[Bug 246182] Kernel panic with sendfile() on ext2fs mounted filesystems
bugzilla-noreply at freebsd.org
Mon May 4 17:43:30 UTC 2020
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=246182
Bug ID: 246182
Summary: Kernel panic with sendfile() on ext2fs mounted filesystems
Product: Base System
Version: 12.1-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: bugs at FreeBSD.org
Reporter: sega01 at go-beyond.org
sendfile() with ext2fs can cause a kernel panic.
Tested on 12.1-RELEASE with x86_64 and ARMv7.
Steps:
1. Mount a filesystem with ext2fs.
2. open() a file under the mount point. Bigger files seem to work best, like
1GiB or so.
3. sendfile() that file descriptor to the socket of your choice (127.0.0.1 on
some listening port that won't disconnect is fine, like nc -l 1234 >
/dev/null).
It seems to be kind of random for when the kernel panics, but it happens
inevitably. I've had it take anywhere from a second to maybe 10-20. Data
speed seems to have an effect, but maybe it's just the total amount
transferred. I'm not sure.
A web server like nginx that gives access to files mounted with ext2fs can
trigger this if it's set up to use sendfile (I think most are). Or any user
with access to an ext2fs mounted partition can trigger it. Does not have
to be run as root.
I don't know if this can be skillfully exploited to give something more
interesting than a kernel panic or not.
Sample code to help with testing:
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <fcntl.h>

char *self;
#define destinationPort 1234

int main(int argc, char **argv) {
    self = argv[0];
    if (argc != 2) {
        fprintf(stderr, "Usage: %s <file>\n", self);
        return(2);
    }

    /* Source file; for the test it lives under the ext2fs mount point. */
    int srcfp = open(argv[1], O_RDONLY);
    if (srcfp < 0) {
        perror("open");
        return(1);
    }

    int destinationSocket;
    if ((destinationSocket = socket(PF_INET, SOCK_STREAM, 0)) < 0) {
        perror("socket");
        return(1);
    }

    /* Connect to a listener on 127.0.0.1:destinationPort. */
    struct sockaddr_in sa;
    bzero(&sa, sizeof(sa));
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(destinationPort);
    if (connect(destinationSocket, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
        perror("connect");
        return(1);
    }

    /* offset 0, nbytes 0: send the whole file, from the start to EOF. */
    if (sendfile(srcfp, destinationSocket, 0, 0, NULL, 0, 0) != 0) {
        perror("sendfile");
        return(1);
    }

    close(srcfp);
    close(destinationSocket);
    return(0);
}
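An exposure check for the nginx case described in the report, added here as an example (not part of the original bug report or of FreeBSD): it lists nginx document roots that sit on an ext2fs mount while sendfile is enabled. The function names and sample data are constructed for illustration, and the config parsing is a simplification that assumes one directive per line and treats "sendfile on" anywhere in the config as applying to every root.

```shell
#!/bin/sh
# Added example: find nginx roots served with sendfile from an ext2fs mount.

# Read fstab-format lines (as printed by `mount -p`) on stdin and print
# the mount points whose filesystem type is ext2fs.
ext2fs_mounts() {
    awk '$3 == "ext2fs" { print $2 }'
}

# Read nginx config text on stdin and print every "root" path.
nginx_roots() {
    awk '{ sub(/#.*/, "") } $1 == "root" { sub(/;$/, "", $2); print $2 }'
}

# Succeed if the nginx config on stdin contains "sendfile on".
sendfile_enabled() {
    awk '{ sub(/#.*/, "") }
         $1 == "sendfile" && $2 ~ /^on;?$/ { found = 1 }
         END { exit !found }'
}

# exposed_roots MOUNT_TEXT CONF_TEXT
# Print roots that lie on an ext2fs mount, if sendfile is enabled.
# Assumes mount points without whitespace.
exposed_roots() {
    printf '%s\n' "$2" | sendfile_enabled || return 0
    mps=$(printf '%s\n' "$1" | ext2fs_mounts)
    printf '%s\n' "$2" | nginx_roots | while read -r root; do
        for mp in $mps; do
            case "$root/" in
                "${mp%/}/"*) echo "$root"; break ;;
            esac
        done
    done
}

# Constructed sample input (not taken from a real host).
SAMPLE_MOUNTS='/dev/ada0p2 / ufs rw 1 1
/dev/da0s1 /mnt/ext2 ext2fs rw 0 0'
SAMPLE_CONF='http {
    sendfile on;
    server {
        root /mnt/ext2/www;
    }
    server {
        root /usr/local/www;  # on UFS
    }
}'
exposed_roots "$SAMPLE_MOUNTS" "$SAMPLE_CONF"
```

On a live host the inputs would be "$(mount -p)" and "$(nginx -T 2>/dev/null)". This covers only the web server path; the report notes that any user with access to the ext2fs mount can call sendfile() directly.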