freebsd stable - Mar 2006 - threads/80435: panic on high loads

[stable is included]

On Saturday 11 March 2006 19:40, Martin wrote:
> 
> The following reply was made to PR threads/80435; it has been noted by 
GNATS.
> 
> From: Martin <nakal@nurfuerspam.de>
> To: bug-followup@FreeBSD.org
> Cc:  
> Subject: Re: threads/80435: panic on high loads
> Date: Sat, 11 Mar 2006 12:36:04 +0100
> 
>  Hi,
>  
>  I've a similar panic. Not exactly the same, but in a similar
>  situation. You can trigger it with a slightly modified fork bomb:
>  
>  #include <stdlib.h>
>  #include <unistd.h>
>  
>  int main(void)
>  {
>     while(1) {
>  	fork();
>  	malloc(1024);
>     }
>     return 0;
>  }
>  
>  
>  The resulting panic is:
>  
>  fault code = supervisor write, page not present
>  
>  backtrace:
>  pmap_qenter()
>  vm_thread_new()
>  thread_init()
>  slab_zalloc()
>  uma_zone_slab()
>  uma_zalloc_bucket()
>  uma_zalloc_arg()
>  thread_alloc()
>  proc_init()
>  slab_zalloc()
>  uma_zone_slab()
>  uma_zalloc_bucket()
>  uma_zalloc_arg()
>  fork1()
>  fork()
>  syscall()
>  Xint0x80()
>  -- syscall (2, FreeBSD ELF32, fork)
>  
>  Reproducible on: -STABLE
>  uname -a:
>  FreeBSD klotz.local 6.1-PRERELEASE FreeBSD 6.1-PRERELEASE #0: Mon Mar  6 
>  00:21:54 CET 2006     root@klotz.local:/usr/obj/usr/src/sys/KLOTZ  i386
>  
>  --
>  Martin
This bug unlikely should be reported on thread@, your code is a fork
bomb, I think it is a warning why recent days the kernel crashed by
such attack, can you reproduce it on 6.0 ?

David Xu

David Xu wrote:
> This bug unlikely should be reported on thread@, your code is a fork
> bomb, I think it is a warning why recent days the kernel crashed by
> such attack, can you reproduce it on 6.0 ?
I just appended it to a similar bug. Sorry.

I don't have access to a machine running 6.0R until tomorrow at work.

Martin

Martin wrote:
> David Xu wrote:
>> This bug unlikely should be reported on thread@, your code is a fork
>> bomb, I think it is a warning why recent days the kernel crashed by
>> such attack, can you reproduce it on 6.0 ?
6.0R seems to work fine with this fork bomb.

Martin

On Tuesday 14 March 2006 01:39, Martin wrote:
> 
> Martin wrote:
> > David Xu wrote:
> >> This bug unlikely should be reported on thread@, your code is a
fork
> >> bomb, I think it is a warning why recent days the kernel crashed
by
> >> such attack, can you reproduce it on 6.0 ?
> 
> 6.0R seems to work fine with this fork bomb.
> 
> Martin
> 
Can anyone add this to 6.1 todo list ? this definitely should be fixed before
6.1R.

David Xu

David Xu wrote:
> Can anyone add this to 6.1 todo list ? this definitely should be fixed
before
> 6.1R.
One of my friends also has found kern/94278:
http://www.freebsd.org/cgi/query-pr.cgi?pr=94278

There is no comment on it so far. This crash (without panic)
is not less important, in my opinion.

Martin

On Tuesday 14 March 2006 15:27, Martin wrote:
> 
> David Xu wrote:
> 
> > Can anyone add this to 6.1 todo list ? this definitely should be fixed
before
> > 6.1R.
> 
> One of my friends also has found kern/94278:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=94278
> 
> There is no comment on it so far. This crash (without panic)
> is not less important, in my opinion.
> 
> Martin
Yeah, fifo refuses to work if the caller did not allocate a FILE structure
for it, but ktrace insists that it should work without a FILE, it believes
a vnode is enough for everything,  I am really tired of such arch breakage.

David Xu

On Tue, Mar 14, 2006 at 04:41:32PM +0800, David Xu
wrote:
> On Tuesday 14 March 2006 15:27, Martin wrote:
> > 
> > David Xu wrote:
> > 
> > > Can anyone add this to 6.1 todo list ? this definitely should be
fixed
> before
> > > 6.1R.
> > 
> > One of my friends also has found kern/94278:
> > http://www.freebsd.org/cgi/query-pr.cgi?pr=94278
> > 
> > There is no comment on it so far. This crash (without panic)
> > is not less important, in my opinion.
> > 
> > Martin
> 
> Yeah, fifo refuses to work if the caller did not allocate a FILE structure
> for it, but ktrace insists that it should work without a FILE, it believes
> a vnode is enough for everything,  I am really tired of such arch breakage.
> 
> David Xu
In fact, the problem affects most places where kernel tries writing
to the file, because usually code does not allocate file descriptor
for write, but uses direct vnode access. I found approximately a dozen
such places. BTW, the case for fhopen seems to be remotely exploitable.

Long-term fix would be to correctly integrate fifo into VFS instead
of overloading file op structure for vnodes.

For now, please, try the following patch:

Index: compat/linux/linux_misc.c
==================================================================RCS file:
/usr/local/arch/ncvs/src/sys/compat/linux/linux_misc.c,v
retrieving revision 1.172
diff -u -r1.172 linux_misc.c
--- compat/linux/linux_misc.c	28 Dec 2005 07:08:54 -0000	1.172
+++ compat/linux/linux_misc.c	14 Mar 2006 11:45:57 -0000
@@ -310,6 +310,21 @@
 	 * XXX: This should use vn_open() so that it is properly authorized,
 	 * and to reduce code redundancy all over the place here.
 	 */
+	if (vp->v_type == VLNK) {
+		error = EMLINK;
+		goto cleanup;
+	}
+	if (vp->v_type == VSOCK) {
+		error = EOPNOTSUPP;
+		goto cleanup;
+	}
+	if (vp->v_type == VFIFO) {
+		/* Due to way fifo works (by overloading f_ops),
+		 * tricking kernel into write to the fifo leads to
+		 * panic. Make a band-aid to filter the case. */
+		error = EOPNOTSUPP;
+		goto cleanup;
+	}
 #ifdef MAC
 	error = mac_check_vnode_open(td->td_ucred, vp, FREAD);
 	if (error)
Index: fs/fifofs/fifo_vnops.c
==================================================================RCS file:
/usr/local/arch/ncvs/src/sys/fs/fifofs/fifo_vnops.c,v
retrieving revision 1.132
diff -u -r1.132 fifo_vnops.c
--- fs/fifofs/fifo_vnops.c	1 Oct 2005 20:15:41 -0000	1.132
+++ fs/fifofs/fifo_vnops.c	14 Mar 2006 11:46:07 -0000
@@ -168,6 +168,7 @@
 		int  a_mode;
 		struct ucred *a_cred;
 		struct thread *a_td;
+		int a_fdidx;
 	} */ *ap;
 {
 	struct vnode *vp = ap->a_vp;
Index: kern/vfs_syscalls.c
==================================================================RCS file:
/usr/local/arch/ncvs/src/sys/kern/vfs_syscalls.c,v
retrieving revision 1.411
diff -u -r1.411 vfs_syscalls.c
--- kern/vfs_syscalls.c	4 Mar 2006 00:09:09 -0000	1.411
+++ kern/vfs_syscalls.c	14 Mar 2006 11:46:10 -0000
@@ -4101,6 +4101,13 @@
 		error = EOPNOTSUPP;
 		goto bad;
 	}
+	if (vp->v_type == VFIFO) {
+		/* Due to way fifo works (by overloading f_ops),
+		 * tricking kernel into write to the fifo leads to
+		 * panic. Make a band-aid to filter the case. */
+		error = EOPNOTSUPP;
+		goto bad;
+	}
 	mode = 0;
 	if (fmode & (FWRITE | O_TRUNC)) {
 		if (vp->v_type == VDIR) {
Index: kern/vfs_vnops.c
==================================================================RCS file:
/usr/local/arch/ncvs/src/sys/kern/vfs_vnops.c,v
retrieving revision 1.238
diff -u -r1.238 vfs_vnops.c
--- kern/vfs_vnops.c	11 Mar 2006 17:14:05 -0000	1.238
+++ kern/vfs_vnops.c	14 Mar 2006 11:46:10 -0000
@@ -194,6 +194,13 @@
 		error = EOPNOTSUPP;
 		goto bad;
 	}
+	if ((vp->v_type == VFIFO) && (fdidx < 0)) {
+		/* Due to way fifo works (by overloading f_ops),
+		 * tricking kernel into write to the fifo leads to
+		 * panic. Make a band-aid to filter the case. */
+		error = EOPNOTSUPP;
+		goto bad;
+	}
 	mode = 0;
 	if (fmode & (FWRITE | O_TRUNC)) {
 		if (vp->v_type == VDIR) {

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url :
http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20060314/cc357746/attachment.pgp

Sorry for garbled patch. I do not know why mutt decided to encode
some "=" as =3D.


Index: compat/linux/linux_misc.c
==================================================================RCS file:
/usr/local/arch/ncvs/src/sys/compat/linux/linux_misc.c,v
retrieving revision 1.172
diff -u -r1.172 linux_misc.c
--- compat/linux/linux_misc.c	28 Dec 2005 07:08:54 -0000	1.172
+++ compat/linux/linux_misc.c	14 Mar 2006 11:45:57 -0000
@@ -310,6 +310,21 @@
 	 * XXX: This should use vn_open() so that it is properly authorized,
 	 * and to reduce code redundancy all over the place here.
 	 */
+	if (vp->v_type == VLNK) {
+		error = EMLINK;
+		goto cleanup;
+	}
+	if (vp->v_type == VSOCK) {
+		error = EOPNOTSUPP;
+		goto cleanup;
+	}
+	if (vp->v_type == VFIFO) {
+		/* Due to way fifo works (by overloading f_ops),
+		 * tricking kernel into write to the fifo leads to
+		 * panic. Make a band-aid to filter the case. */
+		error = EOPNOTSUPP;
+		goto cleanup;
+	}
 #ifdef MAC
 	error = mac_check_vnode_open(td->td_ucred, vp, FREAD);
 	if (error)
Index: fs/fifofs/fifo_vnops.c
==================================================================RCS file:
/usr/local/arch/ncvs/src/sys/fs/fifofs/fifo_vnops.c,v
retrieving revision 1.132
diff -u -r1.132 fifo_vnops.c
--- fs/fifofs/fifo_vnops.c	1 Oct 2005 20:15:41 -0000	1.132
+++ fs/fifofs/fifo_vnops.c	14 Mar 2006 11:46:07 -0000
@@ -168,6 +168,7 @@
 		int  a_mode;
 		struct ucred *a_cred;
 		struct thread *a_td;
+		int a_fdidx;
 	} */ *ap;
 {
 	struct vnode *vp = ap->a_vp;
Index: kern/vfs_syscalls.c
==================================================================RCS file:
/usr/local/arch/ncvs/src/sys/kern/vfs_syscalls.c,v
retrieving revision 1.411
diff -u -r1.411 vfs_syscalls.c
--- kern/vfs_syscalls.c	4 Mar 2006 00:09:09 -0000	1.411
+++ kern/vfs_syscalls.c	14 Mar 2006 11:46:10 -0000
@@ -4101,6 +4101,13 @@
 		error = EOPNOTSUPP;
 		goto bad;
 	}
+	if (vp->v_type == VFIFO) {
+		/* Due to way fifo works (by overloading f_ops),
+		 * tricking kernel into write to the fifo leads to
+		 * panic. Make a band-aid to filter the case. */
+		error = EOPNOTSUPP;
+		goto bad;
+	}
 	mode = 0;
 	if (fmode & (FWRITE | O_TRUNC)) {
 		if (vp->v_type == VDIR) {
Index: kern/vfs_vnops.c
==================================================================RCS file:
/usr/local/arch/ncvs/src/sys/kern/vfs_vnops.c,v
retrieving revision 1.238
diff -u -r1.238 vfs_vnops.c
--- kern/vfs_vnops.c	11 Mar 2006 17:14:05 -0000	1.238
+++ kern/vfs_vnops.c	14 Mar 2006 11:46:10 -0000
@@ -194,6 +194,13 @@
 		error = EOPNOTSUPP;
 		goto bad;
 	}
+	if ((vp->v_type == VFIFO) && (fdidx < 0)) {
+		/* Due to way fifo works (by overloading f_ops),
+		 * tricking kernel into write to the fifo leads to
+		 * panic. Make a band-aid to filter the case. */
+		error = EOPNOTSUPP;
+		goto bad;
+	}
 	mode = 0;
 	if (fmode & (FWRITE | O_TRUNC)) {
 		if (vp->v_type == VDIR) {
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url :
http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20060314/f597eeec/attachment.pgp

On Tuesday 14 March 2006 21:02, Kostik Belousov wrote:
> Sorry for garbled patch. I do not know why mutt decided to encode
> some "=" as =3D.
> 
> 
> Index: compat/linux/linux_misc.c
> ==================================================================> RCS
file: /usr/local/arch/ncvs/src/sys/compat/linux/linux_misc.c,v
> retrieving revision 1.172
> diff -u -r1.172 linux_misc.c
> --- compat/linux/linux_misc.c	28 Dec 2005 07:08:54 -0000	1.172
> +++ compat/linux/linux_misc.c	14 Mar 2006 11:45:57 -0000
> @@ -310,6 +310,21 @@
>  	 * XXX: This should use vn_open() so that it is properly authorized,
>  	 * and to reduce code redundancy all over the place here.
>  	 */
> +	if (vp->v_type == VLNK) {
> +		error = EMLINK;
> +		goto cleanup;
> +	}
> +	if (vp->v_type == VSOCK) {
> +		error = EOPNOTSUPP;
> +		goto cleanup;
> +	}
> +	if (vp->v_type == VFIFO) {
> +		/* Due to way fifo works (by overloading f_ops),
> +		 * tricking kernel into write to the fifo leads to
> +		 * panic. Make a band-aid to filter the case. */
> +		error = EOPNOTSUPP;
> +		goto cleanup;
> +	}
>  #ifdef MAC
>  	error = mac_check_vnode_open(td->td_ucred, vp, FREAD);
>  	if (error)
> Index: fs/fifofs/fifo_vnops.c
> ==================================================================> RCS
file: /usr/local/arch/ncvs/src/sys/fs/fifofs/fifo_vnops.c,v
> retrieving revision 1.132
> diff -u -r1.132 fifo_vnops.c
> --- fs/fifofs/fifo_vnops.c	1 Oct 2005 20:15:41 -0000	1.132
> +++ fs/fifofs/fifo_vnops.c	14 Mar 2006 11:46:07 -0000
> @@ -168,6 +168,7 @@
>  		int  a_mode;
>  		struct ucred *a_cred;
>  		struct thread *a_td;
> +		int a_fdidx;
>  	} */ *ap;
>  {
>  	struct vnode *vp = ap->a_vp;
> Index: kern/vfs_syscalls.c
> ==================================================================> RCS
file: /usr/local/arch/ncvs/src/sys/kern/vfs_syscalls.c,v
> retrieving revision 1.411
> diff -u -r1.411 vfs_syscalls.c
> --- kern/vfs_syscalls.c	4 Mar 2006 00:09:09 -0000	1.411
> +++ kern/vfs_syscalls.c	14 Mar 2006 11:46:10 -0000
> @@ -4101,6 +4101,13 @@
>  		error = EOPNOTSUPP;
>  		goto bad;
>  	}
> +	if (vp->v_type == VFIFO) {
> +		/* Due to way fifo works (by overloading f_ops),
> +		 * tricking kernel into write to the fifo leads to
> +		 * panic. Make a band-aid to filter the case. */
> +		error = EOPNOTSUPP;
> +		goto bad;
> +	}
>  	mode = 0;
>  	if (fmode & (FWRITE | O_TRUNC)) {
>  		if (vp->v_type == VDIR) {
> Index: kern/vfs_vnops.c
> ==================================================================> RCS
file: /usr/local/arch/ncvs/src/sys/kern/vfs_vnops.c,v
> retrieving revision 1.238
> diff -u -r1.238 vfs_vnops.c
> --- kern/vfs_vnops.c	11 Mar 2006 17:14:05 -0000	1.238
> +++ kern/vfs_vnops.c	14 Mar 2006 11:46:10 -0000
> @@ -194,6 +194,13 @@
>  		error = EOPNOTSUPP;
>  		goto bad;
>  	}
> +	if ((vp->v_type == VFIFO) && (fdidx < 0)) {
> +		/* Due to way fifo works (by overloading f_ops),
> +		 * tricking kernel into write to the fifo leads to
> +		 * panic. Make a band-aid to filter the case. */
> +		error = EOPNOTSUPP;
> +		goto bad;
> +	}
>  	mode = 0;
>  	if (fmode & (FWRITE | O_TRUNC)) {
>  		if (vp->v_type == VDIR) {
> 
I know, someone will work out such a messy patch, but is it reasonable ?
why does not the fifi code suddenly work with well defined vnode interface ?
why did someone want to break the well defined FILE->vnode->fs->device
layers ? sigh.

David Xu

On Tue, Mar 14, 2006 at 09:17:49PM +0800, David Xu
wrote:
> I know, someone will work out such a messy patch, but is it reasonable ?
> why does not the fifi code suddenly work with well defined vnode interface
?
> why did someone want to break the well defined
FILE->vnode->fs->device
> layers ? sigh.
From CVS history for sys/fs/fifofs//fifo_vnops.c:

Revision 1.105 Wed Nov 17 07:30:02 2004 UTC (15 months, 3 weeks ago) by phk

 Make vnode bypass for fifos (read, write, poll) mandatory.

Revision 1.104 Mon Nov 15 14:51:44 2004 UTC (15 months, 3 weeks ago) by phk

 Add file ops to fifofs so that we can bypass vnodes (and Giant) for the
 heavy-duty operations (read, write, poll/select, kqueue).

 Disabled for now, enable with "vfs.fifofs.fops=1" in loader.conf.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url :
http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20060314/2ee2cfd0/attachment.pgp