kern/73208: panic by duplicating UDP NFS v2 packets

Dmitry Miloserdov dmitry at bis.ru
Wed Oct 27 10:00:47 PDT 2004


>Number:         73208
>Category:       kern
>Synopsis:       panic by duplicating UDP NFS v2 packets
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Oct 27 17:00:46 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Dmitry Miloserdov
>Release:        FreeBSD 5.3-RC1 i386
>Organization:
>Environment:
System: FreeBSD dhcp.bis.local 5.3-RC1 FreeBSD 5.3-RC1 #0: Wed Oct 27 15:48:02 MSD 2004 dmitry at dhcp.bis.local:/usr/obj/u/src5/sys/DHCP i386

>Description:
	System crashes when the NFS server receives two identical packets
	in a short period of time and the command in them must be rejected
	by access control. In my opinion access control itself is not
	the reason for the crash - it just helps exploit a race somewhere.
	// Feel free to ignore my opinion
	BTW, sending a duplicate for most control NFS packets is the default
	behavior of the UnixWare NFS client.

	/etc/exports:
	/u -alldirs -mapall=www
	---
	ls -ld /u/db
	drwxr-xr-x  2 www  www  3072 25 Oct 21:54 /u/db
	---
	On the client, trying to create file /u/db/fil (which is allowed),
	and then the client's creat() syscall trying to change the group
	of /u/db/fil to the primary group of the client's user (which is denied).
	tethereal -td:
	1 0.021505  192.168.1.4 -> 10.1.1.1 NFS V2 LOOKUP Call, DH:0x3273bcaa/db
	2 0.000016  192.168.1.4 -> 10.1.1.1 NFS [RPC retransmission of #1]V2 LOOKUP Call, DH:0x3273bcaa/db
	3 0.010767  192.168.1.4 -> 10.1.1.1 NFS V2 LOOKUP Call, DH:0x9d5440aa/fil
	4 0.000015  192.168.1.4 -> 10.1.1.1 NFS [RPC retransmission of #3]V2 LOOKUP Call, DH:0x9d5440aa/fil
	5 0.011850  192.168.1.4 -> 10.1.1.1 NFS V2 CREATE Call, DH:0x9d5440aa/fil
	6 0.000016  192.168.1.4 -> 10.1.1.1 NFS [RPC retransmission of #5]V2 CREATE Call, DH:0x9d5440aa/fil
	7 0.000534  192.168.1.4 -> 10.1.1.1 NFS V2 SETATTR Call, FH:0x7233c0b2
	8 0.000012  192.168.1.4 -> 10.1.1.1 NFS [RPC retransmission of #7]V2 SETATTR Call, FH:0x7233c0b2
	9 0.863791  192.168.1.4 -> 10.1.1.1 NFS [RPC retransmission of #7]V2 SETATTR Call, FH:0x7233c0b2
	---
	On the 8th packet the system crashes.
	The problem is not in the content of the packet but in the packets'
	frequency, as blocking half of the NFS packets with ipfw allows the
	system to fulfill the request without a panic.

	---
	kernel trap 12 with interrupts disabled
	Fatal trap 12: page fault while in kernel mode
	cpuid = 0; apic id = 00
	fault virtual address   = 0x24
	fault code              = supervisor read, page not present
	instruction pointer     = 0x8:0xc0511337
	stack pointer           = 0x10:0xe4b45b50
	frame pointer           = 0x10:0xe4b45b64
	code segment            = base 0x0, limit 0xfffff, type 0x1b
	                        = DPL 0, pres 1, def32 1, gran 1
	processor eflags        = resume, IOPL = 0
	current process         = 86 (swi1: net)
	trap number             = 12
	panic: page fault
	cpuid = 0
	boot() called on cpu#0
	Uptime: 6m50s
	---
	(kgdb) bt
	#0  doadump () at pcpu.h:159
	#1  0xc04f2293 in boot (howto=260) at /u/src5/sys/kern/kern_shutdown.c:397
	#2  0xc04f25b9 in panic (fmt=0xc064bd2f "%s")
	    at /u/src5/sys/kern/kern_shutdown.c:553
	#3  0xc0629690 in trap_fatal (frame=0xe4b45b10, eva=36)
	    at /u/src5/sys/i386/i386/trap.c:809
	#4  0xc0628e4d in trap (frame=
	      {tf_fs = -65512, tf_es = -457965552, tf_ds = -1068498928, tf_edi = -1041038560, tf_esi = -1066696864, tf_ebp = -457942172, tf_isp = -457942212, tf_ebx = -1041117680, tf_edx = -1041463000, tf_ecx = -1041462912, tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -1068428489, tf_cs = 8, tf_eflags = 65683, tf_esp = 40, tf_ss = 0}) at /u/src5/sys/i386/i386/trap.c:247
	#5  0xc0617c3a in calltrap () at /u/src5/sys/i386/i386/exception.s:140
	#6  0xffff0018 in ?? ()
	#7  0xe4b40010 in ?? ()
	#8  0xc0500010 in osethostid (td=0xc1f1ce10, uap=0x0)
	    at /u/src5/sys/kern/kern_xxx.c:145
	#9  0xc0511af1 in turnstile_wait (ts=0xc1ec8980, lock=0xc06b7f60,
	    owner=0xc1f30320) at /u/src5/sys/kern/subr_turnstile.c:556
	#10 0xc04e9899 in _mtx_lock_sleep (m=0xc06b7f60, td=0xc1f1ce10, opts=0,
	    file=0x0, line=0) at /u/src5/sys/kern/kern_mutex.c:560
	#11 0xc05b05ae in nfsrv_rcv (so=0xc234b144, arg=0xc22aa280, waitflag=1)
	    at /u/src5/sys/nfsserver/nfs_srvsock.c:443
	#12 0xc052ba6d in sowakeup (so=0xc234b144, sb=0xc234b194)
	    at /u/src5/sys/kern/uipc_socket2.c:413
	#13 0xc0580e90 in udp_append (last=0xc234b144, ip=0xc27b4810, n=0xc278b300,
	    off=28) at /u/src5/sys/netinet/udp_usrreq.c:509
	#14 0xc0580c93 in udp_input (m=0xc278b300, off=20)
	    at /u/src5/sys/netinet/udp_usrreq.c:402
	#15 0xc056fd1d in ip_input (m=0xc278b300) at /u/src5/sys/netinet/ip_input.c:739
	#16 0xc055c38b in netisr_processqueue (ni=0xc06b03d8)
	    at /u/src5/sys/net/netisr.c:233
	#17 0xc055c7b6 in swi_net (dummy=0x0) at /u/src5/sys/net/netisr.c:346
	#18 0xc04de181 in ithread_loop (arg=0xc1f34200)
	    at /u/src5/sys/kern/kern_intr.c:547
	#19 0xc04dd231 in fork_exit (callout=0xc04de028 <ithread_loop>,
	    arg=0xc1f34200, frame=0xe4b45d48) at /u/src5/sys/kern/kern_fork.c:811
	#20 0xc0617c9c in fork_trampoline () at /u/src5/sys/i386/i386/exception.s:209
	---
	As the GENERIC kernel panics too, the kernel config is skipped.

>How-To-Repeat:
	Maybe `ipfw tee natd` can emulate my situation but I didn't try it
	myself.

>Fix:
	Disable UDP transport on NFS. But the problem seems to be deeper.
>Release-Note:
>Audit-Trail:
>Unformatted:
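Added example, not part of this PR or of the FreeBSD tree: the capture above marks frames 2, 4, 6, 8 and 9 as retransmissions because they carry the same RPC XID as an earlier frame, and the report's trigger is exactly that back-to-back duplication. The script below does two things: it parses the ONC RPC call header (RFC 1831) of raw UDP datagrams and labels each one as a fresh NFSv2 call or a retransmission of an earlier frame, the same way tethereal derives "[RPC retransmission of #N]"; and it provides a small UDP relay that forwards every client datagram to the server twice, as a stand-in for the `ipfw tee natd` idea in How-To-Repeat. The sample datagrams are constructed (AUTH_NULL credentials, no NFS payload), the NFSv2 procedure numbers follow RFC 1094, and the relay's addresses and port are hypothetical.

```python
"""Classify ONC RPC/NFSv2 UDP datagrams as calls or retransmissions, plus a
UDP relay that sends every client datagram to the server twice.

Added example for illustration; constants follow RFC 1831 (ONC RPC) and
RFC 1094 (NFSv2). The sample datagrams below are constructed, not captured.
"""
import socket
import struct
import sys

RPC_CALL = 0          # msg_type of a CALL message
RPC_VERSION = 2       # the only RPC version on the wire
NFS_PROGRAM = 100003  # program number of NFS
# Subset of NFSv2 procedure numbers (RFC 1094); others are shown numerically.
NFS_V2_PROCS = {0: "NULL", 1: "GETATTR", 2: "SETATTR", 4: "LOOKUP",
                8: "WRITE", 9: "CREATE", 10: "REMOVE"}
RPC_HDR = struct.Struct("!6I")  # xid, msg_type, rpcvers, prog, vers, proc


def parse_rpc_call(datagram):
    """Return (xid, prog, vers, proc) for an RPC CALL datagram, else None."""
    if len(datagram) < RPC_HDR.size:
        return None
    xid, msg_type, rpcvers, prog, vers, proc = RPC_HDR.unpack_from(datagram)
    if msg_type != RPC_CALL or rpcvers != RPC_VERSION:
        return None
    return xid, prog, vers, proc


def build_nfs_call(xid, proc, payload=b""):
    """Constructed minimal NFSv2 CALL with AUTH_NULL cred and verf (test data)."""
    auth_null = struct.pack("!II", 0, 0)  # flavor AUTH_NULL, body length 0
    return (RPC_HDR.pack(xid, RPC_CALL, RPC_VERSION, NFS_PROGRAM, 2, proc)
            + auth_null + auth_null + payload)


def classify_stream(datagrams):
    """Label each datagram in arrival order, keyed on XID: the first sighting
    of an XID is a call, every later sighting is a retransmission of that
    frame number (the same rule tethereal applies in the PR's capture)."""
    first_seen = {}
    labels = []
    for frame, d in enumerate(datagrams, 1):
        hdr = parse_rpc_call(d)
        if hdr is None:
            labels.append((frame, "not an RPC call"))
            continue
        xid, prog, vers, proc = hdr
        if prog == NFS_PROGRAM and vers == 2:
            name = NFS_V2_PROCS.get(proc, "proc%d" % proc)
        else:
            name = "prog%d/v%d/proc%d" % (prog, vers, proc)
        if xid in first_seen:
            labels.append((frame, "retransmission of #%d %s"
                           % (first_seen[xid], name)))
        else:
            first_seen[xid] = frame
            labels.append((frame, "%s call" % name))
    return labels


# Constructed stream with the shape of the PR's capture: every call is sent
# twice back-to-back and the SETATTR is retransmitted a third time.
SAMPLE_STREAM = [
    build_nfs_call(0x1001, 4), build_nfs_call(0x1001, 4),   # LOOKUP db
    build_nfs_call(0x1002, 4), build_nfs_call(0x1002, 4),   # LOOKUP fil
    build_nfs_call(0x1003, 9), build_nfs_call(0x1003, 9),   # CREATE fil
    build_nfs_call(0x1004, 2), build_nfs_call(0x1004, 2),   # SETATTR fil
    build_nfs_call(0x1004, 2),                              # SETATTR again
]


def duplicating_relay(listen, server, copies=2):
    """Relay UDP between one client and `server`: each client datagram is
    forwarded `copies` times back-to-back, each server reply once.
    Hypothetical test harness: it relays a single UDP port, so the client
    has to be pointed at the relay's port for the NFS service."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    client = None
    while True:
        data, peer = sock.recvfrom(65535)
        if peer == server:
            if client is not None:
                sock.sendto(data, client)
        else:
            client = peer
            for _ in range(copies):
                sock.sendto(data, server)


if __name__ == "__main__":
    if len(sys.argv) == 4:
        # usage: relay.py <listen_port> <server_ip> <server_port>
        duplicating_relay(("0.0.0.0", int(sys.argv[1])),
                          (sys.argv[2], int(sys.argv[3])))
    else:
        for frame, label in classify_stream(SAMPLE_STREAM):
            print(frame, label)
```

Run without arguments to see the classification of the constructed stream; with `<listen_port> <server_ip> <server_port>` it relays to a real NFS server and duplicates each request. The relay only reproduces the duplication the report describes, not the panic itself; whether the timing on a given machine hits the same race is something only a test against a vulnerable kernel can show, and a system that panics in the netisr thread will lose the relay's connection state with it.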

