Changing time causes ipv6 panics

Kris Kennaway kris at obsecurity.org
Fri Feb 10 23:14:21 PST 2006


On Sat, Feb 11, 2006 at 03:38:56PM +0900, JINMEI Tatuya / 神明達哉 wrote:
> >>>>> On Fri, 10 Feb 2006 22:50:25 -0500, 
> >>>>> Kris Kennaway <kris at obsecurity.org> said:
> 
> >> Sorry, not really (we've not got a test environment to reproduce it).
> >> But from a quick review of nd6.c, there seems to be one thing that is
> >> obviously wrong.  The possible bug has been there since rev. 1.19
> >> committed in April 2002.  We've been probably just lucky so far...
> >> 
> >> Could you try the patch attached below?  We'll probably also need to
> >> apply this fix to 4.X and 5.X.
> 
> > The patch did not fix the panic.
> 
> Hmm, but this time the point where the panic happened should be
> different.  Can you identify where it was?

I reduced the hw.physmem size and was able to get a dump:

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0xffffffff80862198
fault code              = supervisor write, protection violation
instruction pointer     = 0x8:0xffffffff80333a86
stack pointer           = 0x10:0xffffffffabc31b50
frame pointer           = 0x10:0xffffffffabc31b80
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 14 (swi4: clock sio)
Dumping 3071 MB (2 chunks)
  chunk 0: 1MB (151 pages) ... ok
  chunk 1: 3071MB (786176 pages) 3056 3040 3024 3008 2992 2976 2960 2944 2928 2912 2896 2880 2864 2848 2832 2816 2800 2784 2768 2752 2736 2720 2704 2688 2672 2656 2640 2624 2608 2592 2576 2560 2544 2528 2512 2496 2480 2464 2448 2432 2416 2400 2384 2368 2352 2336 2320 2304 2288 2272 2256 2240 2224 2208 2192 2176 2160 2144 2128 2112 2096 2080 2064 2048 2032 2016 2000 1984 1968 1952 1936 1920 1904 1888 1872 1856 1840 1824 1808 1792 1776 1760 1744 1728 1712 1696 1680 1664 1648 1632 1616 1600 1584 1568 1552 1536 1520 1504 1488 1472 1456 1440 1424 1408 1392 1376 1360 1344 1328 1312 1296 1280 1264 1248 1232 1216 1200 1184 1168 1152 1136 1120 1104 1088 1072 1056 1040 1024 1008 992 976 960 944 928 912 896 880 864 848 832 816 800 784 768 752 736 720 704 688 672 656 640 624 608 592 576 560 544 528 512 496 480 464 448 432 416 400 384 368 352 336 320 304 288 272 256 240 224 208 192 176 160 144 128 112 96 80 64 48 32 16

#0  doadump () at pcpu.h:172
172     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) bt
#0  doadump () at pcpu.h:172
#1  0xffffffff80181f31 in db_fncall (dummy1=0, dummy2=0, dummy3=0, dummy4=0x0) at ../../../ddb/db_command.c:489
#2  0xffffffff80181c80 in db_command (last_cmdp=0xffffffff805cfea8, cmd_table=0x0, aux_cmd_tablep=0xffffffff8047ebd0,
    aux_cmd_tablep_end=0xffffffff8047ebd8) at ../../../ddb/db_command.c:404
#3  0xffffffff80181da7 in db_command_loop () at ../../../ddb/db_command.c:455
#4  0xffffffff80183feb in db_trap (type=-1413277552, code=0) at ../../../ddb/db_main.c:221
#5  0xffffffff80280d0c in kdb_trap (type=12, code=0, tf=0xffffffffabc31aa0) at ../../../kern/subr_kdb.c:485
#6  0xffffffff803ea0ab in trap_fatal (frame=0xffffffffabc31aa0, eva=18446744071570858392)
    at ../../../amd64/amd64/trap.c:687
#7  0xffffffff803e9d1c in trap_pfault (frame=0xffffffffabc31aa0, usermode=0) at ../../../amd64/amd64/trap.c:609
#8  0xffffffff803e9915 in trap (frame=
      {tf_rdi = -2141607072, tf_rsi = -1096395428656, tf_rdx = 64, tf_rcx = 4, tf_r8 = 0, tf_r9 = 4, tf_rax = 80, tf_rbx = -2138693632, tf_rbp = -1413276800, tf_r10 = -1096385087968, tf_r11 = 140737488296312, tf_r12 = 0, tf_r13 = -2138689536, tf_r14 = 0, tf_r15 = -2144126592, tf_trapno = 12, tf_addr = -2138693224, tf_flags = -2750381062159859712, tf_err = 3, tf_rip = -2144126330, tf_cs = 8, tf_rflags = 66054, tf_rsp = -1413276832, tf_ss = 16})
    at ../../../amd64/amd64/trap.c:383
#9  0xffffffff803d46ab in calltrap () at ../../../amd64/amd64/exception.S:168
#10 0xffffffff80333a86 in nd6_timer (ignored_arg=0xffffffff8059ab60) at ../../../netinet6/nd6.c:585
#11 0xffffffff80270bf9 in softclock (dummy=0xffffffff8059ab60) at ../../../kern/kern_timeout.c:290
#12 0xffffffff802442a6 in ithread_execute_handlers (p=0xffffffff8059ab60, ie=0xffffff000087b800)
    at ../../../kern/kern_intr.c:662
#13 0xffffffff80244423 in ithread_loop (arg=0xffffffff8059ab60) at ../../../kern/kern_intr.c:745
#14 0xffffffff80242c4a in fork_exit (callout=0xffffffff802443b0 <ithread_loop>, arg=0xffffff00000364e0,
    frame=0xffffffffabc31c90) at ../../../kern/kern_fork.c:802
#15 0xffffffff803d4a0e in fork_trampoline () at ../../../amd64/amd64/exception.S:394
#16 0x0000000000000000 in ?? ()
Previous frame identical to this frame (corrupt stack?)
(kgdb) frame 10
#10 0xffffffff80333a86 in nd6_timer (ignored_arg=0xffffffff8059ab60) at ../../../netinet6/nd6.c:585
585                             ia6->ia6_flags |= IN6_IFF_DEPRECATED;

That's the same place it was before.  Note that this is a
use-after-free situation: memguard is monitoring the ifaddr malloc
type, and caused the panic when this code attempted to write into a
malloced structure after it had been freed.

Kris
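The diagnosis above rests on how memguard works: the watched malloc type ("ifaddr") is backed by guard pages, so the write on nd6.c:585 faults the moment it touches a freed ifaddr instead of silently corrupting whatever reuses that memory. The following user-space model, added here as an illustration and not code from this thread or from FreeBSD, shows the same mechanism: each object gets its own page, "free" revokes access to the page, and a later write by the timer path traps. The struct, the flag value, and the `guard_alloc`/`guard_free`/`run_timer_write` names are constructed for the example.

```c
/*
 * Added example (not from the thread or from FreeBSD's memguard): a
 * user-space model of a guard-page allocator.  Each object gets its own
 * page; freeing does not hand the page back to a pool but makes it
 * inaccessible, so a later write to the freed object faults at once.
 * The kernel's memguard does the same for a watched malloc type.
 */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Stand-in for in6_ifaddr with only the field the timer touches (constructed). */
struct ifaddr_model {
    unsigned ia6_flags;
};

#define IN6_IFF_DEPRECATED 0x10   /* constructed flag value for the model */

static sigjmp_buf fault_env;
static volatile sig_atomic_t fault_seen;

/* SIGSEGV handler: record the fault and unwind back to the test harness. */
static void on_segv(int sig)
{
    (void)sig;
    fault_seen = 1;
    siglongjmp(fault_env, 1);
}

/* Allocate one object on its own page (guard-page allocator). */
static void *guard_alloc(size_t len)
{
    long page = sysconf(_SC_PAGESIZE);
    void *p;

    if ((long)len > page)
        return NULL;
    p = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE,
             MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}

/* "Free" by revoking all access: the page stays mapped but unusable. */
static void guard_free(void *p)
{
    long page = sysconf(_SC_PAGESIZE);
    mprotect(p, (size_t)page, PROT_NONE);
}

/* The timer's action, mirroring the quoted nd6_timer line. */
static void deprecate(struct ifaddr_model *ia6)
{
    ia6->ia6_flags |= IN6_IFF_DEPRECATED;
}

/*
 * Run deprecate() on a guarded object, optionally after freeing it.
 * Returns 1 if the write faulted (use-after-free caught), 0 if it
 * completed normally, -1 if the allocation failed.
 */
static int run_timer_write(int free_first)
{
    struct sigaction sa, old;
    struct ifaddr_model *ia6 = guard_alloc(sizeof *ia6);
    int caught;

    if (ia6 == NULL)
        return -1;
    ia6->ia6_flags = 0;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old);

    fault_seen = 0;
    if (free_first)
        guard_free(ia6);

    if (sigsetjmp(fault_env, 1) == 0)
        deprecate(ia6);            /* traps here when ia6 was already freed */
    caught = fault_seen;

    sigaction(SIGSEGV, &old, NULL);
    if (!free_first)
        guard_free(ia6);
    return caught;
}

int main(void)
{
    printf("write before free: fault=%d\n", run_timer_write(0));
    printf("write after free:  fault=%d\n", run_timer_write(1));
    return 0;
}
```

The write before the free completes normally; the same write after the free is reported as a fault, which is exactly the behaviour that produced the "supervisor write, protection violation" trap in the dump above. Without the guard the second write would have landed in whatever the allocator handed out next, and the crash, if any, would have surfaced far from nd6_timer.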
