Re: Panic in kern_access

From: Mel Flynn <mel.flynn+fbsd.current_at_mailing.thruhere.net>
Date: Tue, 15 Sep 2009 14:03:50 +0200
On Tuesday 15 September 2009 13:14:31 Kostik Belousov wrote:
> On Mon, Sep 14, 2009 at 08:24:49PM +0200, Mel Flynn wrote:
> > Hi,
> >
> > below some crash info. However, since kib_at_ made some fixes that seem
> > to relate to this, I shall rebuild my kernel with new sources.
> 
> None of my fixes were related to the issue, AFAIR.
> 
> > At the time I was building various ports in a jail and asleep, so no
> > other contributing factors.
> >
> > panic: free: address 0xc62e0e00(0xc62e0000) has not been allocated.
> >
> > #0  doadump () at pcpu.h:246
> > 246   pcpu.h: No such file or directory.
> >    in pcpu.h
> > (kgdb) #0  doadump () at pcpu.h:246
> > #1  0xc0642b57 in boot (howto=260) at
> > /usr/src/sys/kern/kern_shutdown.c:416 #2  0xc0642e49 in panic
> > (fmt=Variable "fmt" is not available.
> > ) at /usr/src/sys/kern/kern_shutdown.c:579
> > #3  0xc062fcfe in free (addr=0x0, mtp=0xc091c330)
> >     at /usr/src/sys/kern/kern_malloc.c:444
> > #4  0xc063b018 in crfree (cr=0xc795ea80) at
> > /usr/src/sys/kern/kern_prot.c:1840
> 
> I want to see the output of
> p/x cr
> and
> p/x cr->cr_groups
> from the frame 4.

(kgdb) p/x cr
$1 = 0xc795ea80
(kgdb) p/x cr->cr_groups
$2 = 0xc62e0e00
(kgdb) p/x *cr->cr_groups
$3 = 0x0
(kgdb) p/x *cr
$4 = {cr_ref = 0x0, cr_uid = 0x0, cr_ruid = 0x0, cr_svuid = 0x0, cr_ngroups = 0x2,
  cr_rgid = 0x0, cr_svgid = 0x0, cr_uidinfo = 0xc5523380, cr_ruidinfo = 0xc5523380,
  cr_prison = 0xcc3a0800, cr_pspare = 0x0, cr_flags = 0x0, cr_pspare2 = {0x0, 0x0},
  cr_label = 0x0, cr_audit = {ai_auid = 0xffffffff, ai_mask = {am_success = 0x0,
      am_failure = 0x0}, ai_termid = {at_port = 0x0, at_type = 0x4, at_addr = {0x0, 0x0,
        0x0, 0x0}}, ai_asid = 0x0, ai_flags = 0x0}, cr_groups = 0xc62e0e00,
  cr_agroups = 0x10}


Hmm, since this is in credentials, would it be relevant that I have patched kern_jail.c
to allow /dev/io access? I don't touch credentials, though, and X wasn't running in the jail
at the time of the crash. Just in case, the patch is below.
-- 
Mel

Index: sys/kern/kern_jail.c
===================================================================
--- sys/kern/kern_jail.c	(revision 197210)
+++ sys/kern/kern_jail.c	(working copy)
_at__at_ -160,6 +160,7 _at__at_
 	"allow.mount",
 	"allow.quotas",
 	"allow.socket_af",
+	"allow.dev_io",
 };
 
 static char *pr_allow_nonames[] = {
_at__at_ -170,6 +171,7 _at__at_
 	"allow.nomount",
 	"allow.noquotas",
 	"allow.nosocket_af",
+	"allow.nodev_io",
 };
 
 #define	JAIL_DEFAULT_ALLOW		PR_ALLOW_SET_HOSTNAME
_at__at_ -3738,6 +3740,17 _at__at_
 	case PRIV_NETINET_GETCRED:
 		return (0);
 
+		/*
+		 * Allow access to /dev/io in a jail if the non-jailed admin
+		 * requests this and if /dev/io exists in the jail. This
+		 * allows Xorg to probe a card.
+		 */
+	case PRIV_IO:
+		if (cred->cr_prison->pr_allow & PR_ALLOW_DEV_IO)
+			return (0);
+		else
+			return (EPERM);
+
 	default:
 		/*
 		 * In all remaining cases, deny the privilege request.  This
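Review bot: The comment above `case PRIV_IO:` says access is granted only "if /dev/io exists in the jail", but the code tests nothing except the `PR_ALLOW_DEV_IO` bit, so the device-node condition is enforced (if at all) by the jail's devfs ruleset, outside this function. PRIV_IO is a privilege rather than a device permission, so any other kernel path that calls priv_check with PRIV_IO (I believe the x86 I/O-permission sysarch path does, but that is not visible here) would also be opened to jailed root whether or not the node exists. Raw port I/O is enough to undermine jail isolation, so the comment should say so plainly, e.g. `/* Grants raw I/O port access to jailed root; this effectively removes the jail's security boundary. Must stay off by default. */`. The `else` after `return (0);` is redundant; a bare `return (EPERM);` reads better and matches the early-return style of the case above. The enclosing switch starts and ends outside the hunk.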
_at__at_ -3988,6 +4001,10 _at__at_
     CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
     NULL, PR_ALLOW_MOUNT, sysctl_jail_default_allow, "I",
     "Processes in jail can mount/unmount jail-friendly file systems");
+SYSCTL_PROC(_security_jail, OID_AUTO, dev_io_allow,
+    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
+    NULL, PR_ALLOW_DEV_IO, sysctl_jail_default_allow, "I",
+    "Processes in jail can access /dev/io");
 
 static int
 sysctl_jail_default_level(SYSCTL_HANDLER_ARGS)
_at__at_ -4114,6 +4131,8 _at__at_
     "B", "Jail may set file quotas");
 SYSCTL_JAIL_PARAM(_allow, socket_af, CTLTYPE_INT | CTLFLAG_RW,
     "B", "Jail may create sockets other than just UNIX/IPv4/IPv6/route");
+SYSCTL_JAIL_PARAM(_allow, dev_io, CTLTYPE_INT | CTLFLAG_RW,
+    "B", "Jail can access /dev/io if present");
 
 
 #ifdef DDB
Index: sys/sys/jail.h
===================================================================
--- sys/sys/jail.h	(revision 197210)
+++ sys/sys/jail.h	(working copy)
_at__at_ -207,7 +207,8 _at__at_
 #define	PR_ALLOW_MOUNT			0x0010
 #define	PR_ALLOW_QUOTAS			0x0020
 #define	PR_ALLOW_SOCKET_AF		0x0040
-#define	PR_ALLOW_ALL			0x007f
+#define	PR_ALLOW_DEV_IO			0x0080
+#define	PR_ALLOW_ALL			0x00ff
 
 /*
  * OSD methods
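Review bot: Widening `PR_ALLOW_ALL` to `0x00ff` pulls the new `PR_ALLOW_DEV_IO` bit into every place that uses the mask, and none of those uses are visible in this hunk. If any code initialises or inherits a prison's `pr_allow` from `PR_ALLOW_ALL`, jails created under it could receive raw I/O access without the admin asking for it, so each use should be checked before this goes in. A comment above the define such as `/* PR_ALLOW_ALL must cover every PR_ALLOW_* bit; audit its users when adding one */` would make that obligation explicit for the next change.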
Received on Tue Sep 15 2009 - 10:03:54 UTC
