Re: ifnet use after free

From: Shawn Webb <shawn.webb_at_hardenedbsd.org>
Date: Fri, 7 Sep 2018 10:38:23 -0400
On Fri, Aug 24, 2018 at 06:19:55PM -0400, Shawn Webb wrote:
> Hey All,
> 
> Somewhere in the last month or so, a use after free was introduced. I
> don't have the time right now to bisect the commits and figure out
> which commit introduced the breakage. Attached is the core.txt (which
> seems nonsensical because the dump is reporting on a different
> thread). If the core.txt gets scrubbed, I've posted it here:
> https://gist.github.com/796ea88cec19a1fd2a85f4913482286a
> 
> I'm running HardenedBSD 12-CURRENT/amd64, commit 6091fec317a.
> 
> FreeBSD hbsd-dev-laptop 12.0-ALPHA2 FreeBSD 12.0-ALPHA2 #4
> 6091fec317a(hardened/current/master)-dirty: Thu Aug 23 18:37:45 EDT
> 2018
> shawn_at_hbsd-dev-laptop:/usr/obj/usr/src/amd64.amd64/sys/LATT-SEC  amd64

New core.txt: https://gist.github.com/d1ee63e578c09f35d40c977093b402d6

I'm not sure if it's the same issue, but at least I'm getting a proper
backtrace. I wonder if ifp or ifp->if_xname is already freed by the time
ifunit_ref is called.

FreeBSD hbsd-dev-laptop 12.0-ALPHA4 FreeBSD 12.0-ALPHA4 #6  a581146ba17(hardened/current/master)-dirty: Mon Sep  3 12:51:49 EDT 2018     shawn_at_hbsd-dev-laptop:/usr/obj/usr/src/amd64.amd64/sys/LATT-SEC  amd64

panic: vm_fault_hold: fault on nofault entry, addr: 0xfffffe0000685000

GNU gdb (GDB) 8.1.1 [GDB v8.1.1 for FreeBSD]
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-portbld-freebsd12.0".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /boot/kernel/kernel...Reading symbols from /usr/lib/debug//boot/kernel/kernel.debug...done.
done.

Unread portion of the kernel message buffer:
[12101] panic: vm_fault_hold: fault on nofault entry, addr: 0xfffffe0000685000
[12101] cpuid = 3
[12101] time = 1536281241
[12101] __HardenedBSD_version = 1200058 __FreeBSD_version = 1200083
[12101] version = FreeBSD 12.0-ALPHA4 #6  a581146ba17(hardened/current/master)-dirty: Mon Sep  3 12:51:49 EDT 2018
[12101]     shawn_at_hbsd-dev-laptop:/usr/obj/usr/src/amd64.amd64/sys/LATT-SEC
[12101] KDB: stack backtrace:
[12101] db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe1fef53d1c0
[12101] vpanic() at vpanic+0x1a8/frame 0xfffffe1fef53d220
[12101] panic() at panic+0x43/frame 0xfffffe1fef53d280
[12101] vm_fault_hold() at vm_fault_hold+0x1faf/frame 0xfffffe1fef53d3d0
[12101] vm_fault() at vm_fault+0x60/frame 0xfffffe1fef53d410
[12101] trap_pfault() at trap_pfault+0x188/frame 0xfffffe1fef53d460
[12101] trap() at trap+0x560/frame 0xfffffe1fef53d570
[12101] calltrap() at calltrap+0x8/frame 0xfffffe1fef53d570
[12101] --- trap 0xc, rip = 0xffffffff80bd5455, rsp = 0xfffffe1fef53d640, rbp = 0xfffffe1fef53d640 ---
[12101] strncmp() at strncmp+0x15/frame 0xfffffe1fef53d640
[12101] ifunit_ref() at ifunit_ref+0x51/frame 0xfffffe1fef53d680
[12101] ifioctl() at ifioctl+0x7bd/frame 0xfffffe1fef53d750
[12101] kern_ioctl() at kern_ioctl+0x2c0/frame 0xfffffe1fef53d7b0
[12101] sys_ioctl() at sys_ioctl+0x16e/frame 0xfffffe1fef53d880
[12101] amd64_syscall() at amd64_syscall+0x29e/frame 0xfffffe1fef53d9b0
[12101] fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe1fef53d9b0
[12101] --- syscall (54, FreeBSD ELF64, sys_ioctl), rip = 0x3c2595b7f8a, rsp = 0x7461b1772838, rbp = 0x7461b17728a0 ---
[12101] Uptime: 3h21m41s
[12101] Dumping 8310 out of 65330 MB:..1%..11%..21%..31%..41%..51%..61%..71%..81%..91%

__curthread () at ./machine/pcpu.h:230
230		__asm("movq %%gs:%1,%0" : "=r" (td)
(kgdb) #0  __curthread () at ./machine/pcpu.h:230
#1  doadump (textdump=1) at /usr/src/sys/kern/kern_shutdown.c:368
#2  0xffffffff80aec5b6 in kern_reboot (howto=260)
    at /usr/src/sys/kern/kern_shutdown.c:448
#3  0xffffffff80aeca08 in vpanic (fmt=<optimized out>, ap=0xfffffe1fef53d260)
    at /usr/src/sys/kern/kern_shutdown.c:877
#4  0xffffffff80aec763 in panic (fmt=<unavailable>)
    at /usr/src/sys/kern/kern_shutdown.c:801
#5  0xffffffff80e285cf in vm_fault_hold (map=0xfffff80005001000, 
    vaddr=<optimized out>, fault_type=1 '\001', fault_flags=<optimized out>, 
    m_hold=0x0) at /usr/src/sys/vm/vm_fault.c:585
#6  0xffffffff80e265d0 in vm_fault (map=0xfffff80005001000, 
    vaddr=<optimized out>, fault_type=1 '\001', fault_flags=0)
    at /usr/src/sys/vm/vm_fault.c:536
#7  0xffffffff80fc0648 in trap_pfault (frame=0xfffffe1fef53d580, 
    usermode=<optimized out>) at /usr/src/sys/amd64/amd64/trap.c:829
#8  0xffffffff80fbfcd0 in trap (frame=0xfffffe1fef53d580)
    at /usr/src/sys/amd64/amd64/trap.c:441
#9  <signal handler called>
#10 0xffffffff80bd5455 in strncmp (s1=0xfffffe1fef53d7d0 "epair5b", 
    s2=0xfffffe0000685b28 <error: Cannot access memory at address 0xfffffe0000685b28>, n=16) at /usr/src/sys/libkern/strncmp.c:44
#11 0xffffffff80be9c11 in ifunit_ref (name=0xfffffe1fef53d7d0 "epair5b")
    at /usr/src/sys/net/if.c:2419
#12 0xffffffff80bea4bd in ifioctl (so=0xfffff804c8cbc368, cmd=3223349536, 
    data=0xfffffe1fef53d7d0 "epair5b", td=0xfffff8006298d580)
    at /usr/src/sys/net/if.c:3076
#13 0xffffffff80b58ee0 in fo_ioctl (fp=<optimized out>, com=<optimized out>, 
    active_cred=0x0, td=<optimized out>, data=<optimized out>)
    at /usr/src/sys/sys/file.h:330
#14 kern_ioctl (td=0xfffff8006298d580, fd=3, com=<optimized out>, 
    data=0x10 <error: Cannot access memory at address 0x10>)
    at /usr/src/sys/kern/sys_generic.c:800
#15 0xffffffff80b58b9e in sys_ioctl (td=0xfffff8006298d580, 
    uap=0xfffff8006298d948) at /usr/src/sys/kern/sys_generic.c:712
#16 0xffffffff80fc0e5e in syscallenter (td=0xfffff8006298d580)
    at /usr/src/sys/amd64/amd64/../../kern/subr_syscall.c:135
#17 amd64_syscall (td=0xfffff8006298d580, traced=0)
    at /usr/src/sys/amd64/amd64/trap.c:1043
#18 <signal handler called>
#19 0x000003c2595b7f8a in ?? ()
Backtrace stopped: Cannot access memory at address 0x7461b1772838

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal:    +1 443-546-8752
Tor+XMPP+OTR:        lattera_at_is.a.hacker.sx
GPG Key ID:          0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE
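
The backtrace above faults inside strncmp() called from ifunit_ref(), with s1 the user-supplied name "epair5b" and s2 an unreadable ifp->if_xname, which is what a freed or unmapped ifnet reached through the interface list looks like. The following is an added example, not FreeBSD or HardenedBSD code and not from the report, that models the reference-counting invariant a name lookup like ifunit_ref() relies on: walk the list, compare if_xname bounded by IFNAMSIZ, skip interfaces marked dying, and take a reference before returning so the struct cannot be freed out from under the caller. All *_sim functions, the struct layout, and the flag value are hypothetical stand-ins; the interface names are constructed from the ones in the backtrace. The model is single-threaded, so it shows only the refcount side of the contract, not the list lock that protects a walker that is between nodes while another CPU detaches.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IFNAMSIZ 16
#define IFF_DYING 0x1   /* value is arbitrary in this model */

/* Stand-in for struct ifnet: only the fields a name lookup touches. */
struct ifnet {
    char if_xname[IFNAMSIZ];
    int if_flags;
    int if_refcount;        /* 1 for the list's own reference, +1 per holder */
    struct ifnet *if_link;
};

static struct ifnet *ifnet_head;  /* stand-in for the V_ifnet list */
static int freed_count;           /* how many ifnet structs were really freed */

static struct ifnet *if_alloc_sim(const char *name)
{
    struct ifnet *ifp = calloc(1, sizeof(*ifp));
    if (ifp == NULL)
        abort();
    snprintf(ifp->if_xname, sizeof(ifp->if_xname), "%s", name);
    ifp->if_refcount = 1;           /* owned by the list */
    ifp->if_link = ifnet_head;
    ifnet_head = ifp;
    return ifp;
}

static void if_ref_sim(struct ifnet *ifp)
{
    ifp->if_refcount++;
}

/* Last reference out frees the struct. if_xname is wiped first so a
 * stale holder would read garbage rather than a plausible name (in the
 * kernel the read faults instead, as in the report). */
static void if_rele_sim(struct ifnet *ifp)
{
    if (--ifp->if_refcount > 0)
        return;
    memset(ifp->if_xname, 0, sizeof(ifp->if_xname));
    free(ifp);
    freed_count++;
}

/* Lookup by name: strncmp() bounded by IFNAMSIZ, skip dying interfaces,
 * and take a reference before handing the pointer back. */
static struct ifnet *ifunit_ref_sim(const char *name)
{
    struct ifnet *ifp;

    for (ifp = ifnet_head; ifp != NULL; ifp = ifp->if_link) {
        if (strncmp(name, ifp->if_xname, IFNAMSIZ) == 0 &&
            !(ifp->if_flags & IFF_DYING))
            break;
    }
    if (ifp != NULL)
        if_ref_sim(ifp);
    return ifp;
}

/* Detach: mark dying, unlink, drop the list's reference. The struct is
 * freed here only if no lookup still holds it. */
static void if_detach_sim(struct ifnet *ifp)
{
    struct ifnet **pp;

    ifp->if_flags |= IFF_DYING;
    for (pp = &ifnet_head; *pp != NULL; pp = &(*pp)->if_link) {
        if (*pp == ifp) {
            *pp = ifp->if_link;
            break;
        }
    }
    if_rele_sim(ifp);
}

/* Scenario: a caller looks up epair5b, holds it across detach, then
 * releases it. Returns 1 if the name stayed readable while held, a second
 * lookup no longer found the detached interface, and the memory was freed
 * exactly once, by the final release rather than by detach. */
static int scenario_lookup_survives_detach(void)
{
    int freed_at_start = freed_count;
    struct ifnet *a = if_alloc_sim("epair5a");
    struct ifnet *b = if_alloc_sim("epair5b");
    struct ifnet *held;
    int intact, gone, freed_by_detach, freed_by_release;

    if (ifunit_ref_sim("epair9z") != NULL)   /* absent name must miss */
        return 0;
    held = ifunit_ref_sim("epair5b");
    if (held != b || b->if_refcount != 2)
        return 0;

    if_detach_sim(b);
    freed_by_detach = freed_count - freed_at_start;
    intact = strncmp(held->if_xname, "epair5b", IFNAMSIZ) == 0;
    gone = ifunit_ref_sim("epair5b") == NULL;

    if_rele_sim(held);
    freed_by_release = freed_count - freed_at_start - freed_by_detach;

    if_detach_sim(a);   /* clean up */
    return intact && gone && freed_by_detach == 0 && freed_by_release == 1;
}

int main(void)
{
    printf("reference held across detach: %s\n",
           scenario_lookup_survives_detach() ? "ok" : "BROKEN");
    return 0;
}
```

In the model the held pointer stays valid across detach because the lookup took its reference before returning. The report's crash is the other half of the contract: frame #10 shows strncmp() reading ifp->if_xname during the walk itself, before any reference could be taken, so the ifnet either was freed while still linked into the list, or was freed while a walker was positioned on it; that is what the list lock around the walk exists to prevent, and it is where a bisect of the recent if.c and epair changes would start.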

Received on Fri Sep 07 2018 - 12:39:25 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:18 UTC