Bogus signal handler causes kernel panic (5.2.1-p8/i386)

Simon Barner barner at in.tum.de
Wed Jun 16 11:13:33 GMT 2004


Hi,

I tried the local denial of service attack described in [1], which was
reported for Linux 2.4 and 2.6 some days ago (see [2] for the original
thread in linux.kernel), on my FreeBSD 5.2.1-p8 system.

The result is a kernel panic (back trace attached).

Since des@ told me in a private mail that he could not reproduce the
panic on -CURRENT, I'd like to ask how to proceed from here.

Is the problem known to be fixed in current?
Is somebody able to reproduce this on FreeBSD 5.2.1 (I am sorry,
upgrading to -CURRENT is out of the question for me)?

Please note that the problem does not exist on FreeBSD 4.9 (the test
program simply dumps core; bt attached).

Thanks in advance for your hints,
 Simon

[1] http://linuxreviews.org/news/2004-06-11_kernel_crash/#toc1
[2] http://groups.google.de/groups?hl=de&lr=&ie=UTF-8&frame=right&th=f7580d647408b95b&seekm=26hGq-Zr-31%40gated-at.bofh.it#link1
-------------- next part --------------
Script started on Tue Jun 15 10:35:59 2004

zi025:~ % ggdb a.out a.out.core 

GNU gdb 4.18 (FreeBSD)
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...Deprecated bfd_read called at /usr/src/gnu/usr.bin/binutils/gdb/../../../../contrib/gdb/gdb/dbxread.c line 2627 in elfstab_build_psymtabs
Deprecated bfd_read called at /usr/src/gnu/usr.bin/binutils/gdb/../../../../contrib/gdb/gdb/dbxread.c line 933 in fill_symbuf

Core was generated by `a.out'.
Program terminated with signal 8, Floating point exception.
Reading symbols from /usr/lib/libc.so.4...done.
Reading symbols from /usr/libexec/ld-elf.so.1...done.
#0  0x804854f in Handler (ignore=14) at linux-kernel-crash.c:8
8	 __asm__ __volatile__ ("fsave %0\n" : : "m"(fpubuf));
(gdb) bt
#0  0x804854f in Handler (ignore=14) at linux-kernel-crash.c:8
#1  0xbfbfffac in ?? ()
#2  0x80484a6 in _start ()
(gdb) bt full
#0  0x804854f in Handler (ignore=14) at linux-kernel-crash.c:8
	fpubuf = "\000\000??????3?(?\b\000?\001\000\000\000\000\000\000??", '\000' <repeats 37 times>, "\200??\000\000\000\000\000\000\000\200??\000\000\000\000\000\000\000\200??\000\220?&\210?\017\200??\000?\215?\tK<?????\004("
#1  0xbfbfffac in ?? ()
No symbol table info available.
#2  0x80484a6 in _start ()
No symbol table info available.
(gdb) 
zi025:~ % 


Script done on Tue Jun 15 10:36:14 2004
FreeBSD zi025.glhnet.mhn.de 4.9-STABLE FreeBSD 4.9-STABLE #1: Wed Mar 10 04:01:44 CET 2004 simon at zi025.glhnet.mhn.de:/usr/src/sys/compile/KISTE i386
-------------- next part --------------
Script started on Tue Jun 15 10:40:03 2004

zi025:/home/simon # ggdb -k /v sys/compat/       i4b/comp       386/compile/KISTE/kernel.debug /var/crash/vmcore.3 2 

GNU gdb 5.2.1 (FreeBSD)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
panic: arithmetic trap
panic messages:
---
Fatal trap 6: arithmetic trap while in kernel mode
instruction pointer	= 0x8:0xc061670a
stack pointer	        = 0x10:0xcc4299e4
frame pointer	        = 0x10:0xcc4299e4
code segment		= base 0x0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, def32 1, gran 1
processor eflags	= resume, IOPL = 0
current process		= 56940 (a.out)
trap number		= 6
panic: arithmetic trap

syncing disks, buffers remaining... 1819 1819 1818 1818 1818 1818 1818 1818 1818 1818 1818 1818 1818 1818 1818 1818 1818 1818 1818 1818 1818 1818 
giving up on 1102 buffers
Uptime: 23h21m6s
Dumping 192 MB
[CTRL-C to abort] [CTRL-C to abort] [CTRL-C to abort]  16 32 48 64 80 96 112 128 144 160 176
---
Reading symbols from /boot/kernel/fdescfs.ko...done.
Loaded symbols for /boot/kernel/fdescfs.ko
Reading symbols from /boot/kernel/green_saver.ko...done.
Loaded symbols for /boot/kernel/green_saver.ko
#0  doadump () at ../../../kern/kern_shutdown.c:240
240		dumping++;
(kgdb) bt
#0  doadump () at ../../../kern/kern_shutdown.c:240
#1  0xc04f0cbb in boot (howto=256) at ../../../kern/kern_shutdown.c:372
#2  0xc04f0f91 in panic () at ../../../kern/kern_shutdown.c:550
#3  0xc0611f68 in trap_fatal (frame=0xcc4299a4, eva=0)
    at ../../../i386/i386/trap.c:821
#4  0xc0611ab4 in trap (frame=
      {tf_fs = 24, tf_es = 16, tf_ds = 16, tf_edi = 0, tf_esi = -1033510592, tf_ebp = -868050460, tf_isp = -868050480, tf_ebx = 514, tf_edx = -1033510592, tf_ecx = -868050288, tf_eax = -868050288, tf_trapno = 6, tf_err = 0, tf_eip = -1067358454, tf_cs = 8, tf_eflags = 65606, tf_esp = -868050444, tf_ss = -1067358532})
    at ../../../i386/i386/trap.c:618
#5  0xc0605998 in calltrap () at {standard input}:94
#6  0xc06166bc in npxsetregs (td=0x0, addr=0x0) at ../../../i386/isa/npx.c:954
#7  0xc060bd6b in set_fpcontext (td=0xc265e140, mcp=0x0)
    at ../../../i386/i386/machdep.c:2529
#8  0xc060a76a in sigreturn (td=0xc265e140, uap=0x0)
    at ../../../i386/i386/machdep.c:982
#9  0xc061224b in syscall (frame=
      {tf_fs = 47, tf_es = 47, tf_ds = 47, tf_edi = -1077942784, tf_esi = -1077942776, tf_ebp = -1077942856, tf_isp = -868049548, tf_ebx = 1, tf_edx = 672409248, tf_ecx = 13, tf_eax = 417, tf_trapno = 22, tf_err = 2, tf_eip = -1077936211, tf_cs = 31, tf_eflags = 582, tf_esp = -1077943720, tf_ss = 47})
    at ../../../i386/i386/trap.c:1010
#10 0xc06059ed in Xint0x80_syscall () at {standard input}:136
---Can't read userspace from dump, or kernel process---

(kgdb) bt full
#0  doadump () at ../../../kern/kern_shutdown.c:240
No locals.
#1  0xc04f0cbb in boot (howto=256) at ../../../kern/kern_shutdown.c:372
No locals.
#2  0xc04f0f91 in panic () at ../../../kern/kern_shutdown.c:550
	td = (struct thread *) 0xc265e140
	bootopt = 256
	newpanic = 0
	ap = 0xcc42994c "G\001e?"
	buf = "arithmetic trap", '\0' <repeats 240 times>
#3  0xc0611f68 in trap_fatal (frame=0xcc4299a4, eva=0)
    at ../../../i386/i386/trap.c:821
	code = 16
	type = 6
	ss = 16
	esp = 0
	softseg = {ssd_base = 0, ssd_limit = 1048575, ssd_type = 27, 
  ssd_dpl = 0, ssd_p = 1, ssd_xx = 0, ssd_xx1 = 0, ssd_def32 = 1, ssd_gran = 1}
#4  0xc0611ab4 in trap (frame=
      {tf_fs = 24, tf_es = 16, tf_ds = 16, tf_edi = 0, tf_esi = -1033510592, tf_ebp = -868050460, tf_isp = -868050480, tf_ebx = 514, tf_edx = -1033510592, tf_ecx = -868050288, tf_eax = -868050288, tf_trapno = 6, tf_err = 0, tf_eip = -1067358454, tf_cs = 8, tf_eflags = 65606, tf_esp = -868050444, tf_ss = -1067358532})
    at ../../../i386/i386/trap.c:618
	td = (struct thread *) 0xc265e140
	p = (struct proc *) 0xc265da98
	sticks = 3261455000
	i = 0
	ucode = 0
	type = 6
	code = 0
	eva = 0
#5  0xc0605998 in calltrap () at {standard input}:94
No locals.
#6  0xc06166bc in npxsetregs (td=0x0, addr=0x0) at ../../../i386/isa/npx.c:954
	s = 514
#7  0xc060bd6b in set_fpcontext (td=0xc265e140, mcp=0x0)
    at ../../../i386/i386/machdep.c:2529
	addr = (union savefpu *) 0xcc429a90
#8  0xc060a76a in sigreturn (td=0xc265e140, uap=0x0)
    at ../../../i386/i386/machdep.c:982
	uc = {uc_sigmask = {__bits = {0, 0, 0, 0}}, uc_mcontext = {
    mc_onstack = 0, mc_gs = 47, mc_fs = 47, mc_es = 47, mc_ds = 47, 
    mc_edi = -1077942784, mc_esi = -1077942776, mc_ebp = -1077942856, 
    mc_isp = -868049548, mc_ebx = 1, mc_edx = 672409248, mc_ecx = 13, 
    mc_eax = 1, mc_trapno = 12, mc_err = 2, mc_eip = 671874187, mc_cs = 31, 
    mc_eflags = 662, mc_esp = -1077942900, mc_ss = 47, mc_len = 640, 
    mc_fpformat = 65537, mc_ownedfp = 131074, mc_spare1 = {0}, mc_fpstate = {
---Type <return> to continue, or q <return> to quit---
      -60801, -65536, -1, 0, 0, 0, -65536, 613566464, -2061200823, -536854528, 
      -1, 1073451007, 0, 0, 1207959552, -1840700270, 1073775908, 0, -63161344, 
      16382, -251658240, 1073279216, 0, -286322986, 16391, 1011515392, 
      1073865788, 0 <repeats 101 times>}, mc_spare2 = {0, 0, 0, 0, 0, 0, 0, 
      0}}, uc_link = 0x0, uc_stack = {ss_sp = 0x0, ss_size = 0, ss_flags = 4}, 
  uc_flags = 0, __spare__ = {0, 0, 0, 0}}
	p = (struct proc *) 0xc265da98
	regs = (struct trapframe *) 0xcc429d48
	cs = 0
	eflags = 662
	error = 0
	ret = 0
#9  0xc061224b in syscall (frame=
      {tf_fs = 47, tf_es = 47, tf_ds = 47, tf_edi = -1077942784, tf_esi = -1077942776, tf_ebp = -1077942856, tf_isp = -868049548, tf_ebx = 1, tf_edx = 672409248, tf_ecx = 13, tf_eax = 417, tf_trapno = 22, tf_err = 2, tf_eip = -1077936211, tf_cs = 31, tf_eflags = 582, tf_esp = -1077943720, tf_ss = 47})
    at ../../../i386/i386/trap.c:1010
	params = 0xbfbfe25c---Can't read userspace from dump, or kernel process---

(kgdb) 
zi025:/home/simon # 


Script done on Tue Jun 15 10:40:48 2004
FreeBSD zi025.glhnet.mhn.de 5.2.1-RELEASE-p8 FreeBSD 5.2.1-RELEASE-p8 #1: Mon May 31 13:29:26 CEST 2004 simon at zi025.glhnet.mhn.de:/usr/src/sys/i386/compile/KISTE i386
-------------- next part --------------
#include <sys/time.h>
#include <signal.h>
#include <unistd.h>

/* SIGALRM handler: save the x87 FPU state on the stack (fsave also
 * reinitializes the FPU), write a marker, then restore the saved state
 * just before returning through sigreturn(2). */
static void Handler(int ignore)
{
 char fpubuf[108];  /* fsave/frstor use a 108-byte x87 state image */
 (void)ignore;
 __asm__ __volatile__ ("fsave %0\n" : "=m"(fpubuf));
 write(2, "*", 1);
 __asm__ __volatile__ ("frstor %0\n" : : "m"(fpubuf));
}

int main(int argc, char *argv[])
{
 struct itimerval spec;
 (void)argc;
 (void)argv;
 signal(SIGALRM, Handler);
 /* fire SIGALRM every 100 microseconds so the handler runs constantly */
 spec.it_interval.tv_sec=0;
 spec.it_interval.tv_usec=100;
 spec.it_value.tv_sec=0;
 spec.it_value.tv_usec=100;
 setitimer(ITIMER_REAL, &spec, NULL);
 /* busy loop in the main program while signals keep arriving */
 while(1)
  write(1, ".", 1);

 return 0;
}


-------------- next part --------------
Copyright (c) 1992-2004 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
	The Regents of the University of California. All rights reserved.
FreeBSD 5.2.1-RELEASE-p8 #1: Mon May 31 13:29:26 CEST 2004
    simon at zi025.glhnet.mhn.de:/usr/src/sys/i386/compile/KISTE
Preloaded elf kernel "/boot/kernel/kernel" at 0xc0753000.
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: AMD-K6(tm) 3D+ Processor (400.91-MHz 586-class CPU)
  Origin = "AuthenticAMD"  Id = 0x591  Stepping = 1
  Features=0x8021bf<FPU,VME,DE,PSE,TSC,MSR,MCE,CX8,PGE,MMX>
  AMD Features=0x80000800<SYSCALL,3DNow!>
real memory  = 201326592 (192 MB)
avail memory = 190103552 (181 MB)
netsmb_dev: loaded
K6-family MTRR support enabled (2 registers)
npx0: [FAST]
npx0: <math processor> on motherboard
npx0: INT 16 interface
pcibios: BIOS version 2.10
Using $PIR table, 5 entries at 0xc00fdde0
pcib0: <VIA 82C598MVP (Apollo MVP3) host bridge> at pcibus 0 on motherboard
pci0: <PCI bus> on pcib0
pci_cfgintr: 0:17 INTA BIOS irq 9
pci_cfgintr: 0:18 INTA BIOS irq 3
pcib1: <PCI-PCI bridge> at device 1.0 on pci0
pci1: <PCI bus> on pcib1
isab0: <PCI-ISA bridge> at device 7.0 on pci0
isa0: <ISA bus> on isab0
atapci0: <VIA 82C586B UDMA33 controller> port 0xe000-0xe00f at device 7.1 on pci0
ata0: at 0x1f0 irq 14 on atapci0
ata0: [MPSAFE]
ata1: at 0x170 irq 15 on atapci0
ata1: [MPSAFE]
xl0: <3Com 3c905-TX Fast Etherlink XL> port 0xe800-0xe83f irq 9 at device 17.0 on pci0
xl0: Ethernet address: 00:60:08:4a:00:e5
miibus0: <MII bus> on xl0
nsphy0: <DP83840 10/100 media interface> on miibus0
nsphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
pci0: <display, VGA> at device 18.0 (no driver attached)
orm0: <Option ROM> at iomem 0xc0000-0xc87ff on isa0
pmtimer0 on isa0
atkbdc0: <Keyboard controller (i8042)> at port 0x64,0x60 on isa0
atkbd0: <AT Keyboard> flags 0x1 irq 1 on atkbdc0
kbd0 at atkbd0
psm0: <PS/2 Mouse> irq 12 on atkbdc0
psm0: model Generic PS/2 mouse, device ID 0
fdc0: <Enhanced floppy controller (i82077, NE72065 or clone)> at port 0x3f7,0x3f0-0x3f5 irq 6 drq 2 on isa0
fdc0: FIFO enabled, 8 bytes threshold
fd0: <1440-KB 3.5" drive> on fdc0 drive 0
ppc0: <Parallel port> at port 0x378-0x37f irq 7 on isa0
ppc0: SMC-like chipset (ECP/EPP/PS2/NIBBLE) in COMPATIBLE mode
ppc0: FIFO with 16/16/15 bytes threshold
ppbus0: <Parallel port bus> on ppc0
lpt0: <Printer> on ppbus0
lpt0: Interrupt-driven port
ppi0: <Parallel I/O> on ppbus0
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
sio0: configured irq 4 not in bitmap of probed irqs 0
sio0: port may not be enabled
sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
sio0: type 8250 or not responding
sio1: configured irq 3 not in bitmap of probed irqs 0
sio1: port may not be enabled
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
sbc0: <ESS ES1868> at port 0x330-0x331,0x388-0x38b,0x220-0x22f irq 5 drq 0,1 on isa0
pcm0: <ESS 18xx DSP> on sbc0
ata2: <Generic ESDI/IDE/ATA controller> at port 0x36e-0x36f,0x168-0x16f irq 10 on isa0
ata2: [MPSAFE]
unknown: <PNP0303> can't assign resources (port)
unknown: <PNP0f13> can't assign resources (irq)
unknown: <PNP0700> can't assign resources (port)
unknown: <PNP0401> can't assign resources (port)
Timecounter "TSC" frequency 400911461 Hz quality 800
Timecounters tick every 10.000 msec
IP Filter: v3.4.31 initialized.  Default = block all, Logging = enabled
GEOM: create disk ad0 dp=0xc2350360
ad0: 9787MB <WDC WD102AA> [19885/16/63] at ata0-master UDMA33
acd0: CDRW <HL-DT-ST RW/DVD GCC-4120B> at ata1-master PIO4
GEOM: create disk ad3 dp=0xc2350160
ad3: 117246MB <Maxtor 6Y120L0> [238216/16/63] at ata1-slave UDMA33
GEOM: create disk cd0 dp=0xc22e7e00
cd0 at ata1 bus 0 target 0 lun 0
cd0: <HL-DT-ST RW/DVD GCC-4120B 2.02> Removable CD-ROM SCSI-0 device 
cd0: 16.000MB/s transfers
cd0: Attempt to query device size failed: NOT READY, Medium not present
Mounting root from ufs:/dev/ad0s2a