From korvin@post2.tehnomir.lipetsk.ru  Sat Oct  1 06:01:53 2005
Return-Path: <korvin@post2.tehnomir.lipetsk.ru>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 24D8216A420
	for <FreeBSD-gnats-submit@freebsd.org>; Sat,  1 Oct 2005 06:01:53 +0000 (GMT)
	(envelope-from korvin@post2.tehnomir.lipetsk.ru)
Received: from falcon.lipetsk.ru (falcon.lipetsk.ru [195.34.224.68])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 3917943D49
	for <FreeBSD-gnats-submit@freebsd.org>; Sat,  1 Oct 2005 06:01:51 +0000 (GMT)
	(envelope-from korvin@post2.tehnomir.lipetsk.ru)
Received: from tehnomir.lipetsk.ru ([195.34.235.66]:52418 "EHLO
	post2.tehnomir.lipetsk.ru") by falcon.lipetsk.ru with ESMTP
	id S620363AbVJAGBu (ORCPT <rfc822;FreeBSD-gnats-submit@freebsd.org>);
	Sat, 1 Oct 2005 10:01:50 +0400
Received: from post2.tehnomir.lipetsk.ru (localhost.tehnomir.lipetsk.ru [127.0.0.1])
	by post2.tehnomir.lipetsk.ru (8.13.4/8.13.3) with ESMTP id j915wY13031492
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 1 Oct 2005 09:58:35 +0400 (MSD)
	(envelope-from korvin@post2.tehnomir.lipetsk.ru)
Received: (from korvin@localhost)
	by post2.tehnomir.lipetsk.ru (8.13.4/8.13.3/Submit) id j915wYUv031491;
	Sat, 1 Oct 2005 09:58:34 +0400 (MSD)
	(envelope-from korvin)
Message-Id: <200510010558.j915wYUv031491@post2.tehnomir.lipetsk.ru>
Date: Sat, 1 Oct 2005 09:58:34 +0400 (MSD)
From: Guram Dukashvili <korvin@tehnomir.lipetsk.ru>
Reply-To: Guram Dukashvili <korvin@tehnomir.lipetsk.ru>
To: FreeBSD-gnats-submit@freebsd.org
Subject: system reboot without syncing
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         86775
>Category:       kern
>Synopsis:       system reboot without syncing
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Oct 01 06:10:19 GMT 2005
>Closed-Date:    Fri Nov 16 09:12:49 UTC 2007
>Last-Modified:  Fri Nov 16 09:12:49 UTC 2007
>Originator:     Guram Dukashvili
>Release:        FreeBSD 5.4-STABLE i386
>Organization:
>Environment:
System: FreeBSD post2.tehnomir.lipetsk.ru 5.4-STABLE FreeBSD 5.4-STABLE #0: Thu Sep 29 14:09:36 MSD 2005 root@post2.tehnomir.lipetsk.ru:/usr/obj/usr/src/sys/MCOM i386

>Description:
The kevent syscall with the aio filter invokes a system reboot without sync under a
regular user and may be a security issue.

>How-To-Repeat:
#include <sys/types.h>
#include <sys/event.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>   /* uintptr_t */
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/stat.h>
#include <aio.h>

class KQueue {
  public:
    ~KQueue();
    KQueue();
    
    KQueue & testRegularFiles();
  protected:
  private:
    int kqueue_;
};

KQueue::~KQueue()
{
  if( close(kqueue_) != 0 ){
    perror(NULL);
    abort();
  }
}

KQueue::KQueue()
{
  kqueue_ = kqueue();
  if( kqueue_ == -1 ){
    perror(NULL);
    abort();
  }
}

KQueue & KQueue::testRegularFiles()
{
  struct kevent kev;
  int f;
  
  /* O_CREAT requires a mode argument; 0644 is used here */
  f = open("qwert",O_RDWR | O_CREAT/* | O_NONBLOCK*/,0644);
  if( f == -1 ){
    perror(NULL);
    abort();
  }
  if( fcntl(f,F_SETFL,fcntl(f,F_GETFL,0) | O_NONBLOCK) != 0 ){
    perror(NULL);
    abort();
  }
  char b[1 * 1024 * 1024];
  struct aiocb iocb;
  memset(&iocb,0,sizeof(iocb));
  iocb.aio_fildes = f;
  iocb.aio_nbytes = sizeof(b);
  iocb.aio_buf = b;
  iocb.aio_offset = 0;
  iocb.aio_sigevent.sigev_notify_kqueue = kqueue_;
  iocb.aio_sigevent.sigev_notify = SIGEV_KEVENT;
  if( aio_write(&iocb) != 0 ){
    perror(NULL);
    abort();
  }
  int kcount;
  /* first call blocks (pto == NULL); later calls poll with a zero timeout */
  struct timespec timeout = { 0, 0 }, * pto = NULL;
  for(;;){
    kcount = kevent(kqueue_,NULL,0,&kev,1,pto);
    if( kcount == -1 ){
      perror(NULL);
      abort();
    }
    if( kcount == 0 ) break;
    if( kev.flags & EV_ERROR ){
      errno = kev.data;
      perror(NULL);
      abort();
    }
    if( kev.flags & EV_EOF ){
      if( (errno = kev.fflags) != 0 ){
        perror(NULL);
        abort();
      }
    }

    if( kev.filter == EVFILT_READ ){
      fprintf(stderr,"EVFILT_READ\n");
    }
    if( kev.filter == EVFILT_WRITE ){
      fprintf(stderr,"EVFILT_WRITE\n");
    }
    if( kev.filter == EVFILT_AIO ){
      fprintf(stderr,"EVFILT_AIO\n");
      kev.ident = (uintptr_t) &iocb;
      kev.filter = EVFILT_AIO;
// this flag invokes the reboot
      kev.flags |= EV_CLEAR;
// reboot after this call
      if( kevent(kqueue_,&kev,1,NULL,0,NULL) == -1 ){
        perror(NULL);
        abort();
      }
    }
    pto = &timeout;
  }
  if( close(f) != 0 ){
    perror(NULL);
    abort();
  }
  return *this;
}

int main(int argc,char ** argv)
{
  KQueue kqueue;
  kqueue.testRegularFiles();
  return 0;
}

>Fix:


>Release-Note:
>Audit-Trail:

From: Kris Kennaway <kris@obsecurity.org>
To: Guram Dukashvili <korvin@tehnomir.lipetsk.ru>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: kern/86775: system reboot without syncing
Date: Sat, 1 Oct 2005 12:26:54 -0400

 Under 7.0 I get
 
 dalki# ./kevent
 Bad system call (core dumped)
 
 Please provide more information - what is the panic and traceback when
 you run it?
 
 Kris
 
State-Changed-From-To: open->closed 
State-Changed-By: kmacy 
State-Changed-When: Fri Nov 16 09:12:18 UTC 2007 
State-Changed-Why:  

Feedback timeout. Please re-open if you can provide more details. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=86775 
>Unformatted:
