On Mon, May 13, 2013 at 08:40:07PM +0200, Peter J. Philipp wrote:

Hi,

I've had some time to isolate the function where it's panicking, and it's
not panicking in the BPF; that was my mistake. However, it does panic in
another function. I have written a test program, and any unprivileged user
on the local system can panic the -current kernel. Please contact me off
list so I can provide you a sample program. I will only email an
@openbsd.org address with the code.

-peter

> OpenBSD 5.3-current (SATURN) #19: Sat May 11 23:27:19 CEST 2013
> [email protected]:/usr/src/sys/arch/amd64/compile/SATURN
> RTC BIOS diagnostic error 80<clock_battery>
> real mem = 3987992576 (3803MB)
> avail mem = 3874119680 (3694MB)
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xe3e70 (51 entries)
> bios0: vendor Acer version "V1.08" date 12/06/2011
> bios0: Acer AO722
> acpi0 at bios0: rev 2
> acpi0: sleep states S0 S3 S4 S5
> acpi0: tables DSDT FACP HPET APIC MCFG BOOT SLIC SSDT SSDT
> acpi0: wakeup devices SPB2(S4) GEC_(S4) USB0(S3) USB4(S3) P2P_(S5)
> acpitimer0 at acpi0: 3579545 Hz, 32 bits
> acpihpet0 at acpi0: 14318180 Hz
> acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: AMD C-60 APU with Radeon(tm) HD Graphics, 998.33 MHz
> cpu0:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,SSSE3,CX16,POPCNT,NXE,MMXX,FFXSR,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,IBS,SKINIT,ITSC
> cpu0: 32KB 64b/line 2-way I-cache, 32KB 64b/line 8-way D-cache, 512KB
> 64b/line 16-way L2 cache
> cpu0: 8 4MB entries fully associative
> cpu0: DTLB 40 4KB entries fully associative, 8 4MB entries fully associative
> cpu0: apic clock running at 199MHz
> cpu1 at mainbus0: apid 1 (application processor)
> cpu1: AMD C-60 APU with Radeon(tm) HD Graphics, 997.50 MHz
> cpu1:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,SSSE3,CX16,POPCNT,NXE,MMXX,FFXSR,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,IBS,SKINIT,ITSC
> cpu1: 32KB 64b/line 2-way I-cache, 32KB 64b/line 8-way D-cache, 512KB
> 64b/line 16-way L2 cache
> cpu1: 8 4MB entries fully associative
> cpu1: DTLB 40 4KB entries fully associative, 8 4MB entries fully associative
> ioapic0 at mainbus0: apid 4 pa 0xfec00000, version 21, 24 pins
> ioapic0: misconfigured as apic 0, remapped to apid 4
> acpimcfg0 at acpi0 addr 0xf8000000, bus 0-63
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpiprt1 at acpi0: bus -1 (PB2_)
> acpiprt2 at acpi0: bus -1 (PB3_)
> acpiprt3 at acpi0: bus -1 (PB4_)
> acpiprt4 at acpi0: bus -1 (PB5_)
> acpiprt5 at acpi0: bus -1 (PB6_)
> acpiprt6 at acpi0: bus -1 (PB7_)
> acpiprt7 at acpi0: bus 2 (SPB0)
> acpiprt8 at acpi0: bus -1 (SPB1)
> acpiprt9 at acpi0: bus 6 (SPB2)
> acpiprt10 at acpi0: bus 7 (SPB3)
> acpiprt11 at acpi0: bus 1 (P2P_)
> acpiec0 at acpi0
> acpicpu0 at acpi0: C2, PSS
> acpicpu1 at acpi0: C2, PSS
> acpibtn0 at acpi0: PWRB
> acpibtn1 at acpi0: SLPB
> acpibat0 at acpi0: BAT1 model "13848633228217409" serial 417d type Lion oem
> "Sanyo "
> acpiac0 at acpi0: AC unit online
> acpibtn2 at acpi0: LID_
> acpivideo0 at acpi0: VGA_
> acpivout0 at acpivideo0: LCD_
> acpivideo1 at acpi0: VGA_
> acpivideo2 at acpi0: VGA_
> cpu0: 998 MHz: speeds: 1000 800 MHz
> pci0 at mainbus0 bus 0
> pchb0 at pci0 dev 0 function 0 "AMD AMD64 14h Host" rev 0x00
> vga1 at pci0 dev 1 function 0 vendor "ATI", unknown product 0x9807 rev 0x00
> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> azalia0 at pci0 dev 1 function 1 "ATI Radeon HD 6310 HD Audio" rev 0x00: msi
> azalia0: no supported codecs
> ahci0 at pci0 dev 17 function 0 "ATI SBx00 SATA" rev 0x00: apic 4 int 19,
> AHCI 1.2
> scsibus0 at ahci0: 32 targets
> sd0 at scsibus0 targ 0 lun 0: <ATA, WDC WD3200BPVT-2, 01.0> SCSI3 0/direct
> fixed naa.50014ee25be3a7df
> sd0: 305245MB, 512 bytes/sector, 625142448 sectors
> ohci0 at pci0 dev 18 function 0 "ATI SB700 USB" rev 0x00: apic 4 int 18,
> version 1.0, legacy support
> ehci0 at pci0 dev 18 function 2 "ATI SB700 USB2" rev 0x00: apic 4 int 17
> usb0 at ehci0: USB revision 2.0
> uhub0 at usb0 "ATI EHCI root hub" rev 2.00/1.00 addr 1
> ohci1 at pci0 dev 19 function 0 "ATI SB700 USB" rev 0x00: apic 4 int 18,
> version 1.0, legacy support
> ehci1 at pci0 dev 19 function 2 "ATI SB700 USB2" rev 0x00: apic 4 int 17
> usb1 at ehci1: USB revision 2.0
> uhub1 at usb1 "ATI EHCI root hub" rev 2.00/1.00 addr 1
> piixpm0 at pci0 dev 20 function 0 "ATI SBx00 SMBus" rev 0x42: polling
> iic0 at piixpm0
> spdmem0 at iic0 addr 0x50: 4GB DDR3 SDRAM PC3-10600 SO-DIMM
> azalia1 at pci0 dev 20 function 2 "ATI SBx00 HD Audio" rev 0x40: apic 4 int 16
> azalia1: codecs: Conexant/0x506c
> audio0 at azalia1
> pcib0 at pci0 dev 20 function 3 "ATI SB700 ISA" rev 0x40
> ppb0 at pci0 dev 20 function 4 "ATI SB600 PCI" rev 0x40
> pci1 at ppb0 bus 1
> ppb1 at pci0 dev 21 function 0 "ATI SB800 PCIE" rev 0x00: msi
> pci2 at ppb1 bus 2
> ppb2 at pci0 dev 21 function 2 "ATI SB800 PCIE" rev 0x00
> pci3 at ppb2 bus 6
> alc0 at pci3 dev 0 function 0 "Attansic Technology L2C" rev 0xc1: msi,
> address dc:0e:a1:54:ba:16
> atphy0 at alc0 phy 0: F2 10/100 PHY, rev. 5
> ppb3 at pci0 dev 21 function 3 "ATI SB800 PCIE" rev 0x00
> pci4 at ppb3 bus 7
> "Atheros AR9485" rev 0x01 at pci4 dev 0 function 0 not configured
> pchb1 at pci0 dev 24 function 0 "AMD AMD64 14h Link Cfg" rev 0x43
> pchb2 at pci0 dev 24 function 1 "AMD AMD64 14h Address Map" rev 0x00
> pchb3 at pci0 dev 24 function 2 "AMD AMD64 14h DRAM Cfg" rev 0x00
> km0 at pci0 dev 24 function 3 "AMD AMD64 14h Misc Cfg" rev 0x00
> pchb4 at pci0 dev 24 function 4 "AMD AMD64 14h CPU Power" rev 0x00
> pchb5 at pci0 dev 24 function 5 "AMD AMD64 14h Reserved" rev 0x00
> pchb6 at pci0 dev 24 function 6 "AMD AMD64 14h NB Power" rev 0x00
> pchb7 at pci0 dev 24 function 7 "AMD AMD64 14h Reserved" rev 0x00
> usb2 at ohci0: USB revision 1.0
> uhub2 at usb2 "ATI OHCI root hub" rev 1.00/1.00 addr 1
> usb3 at ohci1: USB revision 1.0
> uhub3 at usb3 "ATI OHCI root hub" rev 1.00/1.00 addr 1
> isa0 at pcib0
> isadma0 at isa0
> pckbc0 at isa0 port 0x60/5
> pckbd0 at pckbc0 (kbd slot)
> pckbc0: using irq 1 for kbd slot
> wskbd0 at pckbd0: console keyboard, using wsdisplay0
> pms0 at pckbc0 (aux slot #0)
> pckbc0: using irq 12 for aux slot #0
> wsmouse0 at pms0 mux 0
> pms0: Elantech Touchpad, version 2
> pcppi0 at isa0 port 0x61
> spkr0 at pcppi0
> mtrr: Pentium Pro MTRR support
> urtwn0 at uhub0 port 2 "Belkin Components RTL8192CU" rev 2.00/2.00 addr 2
> urtwn0: MAC/BB RTL8192CU, RF 6052 2T2R, address ec:1a:59:0d:fa:1c
> uvideo0 at uhub1 port 1 configuration 1 interface 0 "Chicony Electronics Co.,
> Ltd. WebCam" rev 2.00/82.57 addr 2
> video0 at uvideo0
> vscsi0 at root
> scsibus1 at vscsi0: 256 targets
> softraid0 at root
> scsibus2 at softraid0: 256 targets
> root on sd0a (b7929eff445098b7.a) swap on sd0b dump on sd0b
> usb_transfer_complete: actlen > len -15996 > 4
> usb_transfer_complete: actlen > len -15988 > 4
> panic: rtfree 2
> Stopped at Debugger+0x5: leave
> RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
> IF RUNNING SMP, USE 'mach ddbcpu <#>' AND 'trace' ON OTHER PROCESSORS, TOO.
> DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
> ddb{0}> Debugger() at Debugger+0x5
> panic() at panic+0xe4
> rtfree() at rtfree+0xf4
> route_output() at route_output+0x29b
> raw_usrreq() at raw_usrreq+0x227
> route_usrreq() at route_usrreq+0x6e
> sosend() at sosend+0x473
> sendit() at sendit+0x1b8
> sys_sendto() at sys_sendto+0x55
> syscall() at syscall+0x249
> --- syscall (number 133) ---
> end of kernel
> end trace frame: 0x3, count: -10
>
> The ps got lost because a boot reboot did not reboot the netbook. I had to
> cold-cycle it, and thank goodness the panic trace was still there.
>
> You got the dmesg and the backtrace; that's all I can send you. If you're
> interested in the spoofer, I can't send you that. But for what it's worth,
> I can give you details. I was accidentally not including a destination
> address in the spoofer, so the ip_dst would have been zeroed; it panicked
> on that.
>
> Cheers,
> -peter
