From nobody@FreeBSD.org  Mon Jan  2 14:56:11 2006
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id A9E3916A41F
	for <freebsd-gnats-submit@FreeBSD.org>; Mon,  2 Jan 2006 14:56:11 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 3EF0A43D4C
	for <freebsd-gnats-submit@FreeBSD.org>; Mon,  2 Jan 2006 14:56:11 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id k02EuApj045518
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 2 Jan 2006 14:56:10 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id k02EuAjS045517;
	Mon, 2 Jan 2006 14:56:10 GMT
	(envelope-from nobody)
Message-Id: <200601021456.k02EuAjS045517@www.freebsd.org>
Date: Mon, 2 Jan 2006 14:56:10 GMT
From: Vladimir Kotal <vlada@devnull.cz>
To: freebsd-gnats-submit@FreeBSD.org
Subject: sending file descriptors via AF_UNIX socket crashes kernel
X-Send-Pr-Version: www-2.3

>Number:         91224
>Category:       kern
>Synopsis:       sending file descriptors via AF_UNIX socket crashes kernel
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    rwatson
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jan 02 15:00:16 GMT 2006
>Closed-Date:    Tue Jan 03 06:19:45 GMT 2006
>Last-Modified:  Tue Jan 03 06:19:45 GMT 2006
>Originator:     Vladimir Kotal
>Release:        6.0-RELEASE
>Organization:
>Environment:
FreeBSD mailnfs1 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu Dec 22 18:33:19 CET 2005     x@mailnfs1:/usr/src/sys/i386/compile/mailnfs  i386
>Description:
When playing with AF_UNIX sockets, I have discovered that ancient code which crashed FreeBSD 3.1 still "works" on more recent versions of FreeBSD.

The original bug report can be found at
  http://www.securiteam.com/exploits/2FUQ4QAQRK.html

Fixed code (so that it compiles cleanly) is here:
  http://techie.devnull.cz/public/AF_UNIX-FreeBSD-crash.c

The backtrace looks like this:

#0  doadump () at pcpu.h:165
#1  0xc05deb7e in boot (howto=260) at ../../../kern/kern_shutdown.c:399
#2  0xc05dee14 in panic (fmt=0xc07adf73 "%s")
    at ../../../kern/kern_shutdown.c:555
#3  0xc076ee10 in trap_fatal (frame=0xe6cf5a44, eva=0)
    at ../../../i386/i386/trap.c:831
#4  0xc076eb7b in trap_pfault (frame=0xe6cf5a44, usermode=0, eva=0)
    at ../../../i386/i386/trap.c:742
#5  0xc076e7b9 in trap (frame=
      {tf_fs = -422641656, tf_es = 40, tf_ds = 40, tf_edi = -1042289368, tf_esi = -1030220736, tf_ebp = -422618400, tf_isp = -422618512, tf_ebx = -1044382336, tf_edx = -1047046376, tf_ecx = -1043903488, tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -1067719191, tf_cs = 32, tf_eflags = 66050, tf_esp = 0, tf_ss = 0})
    at ../../../i386/i386/trap.c:432
#6  0xc075dfaa in calltrap () at ../../../i386/i386/exception.s:139
#7  0xc05be5e9 in closef (fp=0xc1bffd80, td=0x0)
    at ../../../kern/kern_descrip.c:1877
#8  0xc0622958 in unp_discard (fp=0xc1bffd80)
    at ../../../kern/uipc_usrreq.c:1888
#9  0xc0622854 in unp_scan (m0=0xc1dfe600, op=0xc06228dc <unp_discard>)
    at ../../../kern/uipc_usrreq.c:1855
#10 0xc0622721 in unp_dispose (m=0x0) at ../../../kern/uipc_usrreq.c:1802
#11 0xc06181f8 in sorflush (so=0xc2e162c8) at ../../../kern/uipc_socket.c:1479
#12 0xc0620699 in unp_detach (unp=0xc3b9cc08)
    at ../../../kern/uipc_usrreq.c:805
#13 0xc061f562 in uipc_detach (so=0x0) at ../../../kern/uipc_usrreq.c:256
#14 0xc0616840 in soclose (so=0xc2e162c8) at ../../../kern/uipc_socket.c:475
#15 0xc0606783 in soo_close (fp=0xc1e14558, td=0xc1c74c00)
    at ../../../kern/sys_socket.c:317
#16 0xc05c040c in fdrop_locked (fp=0xc1e14558, td=0xc1c74c00) at file.h:289
#17 0xc05c035d in fdrop (fp=0xc1e14558, td=0xc1c74c00)
    at ../../../kern/kern_descrip.c:2101
#18 0xc05be98b in closef (fp=0xc1e14558, td=0xc1c74c00)
    at ../../../kern/kern_descrip.c:1921
#19 0xc05bbdb9 in close (td=0xc1c74c00, uap=0x0)
    at ../../../kern/kern_descrip.c:1004
#20 0xc076f127 in syscall (frame=
      {tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = 671408776, tf_esi = -1077940908, tf_ebp = -1077941032, tf_isp = -422617756, tf_ebx = 1, tf_edx = 134515882, tf_ecx = 9, tf_eax = 6, tf_trapno = 0, tf_err = 2, tf_eip = 671836115, tf_cs = 51, tf_eflags = 658, tf_esp = -1077941348, tf_ss = 59})
    at ../../../i386/i386/trap.c:976
#21 0xc075dfff in Xint0x80_syscall () at ../../../i386/i386/exception.s:200
#22 0x00000033 in ?? ()


The kernel crash occurred in closef():

(kgdb) fr 7
#7  0xc05be5e9 in closef (fp=0xc1bffd80, td=0x0)
    at ../../../kern/kern_descrip.c:1877
1877            if ((td->td_proc->p_leader->p_flag & P_ADVLOCK) != 0) {
(kgdb) l
1872        if (fp->f_type == DTYPE_VNODE) {
1873            int vfslocked;
1874
1875            vp = fp->f_vnode;
1876            vfslocked = VFS_LOCK_GIANT(vp->v_mount);
1877            if ((td->td_proc->p_leader->p_flag & P_ADVLOCK) != 0) {
1878                    lf.l_whence = SEEK_SET;
1879                    lf.l_start = 0;
1880                    lf.l_len = 0;
1881                    lf.l_type = F_UNLCK;

because of:

(kgdb) p &td->td_proc
$1 = (struct proc **) 0x0
(kgdb) p td
$2 = (struct thread *) 0x0

>How-To-Repeat:
1. download source code mentioned in previous section
2. compile the code
3. run the code
>Fix:
It seems that the root cause is in unp_discard():

static void
unp_discard(struct file *fp)
{
        FILE_LOCK(fp);
        fp->f_msgcount--;
        unp_rights--;
        FILE_UNLOCK(fp);
        (void) closef(fp, (struct thread *)NULL);
}

because it calls closef() with second param which is NULL pointer.

Possible solutions:
  - patch unp_discard() so it fills something more sane into second param
  - fix closef() so it checks NULL pointer

side note: This might be vaguely related to ancient kern/4345 bug report (Kernel panic is caused by passing file descriptors through AF_UNIX socket)

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: rwatson 
State-Changed-When: Mon Jan 2 17:54:04 UTC 2006 
State-Changed-Why:  
On 2005/11/10, I committed a fix for a number of bugs relating to 
transferring UNIX domain sockets to the CVS HEAD as uipc_usrreq.c:1.159, 
and merged these to RELENG_6 as uipc_usrreq.c:1.155.2.2.  Could you 
try upgrading to 6-STABLE and see if you still experience this problem? 



Responsible-Changed-From-To: freebsd-bugs->rwatson 
Responsible-Changed-By: rwatson 
Responsible-Changed-When: Mon Jan 2 17:54:04 UTC 2006 
Responsible-Changed-Why:  
Grab this as I've made a number of recent changes to this and related code. 


Date: Mon, 2 Jan 2006 19:09:08 +0100
From: Vladimír Kotal <vlada@devnull.cz>
To: Robert Watson <rwatson@FreeBSD.org>
Cc: freebsd-bugs@FreeBSD.org
Subject: Re: kern/91224: sending file descriptors via AF_UNIX socket crashes
     kernel


On 2.1.2006, at 18:57, Robert Watson wrote:

> 
> On Mon, 2 Jan 2006, Robert Watson wrote:
> 
> > Synopsis: sending file descriptors via AF_UNIX socket crashes kernel
> > 
> > State-Changed-From-To: open->feedback
> > State-Changed-By: rwatson
> > State-Changed-When: Mon Jan 2 17:54:04 UTC 2006
> > State-Changed-Why:
> > On 2005/11/10, I committed a fix for a number of bugs relating to
> > transferring UNIX domain sockets to the CVS HEAD as uipc_usrreq.c:1.159,
> > and merged these to RELENG_6 as uipc_usrreq.c:1.155.2.2.  Could you
> > try upgrading to 6-STABLE and see if you still experience this problem?
> 
> You'll also want kern_descrip.c:1.284 in HEAD or kern_descrip.c:1.243.2.8
> which teaches closef() about the NULL thread pointer.  That was merged
> around 2005/11/16.
> 

Yes, I have noticed the MFC in closef() just after I have submitted the bug.
I don't think the kernel panic is possible with the (td != NULL) check so
this bug report can be marked as closed.


http://www.freebsd.org/cgi/query-pr.cgi?pr=91224 
State-Changed-From-To: feedback->closed 
State-Changed-By: rwatson 
State-Changed-When: Tue Jan 3 06:13:41 UTC 2006 
State-Changed-Why:  
Mark as closed as this bug is believed fixed; add quoted e-mail from 
out of band discussion.  We may want to consider an errata patch for 
RELENG_6_0 relating to these bugs. 



http://www.freebsd.org/cgi/query-pr.cgi?pr=91224 
>Unformatted:
