followup@FreeBSD.org,
 osd@cs.unibo.it
Cc:  
Subject: Re: kern/112670: [if_tap] stat /dev/tapN leads to panic for N > 2G
Date: Tue, 15 May 2007 15:26:45 -0700

 The sign comparison bug was fixed in r1.201 of sys/kern/kern_conf.c  
 (kern/105228).
 It should be fixed in STABLE (MFC'd on February 27th).
State-Changed-From-To: open->feedback 
State-Changed-By: remko 
State-Changed-When: Wed May 16 16:36:49 UTC 2007 
State-Changed-Why:  
Hello, it is being mentioned that -STABLE has the required fix, can you please 
upgrade your station to -STABLE and report whether that indeed solved the problem. 
Thanks. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=112670 

From: Ariff Abdullah <ariff@FreeBSD.org>
To: bug-followup@FreeBSD.org, osd@cs.unibo.it
Cc:  
Subject: Re: kern/112670: [if_tap] stat /dev/tapN leads to panic for N >= 2G
Date: Thu, 17 May 2007 05:33:48 +0800

 
 Grr... this was meant for kern/112670, not 112671. Sorry.
 
 
 
 Well, I'm not really sure if this is all about signedness or simply
 because dev_stdclone() itself fails to do correct checking on
 unit > 0xffffff (it should be CLONE_UNITMASK which is 0xfffff, no?),
 obviously an overflow against clone_create(). It could be argued that
 the caller would later strip and truncate it, but there are a few other
 drivers (notably snp(4)) which innocently proceed without any
 tinkering.
  
 Anyway, try this patch. It should help other dev_stdclone() users too.
 
 
 --
 Ariff Abdullah
 FreeBSD
 
 ... Recording in stereo is obviously too advanced
     and confusing for us idiot ***** users :P ........
 
 [attachment: kern_conf.c.diff]
 
 Index: src/sys/kern/kern_conf.c
 ===================================================================
 RCS file: /home/ncvs/src/sys/kern/kern_conf.c,v
 retrieving revision 1.201
 diff -u -r1.201 kern_conf.c
 --- src/sys/kern/kern_conf.c	2 Feb 2007 22:27:45 -0000	1.201
 +++ src/sys/kern/kern_conf.c	16 May 2007 20:05:51 -0000
 @@ -763,7 +763,7 @@
  		u *= 10;
  		u += name[i++] - '0';
  	}
 -	if (u > 0xffffff)
 +	if (u > CLONE_UNITMASK)
  		return (0);
  	*unit = u;
  	if (namep)
 
State-Changed-From-To: feedback->closed 
State-Changed-By: remko 
State-Changed-When: Fri May 18 07:00:28 UTC 2007 
State-Changed-Why:  
6-STABLE has the proper support/fix, this will eventually get merged 
into later 6.x releases. Thanks for submitting the entry and the 
willingness to improve FreeBSD! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=112670 
>Unformatted:
