Panic from bad length parameter in bind (Possible DOS attack)

From: Ryan Sommers <ryans_at_gamersimpact.com>
Date: Sat, 3 Apr 2004 14:21:08 -0700 (MST)
Whenever I pass a length of 4 as the final (address-length) parameter to
bind(2), I get the following panic. bind() itself appears to return without
error; the panic occurs when the program exits and the kernel tears down a
mutex associated with the socket descriptor. The mutex passed to
mtx_destroy() has MTX_RECURSED set. I tried to find where the bind call
clobbers that mutex but could not. I have attached the small program that
triggers this; it works as an unprivileged (regular) user.

panic: Assertion (m->mtx_lock & (MTX_RECURSED|MTX_CONTESTED)) == 0 failed
at /usr/src/sys/kern/kern_mutex.c:848
panic messages:
---
panic: Assertion (m->mtx_lock & (MTX_RECURSED|MTX_CONTESTED)) == 0 failed
at /usr/src/sys/kern/kern_mutex.c:848
at line 848 in file /usr/src/sys/kern/kern_mutex.c
Debugger("panic")
Dumping 511 MB
 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240 256 272 288 304 320
336 352 368 384 400 416 432 448 464 480 496
---
Reading symbols from /boot/kernel/radeon.ko...done.
Loaded symbols for /boot/kernel/radeon.ko
Reading symbols from /boot/kernel/acpi.ko...done.
Loaded symbols for /boot/kernel/acpi.ko
Reading symbols from
/usr/obj/usr/src/sys/LILSHADOW/modules/usr/src/sys/modules/linux/linux.ko.debug...done.
Loaded symbols for
/usr/obj/usr/src/sys/LILSHADOW/modules/usr/src/sys/modules/linux/linux.ko.debug
#0  doadump () at /usr/src/sys/kern/kern_shutdown.c:240
240		dumping++;
(kgdb) bt
#0  doadump () at /usr/src/sys/kern/kern_shutdown.c:240
#1  0xc042b962 in db_fncall (dummy1=0, dummy2=0, dummy3=-1067086860,
    dummy4=0xdc56f924 " ìfÀXùVÜ\026\032[ÀXùVÜ\203\032[À\220\a")
    at /usr/src/sys/ddb/db_command.c:551
#2  0xc042b768 in db_command (last_cmdp=0xc0645640, cmd_table=0x0,
    aux_cmd_tablep=0xc0615ef0, aux_cmd_tablep_end=0xc0615ef4)
    at /usr/src/sys/ddb/db_command.c:348
#3  0xc042b848 in db_command_loop () at /usr/src/sys/ddb/db_command.c:475
#4  0xc042dfdd in db_trap (type=3, code=0) at /usr/src/sys/ddb/db_trap.c:73
#5  0xc05b7d41 in kdb_trap (type=3, code=0, regs=0xdc56fa50)
    at /usr/src/sys/i386/i386/db_interface.c:172
#6  0xc05c7b0c in trap (frame=
      {tf_fs = -1067515880, tf_es = -1068695536, tf_ds = 16, tf_edi = 1,
tf_esi = -1067469665, tf_ebp = -598279532, tf_isp = -598279556,
tf_ebx = 0, tf_edx = 0, tf_ecx = -1061076992, tf_eax = 18, tf_trapno
= 3, tf_err = 0, tf_eip = -1067745359, tf_cs = 8, tf_eflags = 662,
tf_esp = -598279480, tf_ss = -598279500}) at
/usr/src/sys/i386/i386/trap.c:579
#7  0xc05b7fb1 in Debugger (msg=0xc05fc09b "panic") at machine/cpufunc.h:60
#8  0xc04bec03 in __panic (file=0xc05fb46e
"/usr/src/sys/kern/kern_mutex.c", line=848,
    fmt=0xc05fb49f "Assertion %s failed at %s:%d")
    at /usr/src/sys/kern/kern_shutdown.c:536
#9  0xc04b7706 in mtx_destroy (m=0x0) at /usr/src/sys/kern/kern_mutex.c:848
#10 0xc052b554 in in_pcbdetach (inp=0xc4257ca8) at
/usr/src/sys/netinet/in_pcb.c:697
#11 0xc053807a in tcp_close (tp=0x0) at /usr/src/sys/netinet/tcp_subr.c:746
#12 0xc053c152 in tcp_disconnect (tp=0xc42598b8)
    at /usr/src/sys/netinet/tcp_usrreq.c:1251
#13 0xc053b164 in tcp_usr_detach (so=0x0) at
/usr/src/sys/netinet/tcp_usrreq.c:179
#14 0xc04f0d0c in soclose (so=0xc4238e10) at
/usr/src/sys/kern/uipc_socket.c:380
#15 0xc04e3cea in soo_close (fp=0x0, td=0xc41b2690) at
/usr/src/sys/kern/sys_socket.c:244
#16 0xc04a7c7f in fdrop_locked (fp=0xc41dc7f8, td=0xc41b2690)
    at /usr/src/sys/sys/file.h:292
#17 0xc04a7078 in fdrop (fp=0xc41dc7f8, td=0xc41b2690)
    at /usr/src/sys/kern/kern_descrip.c:1883
#18 0xc04a704b in closef (fp=0xc41dc7f8, td=0xc41b2690)
    at /usr/src/sys/kern/kern_descrip.c:1869
#19 0xc04a68f3 in fdfree (td=0xc41b2690) at
/usr/src/sys/kern/kern_descrip.c:1586
#20 0xc04abf73 in exit1 (td=0xc41b2690, rv=-256) at
/usr/src/sys/kern/kern_exit.c:253
#21 0xc04abb14 in exit1 (td=0xc41b2690, rv=277) at
/usr/src/sys/kern/kern_exit.c:98
#22 0xc05c8277 in syscall (frame=
      {tf_fs = 47, tf_es = 47, tf_ds = 47, tf_edi = -1077940988, tf_esi =
-1077940980, tf_---Type <return> to continue, or q <return> to
quit---
ebp = -1077941044, tf_isp = -598278796, tf_ebx = 672344908, tf_edx =
672417764, tf_ecx = 671526944, tf_eax = 1, tf_trapno = 12, tf_err = 2,
tf_eip = 671871511, tf_cs = 31, tf_eflags = 662, tf_esp = -1077941072,
tf_ss = 47}) at /usr/src/sys/i386/i386/trap.c:1004
#23 0x280bf217 in ?? ()
---Can't read userspace from dump, or kernel process---

(kgdb) up 10
#10 0xc052b554 in in_pcbdetach (inp=0xc4257ca8) at
/usr/src/sys/netinet/in_pcb.c:697
697		INP_LOCK_DESTROY(inp);
(kgdb) list
692		}
693		if (inp->inp_options)
694			(void)m_free(inp->inp_options);
695		ip_freemoptions(inp->inp_moptions);
696		inp->inp_vflag = 0;
697		INP_LOCK_DESTROY(inp);
698	#ifdef MAC
699		mac_destroy_inpcb(inp);
700	#endif
701		uma_zfree(ipi->ipi_zone, inp);
(kgdb) print inp->inp_mtx
$1 = {mtx_object = {lo_class = 0xc062933c, lo_name = 0xc060548b "inp",
    lo_type = 0xc06064c4 "tcpinp", lo_flags = 4915200, lo_list = {tqe_next
= 0x0,
      tqe_prev = 0x0}, lo_witness = 0x0}, mtx_lock = 3290113681,
mtx_recurse = 1}
(kgdb) print *inp
$2 = {inp_hash = {le_next = 0x0, le_prev = 0x0}, inp_list = {le_next =
0xc4258000,
    le_prev = 0xc0655f7c}, inp_flow = 0, inp_inc = {inc_flags = 0 '\0',
    inc_len = 0 '\0', inc_pad = 0, inc_ie = {ie_fport = 0, ie_lport = 0,
      ie_dependfaddr = {ie46_foreign = {ia46_pad32 = {0, 0, 0}, ia46_addr4
= {
            s_addr = 0}}, ie6_foreign = {__u6_addr = {
            __u6_addr8 = '\0' <repeats 15 times>, __u6_addr16 = {0, 0, 0,
0, 0, 0, 0,
              0}, __u6_addr32 = {0, 0, 0, 0}}}}, ie_dependladdr =
{ie46_local = {
          ia46_pad32 = {0, 0, 0}, ia46_addr4 = {s_addr = 0}}, ie6_local =
{__u6_addr = {
            __u6_addr8 = '\0' <repeats 15 times>, __u6_addr16 = {0, 0, 0,
0, 0, 0, 0,
              0}, __u6_addr32 = {0, 0, 0, 0}}}}}}, inp_ppcb = 0x0,
  inp_pcbinfo = 0xc0655f80, inp_socket = 0xc4238e10, inp_label = 0x0,
inp_flags = 0,
  inp_sp = 0x0, inp_vflag = 0 '\0', inp_ip_ttl = 64 '@', inp_ip_p = 0 '\0',
  inp_depend4 = {inp4_ip_tos = 0 '\0', inp4_options = 0x0, inp4_moptions =
0x0},
  inp_depend6 = {inp6_options = 0x0, inp6_outputopts = 0x0, inp6_moptions
= 0x0,
    inp6_icmp6filt = 0x0, inp6_cksum = 0, inp6_ifindex = 0, inp6_hops = 0},
  inp_portlist = {le_next = 0x0, le_prev = 0x0}, inp_phd = 0x0, inp_gencnt
= 13,
  inp_mtx = {mtx_object = {lo_class = 0xc062933c, lo_name = 0xc060548b "inp",
      lo_type = 0xc06064c4 "tcpinp", lo_flags = 4915200, lo_list =
{tqe_next = 0x0,
        tqe_prev = 0x0}, lo_witness = 0x0}, mtx_lock = 3290113681,
mtx_recurse = 1}}
(kgdb) down
#9  0xc04b7706 in mtx_destroy (m=0x0) at /usr/src/sys/kern/kern_mutex.c:848
848			MPASS((m->mtx_lock & (MTX_RECURSED|MTX_CONTESTED)) == 0);
(kgdb) list
843		LOCK_LOG_DESTROY(&m->mtx_object, 0);
844
845		if (!mtx_owned(m))
846			MPASS(mtx_unowned(m));
847		else {
848			MPASS((m->mtx_lock & (MTX_RECURSED|MTX_CONTESTED)) == 0);
849
850			/* Tell witness this isn't locked to make it happy. */
851			WITNESS_UNLOCK(&m->mtx_object, LOP_EXCLUSIVE, __FILE__,
852			    __LINE__);
(kgdb) info args
m = (struct mtx *) 0x0
(kgdb) info locals
No locals.
(kgdb) up
#10 0xc052b554 in in_pcbdetach (inp=0xc4257ca8) at
/usr/src/sys/netinet/in_pcb.c:697
697		INP_LOCK_DESTROY(inp);
(kgdb) info args
inp = (struct inpcb *) 0xc4257ca8
(kgdb) info locals
so = (struct socket *) 0xc4238e10
ipi = (struct inpcbinfo *) 0xc0655f80
(kgdb) quit

-- 
Ryan "leadZERO" Sommers
Gamer's Impact President
ryans_at_gamersimpact.com
ICQ: 1019590
AIM/MSN: leadZERO

-= http://www.gamersimpact.com =-

