From graichen@omega.physik.fu-berlin.de  Sat Feb  3 05:21:02 1996
Received: from omega.physik.fu-berlin.de (omega.physik.fu-berlin.de [130.133.3.51])
          by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id FAA28342
          for <FreeBSD-gnats-submit@FreeBSD.org>; Sat, 3 Feb 1996 05:19:54 -0800 (PST)
Received: from prospero.physik.fu-berlin.de (lislip.physik.fu-berlin.de [130.133.3.126]) by omega.physik.fu-berlin.de (8.7.1/8.7.1) with ESMTP id OAA03190 for <FreeBSD-gnats-submit@FreeBSD.org>; Sat, 3 Feb 1996 14:19:50 +0100 (MET)
Received: (from graichen@localhost) by prospero (8.6.12/8.6.12) id MAA01092; Sat, 3 Feb 1996 12:36:00 +0100
Message-Id: <199602031136.MAA01092@prospero>
Date: Sat, 3 Feb 1996 12:36:00 +0100
From: Thomas Graichen <graichen@omega.physik.fu-berlin.de>
Reply-To: graichen@omega.physik.fu-berlin.de
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: can crash the system using modload
X-Send-Pr-Version: 3.2

>Number:         992
>Category:       kern
>Synopsis:       it is possible to crash the system using modload
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Feb  3 05:30:05 PST 1996
>Closed-Date:    Sun Feb 4 12:29:36 PST 1996
>Last-Modified:  Sun Feb  4 12:31:19 PST 1996
>Originator:     Thomas Graichen
>Release:        FreeBSD 2.1-STABLE i386
>Organization:
thomas graichen    graichen@mail.physik.fu-berlin.de    graichen@FreeBSD.org

  perfection is reached, not when there is no longer anything to add, but when
      there is no longer anything to take away    antoine de saint-exupery
>Environment:

FreeBSD 2.1.0-RELEASE #0: Fri Feb  2 13:20:53 MET 1996
    root@prospero:/usr/src/sys/compile/KERNEL_CONFIG
CPU: i486DX (486-class CPU)
real memory  = 20971520 (20480K bytes)
avail memory = 19296256 (18844K bytes)
Probing for devices on the ISA bus:
ed0 at 0x280-0x29f irq 5 on isa
ed0: address 00:40:95:20:0a:14, type NE2000 (16 bit)
vt0 at 0x60-0x6f irq 1 on motherboard
vt0: tvga 8900cl, 80/132 col, mono, 2 scr, mf2-kbd, [R3.20-b24]
sio0 at 0x3f8-0x3ff irq 4 on isa
sio0: type 16450
sio1 at 0x2f8-0x2ff irq 3 on isa
sio1: type 16450
wdc0 at 0x1f0-0x1f7 irq 14 on isa
sio3 at 0x2e8-0x2ef irq 9 on isa
sio3: type 16550A
lpt0 at 0x378-0x37f irq 7 on isa
lpt0: Interrupt-driven port
lp0: TCP/IP capable interface
fdc0 at 0x3f0-0x3f7 irq 6 drq 2 on isa
fdc0: NEC 765
fd0: 1.44MB 3.5in
wdc0: unit 0 (wd0): <Conner Peripherals 540MB - CFS540A>, multi-block-8
wd0: 516MB (1058400 sectors), 1050 cyls, 16 heads, 63 S/T, 512 B/S
wdc0: unit 1 (atapi): <FX001DE/E02>, removable, intr, iordis
wcd0: 299Kb/sec, 128Kb cache, audio play, 255 volume levels, ejectable tray
wcd0: no disc inside, unlocked
wdc1 at 0x170-0x177 irq 15 on isa
wdc1: unit 0 (wd2): <Conner Peripherals 425MB - CFS425A>, multi-block-8
wd2: 406MB (832288 sectors), 839 cyls, 16 heads, 62 S/T, 512 B/S
npx0 on motherboard
npx0: INT 16 interface
>Description:

it is possible to crash a system by running:

  modload -e kernfs_init -u -q -o /tmp/kernfs_mod /lkm/kernfs_mod.o

or

  modload -e union_init -u -q -o /tmp/union_mod /lkm/union_mod.o

ok - the command line is a bit bogus - but it should definitely not crash the
system (an error from modload or the kernel would be enough, I think)

here's what gdb -k says:

root@prospero:/var/crash> gdb -k kernel.0 vmcore.0
GDB is free software and you are welcome to distribute copies of it
 under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.13 (i386-unknown-freebsd),
Copyright 1994 Free Software Foundation, Inc...(no debugging symbols found)...
IdlePTD 192000
current pcb at 18a588
panic: loadable module initialization failed
#0  0xf0157985 in boot ()
(kgdb) where
#0  0xf0157985 in boot ()
#1  0xf010d413 in panic ()
#2  0xf0104b83 in lkmcioctl ()
#3  0xf01291d1 in spec_ioctl ()
#4  0xf01280c8 in vn_ioctl ()
#5  0xf010ec37 in ioctl ()
#6  0xf015c91f in syscall ()
#7  0xf01554db in Xsyscall ()
#8  0x10d3 in ?? ()
(kgdb)
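The kgdb session above is the kind of output a crash dump gets triaged from by hand. As an added example (not part of this PR, and not FreeBSD code), here is a small Python parser for the `panic:` line and the `where` backtrace that pulls out the kernel routine that decided to panic, the system call handler it was reached through, and the user-space PC of the calling process. The cut-off 0xf0000000 used to tell kernel frames from user frames is an assumption about KERNBASE on i386 kernels of that era; the sample input is the session quoted above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: FreeBSD 2.x on i386 mapped the kernel at KERNBASE 0xf0000000,
# so a PC at or above that value is a kernel frame and a lower one is user code.
KERNBASE = 0xF0000000

# Sample input: the gdb -k session quoted in the PR above, embedded verbatim.
SAMPLE_KGDB = """\
IdlePTD 192000
current pcb at 18a588
panic: loadable module initialization failed
#0  0xf0157985 in boot ()
(kgdb) where
#0  0xf0157985 in boot ()
#1  0xf010d413 in panic ()
#2  0xf0104b83 in lkmcioctl ()
#3  0xf01291d1 in spec_ioctl ()
#4  0xf01280c8 in vn_ioctl ()
#5  0xf010ec37 in ioctl ()
#6  0xf015c91f in syscall ()
#7  0xf01554db in Xsyscall ()
#8  0x10d3 in ?? ()
(kgdb)
"""

FRAME_RE = re.compile(r"^#(\d+)\s+(0x[0-9a-fA-F]+) in (\S+) \(\)")
PANIC_RE = re.compile(r"^panic: (.+)$")


@dataclass
class Frame:
    index: int
    pc: int
    symbol: str

    @property
    def in_kernel(self) -> bool:
        return self.pc >= KERNBASE


def parse_kgdb(text: str) -> Tuple[Optional[str], List[Frame]]:
    """Return the panic string and the frames printed after '(kgdb) where'."""
    panic = None
    frames = {}
    in_backtrace = False
    for line in text.splitlines():
        m = PANIC_RE.match(line)
        if m:
            panic = m.group(1).strip()
            continue
        if line.startswith("(kgdb) where"):
            in_backtrace = True
            continue
        if not in_backtrace:
            continue  # skip the banner and the lone #0 line before 'where'
        m = FRAME_RE.match(line)
        if m:
            idx = int(m.group(1))
            frames[idx] = Frame(idx, int(m.group(2), 16), m.group(3))
    return panic, [frames[i] for i in sorted(frames)]


def culprit(frames: List[Frame]) -> Optional[str]:
    """First kernel frame below boot()/panic(): the code that chose to panic."""
    for f in frames:
        if f.in_kernel and f.symbol not in ("boot", "panic"):
            return f.symbol
    return None


def syscall_entry(frames: List[Frame]) -> Optional[str]:
    """The handler directly above the generic syscall() frame (e.g. ioctl)."""
    by_index = {f.index: f for f in frames}
    for f in frames:
        if f.symbol == "syscall" and (f.index - 1) in by_index:
            return by_index[f.index - 1].symbol
    return None


def user_pc(frames: List[Frame]) -> Optional[int]:
    """PC of the first user-space frame, i.e. where the process made the call."""
    for f in frames:
        if not f.in_kernel:
            return f.pc
    return None


def triage(text: str) -> dict:
    panic, frames = parse_kgdb(text)
    return {
        "panic": panic,
        "frames": len(frames),
        "culprit": culprit(frames),
        "syscall": syscall_entry(frames),
        "user_pc": user_pc(frames),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_KGDB))
```

Run against the sample it reports the panic string, nine frames, `lkmcioctl` as the routine that panicked, `ioctl` as the system call path, and 0x10d3 as the user PC, which is exactly the chain the PR describes: a user process issuing the LKM ioctl and the kernel panicking instead of returning an error.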

>How-To-Repeat:

run one of the above commands


>Fix:

no idea

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed
State-Changed-By: wollman
State-Changed-When: Sun Feb 4 12:29:36 PST 1996
State-Changed-Why:
Neither modload(8) nor the kernel has any way of knowing that what
you have asked it to do makes no sense.  (You shouldn't be trying
to modload filesystems manually anyway.)  The root user is supposed
to know what he is doing.
>Unformatted:
