From nobody@FreeBSD.org  Mon May 14 22:57:10 2007
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 3B38716A407
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 14 May 2007 22:57:10 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [69.147.83.33])
	by mx1.freebsd.org (Postfix) with ESMTP id 2CC9B13C43E
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 14 May 2007 22:57:10 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id l4EMvAod020656
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 14 May 2007 22:57:10 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id l4EMq978019965;
	Mon, 14 May 2007 22:52:09 GMT
	(envelope-from nobody)
Message-Id: <200705142252.l4EMq978019965@www.freebsd.org>
Date: Mon, 14 May 2007 22:52:09 GMT
From: Ludovico Gardenghi <osd@cs.unibo.it>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [if_tap] stat /dev/tapN leads to panic for N >= 2G
X-Send-Pr-Version: www-3.0

>Number:         112671
>Category:       kern
>Synopsis:       [if_tap] stat /dev/tapN leads to panic for N >= 2G
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon May 14 23:00:12 GMT 2007
>Closed-Date:    Mon May 14 23:03:49 GMT 2007
>Last-Modified:  Wed May 16 21:20:04 GMT 2007
>Originator:     Ludovico Gardenghi
>Release:        6.2-RELEASE
>Organization:
Virtual Square Team
>Environment:
FreeBSD devil.localdomain 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Fri Jan 12 10:40:27 UTC 2007     root@dessler.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
Trying to access a tap device in /dev leads to a kernel panic ("foo") if the tap name is tapN when N is greater than or equal to 2^31 and less than 2^32-1.

This is probably due to a bad conversion between unsigned and signed in dev_stdclone (kern_conf.c:750). The tap name is converted from string to integer with a loop (lines 762--765) and stored in the signed int variable 'u'; if the resulting value is greater than 2G, u becomes negative and the check at line 766 (if (u > 0xffffff)) fails, but the original value is in fact greater than that value and should be rejected.
>How-To-Repeat:
shammash@devil:~$ ls -l /dev/tap2147483648

(the following is in /var/log/messages)

May 10 13:57:12 devil kernel: dev 0xc370a000 (tap-1530494977) is on clonelist
May 10 13:57:12 devil kernel: unit=-1530494977, low=0, extra=0x0
May 10 13:57:12 devil kernel: 0xc36b4b00 tap0
May 10 13:57:12 devil kernel: 0xc36f1500 tap255
May 10 13:57:12 devil kernel: 0xc34f2000 tap256
May 10 13:57:12 devil kernel: 0xc32aee00 tap65537
May 10 13:57:12 devil kernel: 0xc36f1a00 tap1
May 10 13:57:12 devil kernel: 0xc36f1600 tap2
May 10 13:57:12 devil kernel: 0xc370a000 tap-1530494977
May 10 13:57:12 devil kernel: panic: foo
May 10 13:57:12 devil kernel: Uptime: 35m24s
May 10 13:57:12 devil kernel: Cannot dump. No dump device defined.
May 10 13:57:12 devil kernel: Automatic reboot in 15 seconds - press a key on the console to abort
May 10 13:57:12 devil kernel: Rebooting...
>Fix:
It should be enough to change 'int' to 'unsigned int' inside the functions involved in tap creation, mainly dev_stdclone() in kern/kern_conf.c. 
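An added example (not code from this PR or from the FreeBSD tree) that contrasts a parser modelled on the loop the report describes with a bounded unsigned version; CLONE_UNITMASK is taken from the follow-up, and the function and helper names are assumptions:

```c
#include <string.h>

#define CLONE_UNITMASK 0xfffff  /* largest clone unit number, per the follow-up */

/* Index of the first digit after basename, or -1 if name does not start with
 * basename or carries no number (leading zeros rejected). */
static int unit_digits_start(const char *name, const char *basename)
{
    size_t i = strlen(basename);
    if (strncmp(name, basename, i) != 0 || name[i] == '\0')
        return -1;
    return (name[i] == '0' && name[i + 1] != '\0') ? -1 : (int)i;
}

/* Models the loop quoted in the PR: digits are accumulated first and the total
 * is compared against 0xffffff only afterwards, held in a signed int. The
 * accumulation is unsigned here so the demo has no undefined behaviour. */
static int parse_unit_buggy(const char *name, const char *basename, int *unit)
{
    int i = unit_digits_start(name, basename);
    unsigned int acc = 0;
    if (i < 0) return 0;
    while (name[i] >= '0' && name[i] <= '9')
        acc = acc * 10 + (unsigned int)(name[i++] - '0');
    if (name[i] != '\0') return 0;
    int u = (int)acc;   /* values >= 2^31 turn negative here */
    if (u > 0xffffff)   /* and a negative u passes this check */
        return 0;
    *unit = u;
    return 1;
}

/* Hardened version: unsigned arithmetic, with the bound enforced before each
 * step so the accumulator can neither wrap nor exceed CLONE_UNITMASK. */
static int parse_unit_fixed(const char *name, const char *basename, unsigned int *unit)
{
    int i = unit_digits_start(name, basename);
    unsigned int u = 0;
    if (i < 0) return 0;
    while (name[i] >= '0' && name[i] <= '9') {
        if (u > CLONE_UNITMASK / 10)  /* next digit would overshoot the mask */
            return 0;
        u = u * 10 + (unsigned int)(name[i++] - '0');
        if (u > CLONE_UNITMASK)
            return 0;
    }
    if (name[i] != '\0') return 0;
    *unit = u;
    return 1;
}
```

Feeding the name from How-To-Repeat to the modelled loop yields a negative unit that is accepted, while the bounded parser rejects it without ever wrapping.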
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: erwin 
State-Changed-When: Mon May 14 23:03:37 UTC 2007 
State-Changed-Why:  
Duplicate of kern/112670. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=112671 

From: Ariff Abdullah <ariff@FreeBSD.org>
To: bug-followup@FreeBSD.org, osd@cs.unibo.it
Cc:  
Subject: Re: kern/112671: [if_tap] stat /dev/tapN leads to panic for N >= 2G
Date: Thu, 17 May 2007 05:10:46 +0800

 Well, I'm not really sure if this is all about signedness or simply
 because dev_stdclone() itself fails to do correct checking on
 unit > 0xffffff (it should be CLONE_UNITMASK which is 0xfffff, no?),
 obviously an overflow against clone_create(). It could be argued that
 the caller would later strip and truncate it, but there are few other
 drivers (notably snp(4)) which innocently proceed without any
 tinkering.
 
 Anyway, try this patch. It should help other dev_stdclone() users too.
 
 --
 Ariff Abdullah
 FreeBSD
 
 ... Recording in stereo is obviously too advanced
     and confusing for us idiot ***** users :P ........
 
 Index: src/sys/kern/kern_conf.c
 ===================================================================
 RCS file: /home/ncvs/src/sys/kern/kern_conf.c,v
 retrieving revision 1.201
 diff -u -r1.201 kern_conf.c
 --- src/sys/kern/kern_conf.c	2 Feb 2007 22:27:45 -0000	1.201
 +++ src/sys/kern/kern_conf.c	16 May 2007 20:05:51 -0000
 @@ -763,7 +763,7 @@
  		u *= 10;
  		u += name[i++] - '0';
  	}
 -	if (u > 0xffffff)
 +	if (u > CLONE_UNITMASK)
  		return (0);
  	*unit = u;
  	if (namep)
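Review bot: the tightened bound does not close the wrap the report describes: if `u` is still a signed `int`, a long digit string overflows inside `u *= 10; u += name[i++] - '0';` before the comparison runs, and a negative `u` passes `if (u > CLONE_UNITMASK)` exactly as it passed `0xffffff`. Consider enforcing the bound inside the loop before each multiply (for example `if (u > CLONE_UNITMASK / 10) return (0);`) and/or making `u` unsigned as the Fix section suggests, and re-test with the tap2147483648 name from How-To-Repeat. Switching the literal to CLONE_UNITMASK is still right on its own, since the old 0xffffff admitted units the clone code later truncates.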
 
>Unformatted:
