From nobody  Tue Nov 11 07:13:54 1997
Received: (from nobody@localhost)
          by hub.freebsd.org (8.8.7/8.8.7) id HAA28208;
          Tue, 11 Nov 1997 07:13:54 -0800 (PST)
          (envelope-from nobody)
Message-Id: <199711111513.HAA28208@hub.freebsd.org>
Date: Tue, 11 Nov 1997 07:13:54 -0800 (PST)
From: jt@nanoteq.com
To: freebsd-gnats-submit@freebsd.org
Subject: rndcontrol -s 8 causes kernel panic
X-Send-Pr-Version: www-1.0

>Number:         5011
>Category:       kern
>Synopsis:       rndcontrol -s 8 causes kernel panic
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Nov 11 07:20:00 PST 1997
>Closed-Date:    Tue Oct 17 13:09:35 PDT 2000
>Last-Modified:  Tue Oct 17 13:12:54 PDT 2000
>Originator:     Johann Tonsing
>Release:        2.2.5-STABLE
>Organization:
Nanoteq
>Environment:
FreeBSD Amnesiac.Domain 2.2.5-STABLE FreeBSD 2.2.5-STABLE #0: Mon Nov 10 05:21:14 SAT 1997     root@zibbi.mikom.csir.co.za:/ns/dist/src/kernel/sys/compile/NSR
i386
>Description:
If interrupt 8 is enabled for random information collection,
the kernel panics.

Admittedly this is a silly thing to do (IRQ8=RTC, which
is supposed to NOT be very random ;-)) but rndcontrol 
and/or the kernel /dev/random code should disallow this -
kernel panic is too drastic a punishment.


>How-To-Repeat:
Add interrupt 8 to the random bit collection interrupts.
Example:
# rndcontrol -s 8
rndcontrol: setting irq 8
rndcontrol: Interrupts in use: 8
#
Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x28
fault code              = supervisor read, page not present
instruction pointer     = 0x8:0xf0105ec5
stack pointer           = 0x10:0xf01b9f6c
frame pointer           = 0x10:0xf01b9f74
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = Idle
interrupt mask          =
panic: page fault


>Fix:
Add (more) validation code to rndcontrol and/or /dev/random
to disallow IRQ 8 -or- allow addition but fix whatever causes
panic.




>Release-Note:
>Audit-Trail:

From: Bruce Evans <bde@zeta.org.au>
To: freebsd-gnats-submit@FreeBSD.ORG, jt@nanoteq.com
Cc:
Subject: Re: kern/5011: rndcontrol -s 8 causes kernel panic
Date: Wed, 12 Nov 1997 11:38:18 +1100

 >>Description:
 >If interrupt 8 is enabled for random information collection,
 >the kernel panics.
 
 This is because add_interrupt_randomness() calls statclock()
 with an invalid frame.  This confuses statclock() about
 whether the call came from user mode, and it sometimes follows
 a null curproc pointer.
 
 Other C-level interrupt handlers that are passed a frame (i.e.,
 the ones for clk0 and npx0) have the same problem.
 
 Quick fix:
 In add_interrupt_randomness(), pass (void *)&irq instead of
 sec_intr_handler[irq] to the interrupt handlers that want a
 frame pointer.
 
 Bruce
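A constructed user-space model of the mismatch described above, added here as an illustration and not code from FreeBSD or from this PR. The handler table, the two handler kinds and every function name are assumptions; it shows the validation the submitter asks for (reject an IRQ whose handler needs a trap frame the randomness hook cannot supply) rather than the quick fix of passing a different argument.

```c
/* Constructed model of the kern/5011 failure mode; not FreeBSD code.
 * A handler that expects a trap frame must never be handed an arbitrary
 * pointer, so the randomness hook refuses such IRQs up front. */
#include <stddef.h>
#include <stdbool.h>

#define NIRQ 16
#define IRQ_RTC 8   /* IRQ 8 drives the RTC/statclock handler, as in the PR */

struct clockframe { int from_user; };   /* stand-in for the real trap frame */

typedef void (*plain_handler)(void *cookie);
typedef void (*frame_handler)(struct clockframe *frame);

/* Each IRQ has one kind of handler; the other field stays NULL. */
struct intr_entry { plain_handler plain; frame_handler frame; };

static struct intr_entry handlers[NIRQ];   /* stands in for sec_intr_handler[] */
static bool random_irqs[NIRQ];
static int stat_user_ticks, plain_ticks;

/* Model of statclock(): it reads the frame to tell user from kernel mode. */
static void statclock_model(struct clockframe *f) { if (f->from_user) stat_user_ticks++; }
static void plain_irq_model(void *cookie) { (void)cookie; plain_ticks++; }

void setup_model(void) {
    for (int i = 0; i < NIRQ; i++) {
        handlers[i].plain = NULL; handlers[i].frame = NULL; random_irqs[i] = false;
    }
    handlers[IRQ_RTC].frame = statclock_model;
    handlers[3].plain = plain_irq_model;   /* constructed: an ordinary cookie-taking handler */
}

/* What rndcontrol -s <irq> would do in this model, with the missing check:
 * 0 = accepted, -1 = no such IRQ, -2 = handler needs a frame the hook cannot supply. */
int random_set_irq(int irq) {
    if (irq < 0 || irq >= NIRQ) return -1;
    if (handlers[irq].plain == NULL) return -2;
    random_irqs[irq] = true;
    return 0;
}

/* The randomness hook: only ever calls a handler with an argument of its own type.
 * Returns 1 if a handler ran, 0 if the IRQ is not collected, -1 if it had to refuse. */
int add_interrupt_randomness_model(int irq, struct clockframe *frame) {
    if (irq < 0 || irq >= NIRQ || !random_irqs[irq]) return 0;
    if (handlers[irq].plain) { handlers[irq].plain(&irq); return 1; }
    if (handlers[irq].frame && frame) { handlers[irq].frame(frame); return 1; }
    return -1;   /* frame handler without a real frame: refuse instead of faulting */
}
```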
State-Changed-From-To: open->closed 
State-Changed-By: johan 
State-Changed-When: Tue Oct 17 13:09:35 PDT 2000 
State-Changed-Why:  
This does not happen on a 4.1-STABLE system. 
I guess it has been fixed. 

If you experience this problem in more recent releases of 
FreeBSD please open a new PR. 

However, please see the FAQ (http://www.FreeBSD.org/FAQ/FAQ.html) 
section 'For serious FreeBSD hackers only' 
question 'Making the most of a kernel panic' 
before doing so. 



http://www.freebsd.org/cgi/query-pr.cgi?pr=5011 
>Unformatted:
