OpenBSD <= 5.6 Multiple Local Kernel Panics (malformed ELF executable in user-land)

OpenBSD <= 5.6 Multiple Local Kernel Panics (malformed ELF executable in user-land)

Alejandro Hernández
Hi all,

Last year I reported a local kernel panic in 5.5
(http://seclists.org/bugtraq/2014/Oct/153), however, I’ve found three
more affecting <= 5.6 in sys/uvm/uvm_map.c.
Attached the poc code and the output of trace and ps of one of the panics.

-------------------------------------------------------------------------
- uvm_mapent_addr_insert() -> panic():

       if (res != NULL) {
               panic("uvm_mapent_addr_insert: map %p entry %p "
                   "(0x%lx-0x%lx G=0x%lx F=0x%lx) insert collision "
                   "with entry %p (0x%lx-0x%lx G=0x%lx F=0x%lx)",
       }
-------------------------------------------------------------------------
- uvm_map_isavail() -> KASSERT() -> panic():

       if (*start_ptr == NULL) {
               *start_ptr = uvm_map_entrybyaddr(atree, addr);
               if (*start_ptr == NULL)
                       return 0;
       } else
               KASSERT(*start_ptr == uvm_map_entrybyaddr(atree, addr));
-------------------------------------------------------------------------
- uvm_map_fix_space() -> KASSERT() -> panic():

       KASSERT(entry == NULL || (entry->etype & UVM_ET_FREEMAPPED) == 0);
-------------------------------------------------------------------------

Reproduced under:
- OpenBSD 5.6 i386 snapshot (Nov 25th, 2014)
- OpenBSD 5.6 i386
- OpenBSD 5.5 i386


Regards,
Alejandro

Attachments:
- 0xb16b00b5.c (5K)
- panic_entry_NULL.png (68K)
- panic_start_ptr.png (67K)
- panic_uvm_mapent_addr_insert.png (67K)
- trace_ps.png (54K)

Re: OpenBSD <= 5.6 Multiple Local Kernel Panics (malformed ELF executable in user-land)

Philip Guenther
On Thu, 9 Apr 2015, Alejandro Hernández wrote:
> Last year I reported a local kernel panic in 5.5 <...> however, I've
> found three more affecting <= 5.6 in sys/uvm/uvm_map.c. Attached the poc
> code and the output of trace and ps of one of the panics.

Thank you for this report.  As far as we could tell, there was a single
cause to all three cases in the supplied proof-of-concept code; a fix for
that has been committed to -current.


Philip Guenther
[hidden email]


Re: OpenBSD <= 5.6 Multiple Local Kernel Panics (malformed ELF executable in user-land)

sam
On Sat, 25 Apr 2015 22:42:41 -0700
Philip Guenther <[hidden email]> wrote:

> On Thu, 9 Apr 2015, Alejandro Hernández wrote:
> > Last year I reported a local kernel panic in 5.5 <...> however,
> > I've found three more affecting <= 5.6 in sys/uvm/uvm_map.c.
> > Attached the poc code and the output of trace and ps of one of the
> > panics.
>
> Thank you for this report.  As far as we could tell, there was a
> single cause to all three cases in the supplied proof-of-concept
> code; a fix for that has been committed to -current.
>
>
> Philip Guenther
> [hidden email]
>

Hi,

Will this be in the errata for 5.7?

Thank you!