kern/73208: panic by duplicating UDP NFS v2 packets
Dmitry Miloserdov
dmitry at bis.ru
Wed Oct 27 10:00:47 PDT 2004
>Number: 73208
>Category: kern
>Synopsis: panic by duplicating UDP NFS v2 packets
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Oct 27 17:00:46 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator: Dmitry Miloserdov
>Release: FreeBSD 5.3-RC1 i386
>Organization:
>Environment:
System: FreeBSD dhcp.bis.local 5.3-RC1 FreeBSD 5.3-RC1 #0: Wed Oct 27 15:48:02 MSD 2004 dmitry at dhcp.bis.local:/usr/obj/u/src5/sys/DHCP i386
>Description:
System crashes when the NFS server receives two identical packets
in a short period of time and the command in them must be rejected
by access control. In my opinion access control itself is not
the reason for the crash - it just helps exploit a race somewhere.
// Feel free to ignore my opinion
BTW sending duplicates of most control NFS packets is the default
behavior of the UnixWare NFS client.
/etc/exports:
/u -alldirs -mapall=www
---
ls -ld /u/db
drwxr-xr-x 2 www www 3072 25 Oct 21:54 /u/db
---
On the client, trying to create file /u/db/fil (which is allowed),
and then the client's creat() syscall tries to change the group
of /u/db/fil to the primary group of the client's user (which is denied).
tethereal -td:
1 0.021505 192.168.1.4 -> 10.1.1.1 NFS V2 LOOKUP Call, DH:0x3273bcaa/db
2 0.000016 192.168.1.4 -> 10.1.1.1 NFS [RPC retransmission of #1]V2 LOOKUP Call, DH:0x3273bcaa/db
3 0.010767 192.168.1.4 -> 10.1.1.1 NFS V2 LOOKUP Call, DH:0x9d5440aa/fil
4 0.000015 192.168.1.4 -> 10.1.1.1 NFS [RPC retransmission of #3]V2 LOOKUP Call, DH:0x9d5440aa/fil
5 0.011850 192.168.1.4 -> 10.1.1.1 NFS V2 CREATE Call, DH:0x9d5440aa/fil
6 0.000016 192.168.1.4 -> 10.1.1.1 NFS [RPC retransmission of #5]V2 CREATE Call, DH:0x9d5440aa/fil
7 0.000534 192.168.1.4 -> 10.1.1.1 NFS V2 SETATTR Call, FH:0x7233c0b2
8 0.000012 192.168.1.4 -> 10.1.1.1 NFS [RPC retransmission of #7]V2 SETATTR Call, FH:0x7233c0b2
9 0.863791 192.168.1.4 -> 10.1.1.1 NFS [RPC retransmission of #7]V2 SETATTR Call, FH:0x7233c0b2
---
On the 8th packet the system crashes.
The problem is not in the content of the packet but in the packets' frequency, as
blocking half of the NFS packets with ipfw allows the system to fulfill the
request without panic.
---
kernel trap 12 with interrupts disabled
Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address = 0x24
fault code = supervisor read, page not present
instruction pointer = 0x8:0xc0511337
stack pointer = 0x10:0xe4b45b50
frame pointer = 0x10:0xe4b45b64
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags = resume, IOPL = 0
current process = 86 (swi1: net)
trap number = 12
panic: page fault
cpuid = 0
boot() called on cpu#0
Uptime: 6m50s
---
(kgdb) bt
#0 doadump () at pcpu.h:159
#1 0xc04f2293 in boot (howto=260) at /u/src5/sys/kern/kern_shutdown.c:397
#2 0xc04f25b9 in panic (fmt=0xc064bd2f "%s")
at /u/src5/sys/kern/kern_shutdown.c:553
#3 0xc0629690 in trap_fatal (frame=0xe4b45b10, eva=36)
at /u/src5/sys/i386/i386/trap.c:809
#4 0xc0628e4d in trap (frame=
{tf_fs = -65512, tf_es = -457965552, tf_ds = -1068498928, tf_edi = -1041038560, tf_esi = -1066696864, tf_ebp = -457942172, tf_isp = -457942212, tf_ebx = -1041117680, tf_edx = -1041463000, tf_ecx = -1041462912, tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -1068428489, tf_cs = 8, tf_eflags = 65683, tf_esp = 40, tf_ss = 0}) at /u/src5/sys/i386/i386/trap.c:247
#5 0xc0617c3a in calltrap () at /u/src5/sys/i386/i386/exception.s:140
#6 0xffff0018 in ?? ()
#7 0xe4b40010 in ?? ()
#8 0xc0500010 in osethostid (td=0xc1f1ce10, uap=0x0)
at /u/src5/sys/kern/kern_xxx.c:145
#9 0xc0511af1 in turnstile_wait (ts=0xc1ec8980, lock=0xc06b7f60,
owner=0xc1f30320) at /u/src5/sys/kern/subr_turnstile.c:556
#10 0xc04e9899 in _mtx_lock_sleep (m=0xc06b7f60, td=0xc1f1ce10, opts=0,
file=0x0, line=0) at /u/src5/sys/kern/kern_mutex.c:560
#11 0xc05b05ae in nfsrv_rcv (so=0xc234b144, arg=0xc22aa280, waitflag=1)
at /u/src5/sys/nfsserver/nfs_srvsock.c:443
#12 0xc052ba6d in sowakeup (so=0xc234b144, sb=0xc234b194)
at /u/src5/sys/kern/uipc_socket2.c:413
#13 0xc0580e90 in udp_append (last=0xc234b144, ip=0xc27b4810, n=0xc278b300,
off=28) at /u/src5/sys/netinet/udp_usrreq.c:509
#14 0xc0580c93 in udp_input (m=0xc278b300, off=20)
at /u/src5/sys/netinet/udp_usrreq.c:402
#15 0xc056fd1d in ip_input (m=0xc278b300) at /u/src5/sys/netinet/ip_input.c:739
#16 0xc055c38b in netisr_processqueue (ni=0xc06b03d8)
at /u/src5/sys/net/netisr.c:233
#17 0xc055c7b6 in swi_net (dummy=0x0) at /u/src5/sys/net/netisr.c:346
#18 0xc04de181 in ithread_loop (arg=0xc1f34200)
at /u/src5/sys/kern/kern_intr.c:547
#19 0xc04dd231 in fork_exit (callout=0xc04de028 <ithread_loop>,
arg=0xc1f34200, frame=0xe4b45d48) at /u/src5/sys/kern/kern_fork.c:811
#20 0xc0617c9c in fork_trampoline () at /u/src5/sys/i386/i386/exception.s:209
---
As the GENERIC kernel panics too, the kernel config is skipped.
>How-To-Repeat:
Maybe `ipfw tee natd` can emulate my situation but I didn't try it
myself.
>Fix:
Disable UDP transport on NFS. But the problem seems to be deeper.
>Release-Note:
>Audit-Trail:
>Unformatted:
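The trigger the report describes is the client's immediate duplicate of each RPC call, visible in the `tethereal -td` trace as a retransmission arriving microseconds after the original. The following Python is an added example, not part of the PR or of FreeBSD: it parses lines in that trace format and flags retransmissions that arrive within a short window of the original call (here 1 ms, an assumed threshold), separating the back-to-back duplicates from the ordinary timeout retransmit in frame 9. The sample trace is the one quoted in the report, embedded as a constant.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the tethereal -td lines quoted in the report above.
TRACE = """\
1 0.021505 192.168.1.4 -> 10.1.1.1 NFS V2 LOOKUP Call, DH:0x3273bcaa/db
2 0.000016 192.168.1.4 -> 10.1.1.1 NFS [RPC retransmission of #1]V2 LOOKUP Call, DH:0x3273bcaa/db
3 0.010767 192.168.1.4 -> 10.1.1.1 NFS V2 LOOKUP Call, DH:0x9d5440aa/fil
4 0.000015 192.168.1.4 -> 10.1.1.1 NFS [RPC retransmission of #3]V2 LOOKUP Call, DH:0x9d5440aa/fil
5 0.011850 192.168.1.4 -> 10.1.1.1 NFS V2 CREATE Call, DH:0x9d5440aa/fil
6 0.000016 192.168.1.4 -> 10.1.1.1 NFS [RPC retransmission of #5]V2 CREATE Call, DH:0x9d5440aa/fil
7 0.000534 192.168.1.4 -> 10.1.1.1 NFS V2 SETATTR Call, FH:0x7233c0b2
8 0.000012 192.168.1.4 -> 10.1.1.1 NFS [RPC retransmission of #7]V2 SETATTR Call, FH:0x7233c0b2
9 0.863791 192.168.1.4 -> 10.1.1.1 NFS [RPC retransmission of #7]V2 SETATTR Call, FH:0x7233c0b2
"""

# frame, delta-to-previous-packet (-td), src, dst, optional retransmission tag, call info
LINE_RE = re.compile(
    r"^(?P<frame>\d+)\s+(?P<delta>[\d.]+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+NFS\s+"
    r"(?:\[RPC retransmission of #(?P<orig>\d+)\])?(?P<info>.*)$"
)

@dataclass
class Packet:
    frame: int
    delta: float
    src: str
    dst: str
    orig: Optional[int]  # frame number this packet retransmits, if any
    info: str

def parse_trace(text: str) -> List[Packet]:
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # non-NFS or unparseable lines are skipped
            pkts.append(Packet(int(m["frame"]), float(m["delta"]), m["src"], m["dst"],
                               int(m["orig"]) if m["orig"] else None, m["info"].strip()))
    return pkts

def find_immediate_retransmits(pkts: List[Packet], window: float = 0.001) -> List[Tuple[int, int, str, float]]:
    """Return (frame, original_frame, operation, gap_seconds) for every retransmission
    that arrives within `window` seconds of its original; slower ones are normal timeouts."""
    order = [p.frame for p in pkts]
    by_frame = {p.frame: p for p in pkts}
    hits = []
    for p in pkts:
        if p.orig is None or p.orig not in by_frame:
            continue
        # -td deltas are relative to the previous packet, so the gap to the original
        # is the sum of the deltas of every packet after it up to this one.
        i, j = order.index(p.orig), order.index(p.frame)
        gap = sum(by_frame[f].delta for f in order[i + 1:j + 1])
        if gap <= window:
            hits.append((p.frame, p.orig, p.info.split(",")[0], gap))
    return hits

if __name__ == "__main__":
    for frame, orig, op, gap in find_immediate_retransmits(parse_trace(TRACE)):
        print(f"frame {frame} duplicates #{orig} ({op}) after {gap * 1e6:.0f} us")
```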