>Synopsis:	opening and closing bpf rapidly causes problems
>Category:	system
>Environment:
	System      : OpenBSD 7.0
	Details     : OpenBSD 7.0 (GENERIC.MP) #1332: Thu Sep 30 16:53:51 MDT 2021
			 dera...@arm64.openbsd.org:/usr/src/sys/arch/arm64/compile/GENERIC.MP

	Architecture: OpenBSD.arm64
	Machine     : arm64
>Description:
	Trying to attack a switch on my own network caused my raspberry pi to
	freeze (watchdog rebooted it).  Though after disabling watchdog it just
	froze.  Whether there is a panic I could not tell as I'm console-less and
	my dongle for serial doesn't reach the wires to my Pi where it's currently
	located.  It'd be a hardship.  Thankfully I can repeat the problem.  Other
	thankfulness is it can only be done as root in a default system.
>How-To-Repeat:
	The following program repeats this:

#include <sys/param.h>
#include <sys/time.h>
#include <sys/ioctl.h>
#include <sys/socket.h>

#include <net/bpf.h>
#include <net/if.h>

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>

int open_filter(char *interface);

int
main(void)
{
	int fd;

	/* open, bind to bse0 and close a bpf descriptor in a tight loop */
	for (int i = 0; i < 10000; i++) {
		fd = open_filter("bse0");
		if (fd < 0)
			continue;

		close(fd);
	}

	exit(0);
}

/*
 * open the bpf devices and attach them to the corresponding interface that
 * is provided
 */
int
open_filter(char *interface)
{
	struct ifreq ifr;
	char buf[PATH_MAX];
	int i = 0, fd;
	u_int hdrcomplete, dltype;

	/* take the first bpf device that is not busy */
	do {
		snprintf(buf, sizeof(buf), "/dev/bpf%d", i++);
		fd = open(buf, O_RDWR, 0);
	} while (fd < 0 && errno == EBUSY);

	if (fd < 0) {
		perror("open");
		return -1;
	}

	/* set interface on bpf */
	memset(&ifr, 0, sizeof(ifr));
	strncpy(ifr.ifr_name, interface, sizeof(ifr.ifr_name) - 1);
	if (ioctl(fd, BIOCSETIF, &ifr) < 0) {
		perror("ioctl 2");
		close(fd);
		return -1;
	}

	/* write complete frame headers */
	hdrcomplete = 1;
	if (ioctl(fd, BIOCSHDRCMPLT, &hdrcomplete) < 0) {
		perror("ioctl 3");
		close(fd);	/* do not leak the descriptor on failure */
		return -1;
	}

	/*
	 * If we're not ethernet return with -1 as there is no point opening
	 * bpf for a utility that is an ethernet spoofer
	 */
	if (ioctl(fd, BIOCGDLT, &dltype) < 0) {
		perror("ioctl 4");
		close(fd);	/* do not leak the descriptor on failure */
		return -1;
	}

	if (dltype == DLT_EN10MB)
		return (fd);

	fprintf(stderr, "dltype != DLT_EN10MB, missing -l flag?\n");
	errno = ENOSYS;
	close(fd);
	return -1;
}

>Fix:
	None provided.  Unfortunately I don't have a DDB capable console.

dmesg: