From root@burrito.p2p.nttmcl.com Fri Mar 27 23:16:48 2009
Return-Path:
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
        by hub.freebsd.org (Postfix) with ESMTP id 2991A1065673
        for ; Fri, 27 Mar 2009 23:16:48 +0000 (UTC)
        (envelope-from root@burrito.p2p.nttmcl.com)
Received: from burrito.p2p.nttmcl.com (burrito.p2p.nttmcl.com [IPv6:2001:418:200:105::39])
        by mx1.freebsd.org (Postfix) with ESMTP id 050D78FC0A
        for ; Fri, 27 Mar 2009 23:16:47 +0000 (UTC)
        (envelope-from root@burrito.p2p.nttmcl.com)
Received: from burrito.p2p.nttmcl.com (localhost.p2p.nttmcl.com [127.0.0.1])
        by burrito.p2p.nttmcl.com (8.14.3/8.14.3) with ESMTP id n2RNA9Ik001424
        for ; Fri, 27 Mar 2009 16:10:09 -0700 (PDT)
        (envelope-from root@burrito.p2p.nttmcl.com)
Received: (from root@localhost)
        by burrito.p2p.nttmcl.com (8.14.3/8.14.3/Submit) id n2RNA985001423;
        Fri, 27 Mar 2009 16:10:09 -0700 (PDT)
        (envelope-from root)
Message-Id: <200903272310.n2RNA985001423@burrito.p2p.nttmcl.com>
Date: Fri, 27 Mar 2009 16:10:09 -0700 (PDT)
From: "Eugene M. Kim" <20080111.freebsd.org@ab.ote.we.lv>
Reply-To: "Eugene M. Kim" <20080111.freebsd.org@ab.ote.we.lv>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: Kernel panic with ubsec and cryptodev; induced by non-root users
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         133143
>Category:       kern
>Synopsis:       [ubsec] [panic] Kernel panic with ubsec and cryptodev; induced by non-root users
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Mar 27 23:20:03 UTC 2009
>Closed-Date:    Tue Feb 22 19:33:03 EST 2011
>Last-Modified:  Tue Feb 22 19:33:03 EST 2011
>Originator:     Eugene M. Kim
>Release:        FreeBSD 6.4-RELEASE i386
>Organization:
>Environment:
System: FreeBSD paperboy.dev.p2p.nttmcl.com 6.4-RELEASE FreeBSD 6.4-RELEASE #1 r190431: Wed Mar 25 19:58:05 PDT 2009 root@burrito.p2p.nttmcl.com:/usr/obj/usr/src/sys/PAPERBOY i386

Hardware: Dell PowerEdge R300 with:
-- Intel Xeon E3110 - dual-core, 3.0GHz
-- 4GB memory (3326MB visible to the non-PAE kernel)
-- PCI-X riser card
-- Broadcom BCM95821SSN PCI-X cryptographic accelerator card

Kernel configuration:

--- BEGIN src/sys/i386/conf/PAPERBOY ---
include SMP
ident PAPERBOY
makeoptions DEBUG=-g
options KDB
options KDB_TRACE
options DDB
options GDB
options BREAK_TO_DEBUGGER
#options ALT_BREAK_TO_DEBUGGER
options INVARIANTS
options INVARIANT_SUPPORT
options FAST_IPSEC
device crypto
device cryptodev
device ubsec
options UBSEC_DEBUG
--- END src/sys/i386/conf/PAPERBOY ---

>Description:
The kernel randomly panics when running a multithreaded OpenSSL performance
test program (even as a non-root user), with increasing panic probability as
the number of threads used by the test program increases.

The test program is available at (link valid for 3 years):

http://purple.the-7.net/~ab/Temporary/GORCuns5zR/evptest.tar.bz2

--- BEGIN panic message ---
Memory modified after free 0xc9049000(4092) val=54c0f2f9 @ 0xc9049138
panic: Most recently used by devbuf

cpuid = 1
KDB: enter: panic
--- END panic message ---

The following stack trace was obtained via a remote GDB session; some argument
values do not make sense (e.g. the size argument given to mtrash_ctor(), which
should be 4092 but is negative); it might be a bug in GDB itself.

--- BEGIN stack trace ---
#0  0xc06d75bb in kdb_enter (msg=0x12) at cpufunc.h:60
#1  0xc06beb9b in panic (fmt=0xc09f730e "Most recently used by %s\n")
    at /usr/src/sys/kern/kern_shutdown.c:550
#2  0xc084b35d in mtrash_ctor (mem=0xc9049000, size=-1052561408, arg=0x0, flags=1)
    at /usr/src/sys/vm/uma_dbg.c:137
#3  0xc08494af in uma_zalloc_arg (zone=0xc1461b40, udata=0x0, flags=1)
    at /usr/src/sys/vm/uma_core.c:1849
#4  0xc06b3cba in malloc (size=3600, mtp=0xc0a5c100, flags=1) at uma.h:277
#5  0xc0638f4b in ubsec_newsession (arg=0xc8830000, sidp=0xeb188bfc, cri=0x12)
    at /usr/src/sys/dev/ubsec/ubsec.c:947
#6  0xc07d8c68 in crypto_newsession (sid=0xeb188c2c, cri=0xeb188c34, hard=1)
    at /usr/src/sys/opencrypto/crypto.c:354
#7  0xc07da1e5 in cryptof_ioctl (fp=0x12, cmd=3223085925, data=0x0,
    active_cred=0xc8ef0800, td=0xc902c480)
    at /usr/src/sys/opencrypto/cryptodev.c:264
#8  0xc06e2486 in ioctl (td=0xc902c480, uap=0xeb188d04) at file.h:265
#9  0xc0948b3f in syscall (frame=
      {tf_fs = -1081147333, tf_es = 672464955, tf_ds = -1081147333,
       tf_edi = 135852444, tf_esi = -1128460528, tf_ebp = -1128460648,
       tf_isp = -350712476, tf_ebx = 672572564, tf_edx = 0,
       tf_ecx = 135852416, tf_eax = 54, tf_trapno = 22, tf_err = 2,
       tf_eip = 673530195, tf_cs = 51, tf_eflags = 2097670,
       tf_esp = -1128460692, tf_ss = 59})
    at /usr/src/sys/i386/i386/trap.c:984
#10 0xc093369f in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:200
#11 0x00000033 in ?? ()
--- END stack trace ---

This could also be a security issue, as non-root users can induce kernel
panics, leading to denial of service.

>How-To-Repeat:
1. Compile and install a modified kernel with configuration shown above.
2. Reboot.
3. Run the supplied test program (evptest) as any user (root or non-root):

$ tar -xjf evptest.tar.bz2
$ cd evptest
$ make cleandir
$ make depend all
$ ./evptest -h       # for help message
$ ./evptest -t 100   # this uses 100 threads

>Fix:
None, other than disabling ubsec as a workaround.
>Release-Note:
>Audit-Trail:

State-Changed-From-To: open->feedback
State-Changed-By: eadler
State-Changed-When: Tue Feb 22 19:14:18 EST 2011
State-Changed-Why:
Given link is dead and FreeBSD version is old. Can you provide an updated link
and can you reproduce on a recent version of FreeBSD?

http://www.freebsd.org/cgi/query-pr.cgi?pr=133143

State-Changed-From-To: feedback->closed
State-Changed-By: eadler
State-Changed-When: Tue Feb 22 19:32:18 EST 2011
State-Changed-Why:
Same reason as before - and submitter's mail bounced

http://www.freebsd.org/cgi/query-pr.cgi?pr=133143

>Unformatted:
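
The trace in this report shows the panic raised from mtrash_ctor() during a later malloc(), meaning a freed buffer was written to before it was handed out again. A simplified user-space model of that kind of junk-fill check follows, added here as an illustration (it is not FreeBSD's uma_dbg.c and not the submitter's code). The fill value, the function names and the constructed stale write are assumptions; the offset 0x138, the value 0x54c0f2f9 and the "devbuf" tag are taken from the panic message.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define JUNK      0xdeadc0deu  /* fill pattern for freed items (assumed value) */
#define ITEM_SIZE 4096         /* one allocator item */
/* Last pointer-sized slot holds the previous owner's tag (4092 usable on i386). */
#define USABLE    (ITEM_SIZE - sizeof(const char *))

/* On free: junk-fill the usable bytes and record who owned the item. */
static void trash_on_free(void *mem, const char *owner_tag) {
    uint32_t *p = mem;
    for (size_t i = 0; i < USABLE / sizeof(uint32_t); i++)
        p[i] = JUNK;
    memcpy((char *)mem + USABLE, &owner_tag, sizeof(owner_tag));
}

/* On next allocation: -1 if still all junk, else offset of first modified word. */
static long trash_check_on_alloc(const void *mem, uint32_t *val, const char **owner) {
    const uint32_t *p = mem;
    for (size_t i = 0; i < USABLE / sizeof(uint32_t); i++) {
        if (p[i] == JUNK) continue;
        *val = p[i];                       /* the unexpected word */
        memcpy(owner, (const char *)mem + USABLE, sizeof(*owner));
        return (long)(i * sizeof(uint32_t));
    }
    return -1;
}

/* Constructed scenario: the old owner writes one word after the free (write=0: none). */
static long demo_stale_write(int write, size_t off, uint32_t v,
                             uint32_t *seen, const char **owner) {
    void *item = malloc(ITEM_SIZE);        /* stays mapped; "free" is only modelled */
    if (item == NULL) return -2;
    trash_on_free(item, "devbuf");
    if (write) memcpy((char *)item + off, &v, sizeof(v));
    long r = trash_check_on_alloc(item, seen, owner);
    free(item);
    return r;
}

int main(void) {
    uint32_t val = 0; const char *owner = "none";
    long off = demo_stale_write(1, 0x138, 0x54c0f2f9u, &val, &owner);
    printf("Memory modified after free: offset 0x%lx val=%x, last used by %s\n",
           (unsigned long)off, (unsigned)val, owner);
    return 0;
}
```

The check fires at the next allocation of the item, not at the stale write itself, so the allocating frame in such a trace (here ubsec_newsession) is not necessarily the code that performed the write.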