Summary: | netmap: fix kernel pointer printing in netmap_generic.c | ||||||
---|---|---|---|---|---|---|---|
Product: | Base System | Reporter: | Fuqian <huangfq.daxian> | ||||
Component: | kern | Assignee: | Vincenzo Maffione <vmaffione> | ||||
Status: | Closed FIXED | ||||||
Severity: | Affects Some People | CC: | afedorov, halfling, net, olevole, vmaffione | ||||
Priority: | --- | Keywords: | patch, security | ||||
Version: | CURRENT | Flags: | vmaffione:
mfc-stable12+
vmaffione: mfc-stable11+ |
||||
Hardware: | Any | ||||||
OS: | Any | ||||||
Attachments: |
|
A commit references this bug: Author: vmaffione Date: Thu Jul 4 21:11:45 UTC 2019 New revision: 349752 URL: https://svnweb.freebsd.org/changeset/base/349752 Log: netmap: fix kernel pointer printing in netmap_generic.c Print the adapter name rather than the address of the adapter to avoid kernel address leakage. PR: Bug 238642 Submitted by: Fuqian Huang <huangfq.daxian@gmail.com> Reviewed by: vmaffione MFC after: 1 week Changes: head/sys/dev/netmap/netmap_generic.c Re-open pending MFC A commit references this bug: Author: vmaffione Date: Thu Jul 11 20:13:52 UTC 2019 New revision: 349920 URL: https://svnweb.freebsd.org/changeset/base/349920 Log: MFC r349752 netmap: fix kernel pointer printing in netmap_generic.c Print the adapter name rather than the address of the adapter to avoid kernel address leakage. PR: Bug 238642 Submitted by: Fuqian Huang <huangfq.daxian@gmail.com> Reviewed by: vmaffione Changes: _U stable/12/ stable/12/sys/dev/netmap/netmap_generic.c A commit references this bug: Author: vmaffione Date: Thu Jul 11 20:29:51 UTC 2019 New revision: 349922 URL: https://svnweb.freebsd.org/changeset/base/349922 Log: MFC r349752 netmap: fix kernel pointer printing in netmap_generic.c Print the adapter name rather than the address of the adapter to avoid kernel address leakage. PR: Bug 238642 Submitted by: Fuqian Huang <huangfq.daxian@gmail.com> Reviewed by: vmaffione Changes: _U stable/11/ stable/11/sys/dev/netmap/netmap_generic.c It seems something goes wrong. With with changes i saw a panic on CURRENT: root@current:~ # ifconfig vlan0 create up root@current:~ # vale-ctl -a vale0:vlan0 Fatal trap 12: page fault while in kernel mode cpuid = 2; apic id = 02 fault virtual address = 0x2a0 fault code = supervisor read data, page not present instruction pointer = 0x20:0xffffffff80cb96cf stack pointer = 0x28:0xfffffe008fa48da0 frame pointer = 0x28:0xfffffe008fa48da0 code segment = base rx0, limit 0xfffff, type 0x1b = DPL 0, pres 1, long 1, def32 0, gran 1 processor eflags = interrupt enabled, resume, IOPL = 0 current process = 665 (vale-ctl) trap number = 12 panic: page fault cpuid = 2 time = 1562949961 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe008fa48a60 vpanic() at vpanic+0x19d/frame 0xfffffe008fa48ab0 panic() at panic+0x43/frame 0xfffffe008fa48b10 trap_fatal() at trap_fatal+0x39c/frame 0xfffffe008fa48b70 trap_pfault() at trap_pfault+0x62/frame 0xfffffe008fa48bc0 trap() at trap+0x2b4/frame 0xfffffe008fa48cd0 calltrap() at calltrap+0x8/frame 0xfffffe008fa48cd0 --- trap 0xc, rip = 0xffffffff80cb96cf, rsp = 0xfffffe008fa48da0, rbp = 0xfffffe008fa48da0 --- strlen() at strlen+0x1f/frame 0xfffffe008fa48da0 kvprintf() at kvprintf+0xf79/frame 0xfffffe008fa48ec0 vprintf() at vprintf+0x81/frame 0xfffffe008fa48f90 printf() at printf+0x43/frame 0xfffffe008fa48ff0 generic_netmap_attach() at generic_netmap_attach+0x309/frame 0xfffffe008fa49040 netmap_get_hw_na() at netmap_get_hw_na+0x81/frame 0xfffffe008fa49070 netmap_get_bdg_na() at netmap_get_bdg_na+0x213/frame 0xfffffe008fa49100 netmap_vale_attach() at netmap_vale_attach+0xe0/frame 0xfffffe008fa49140 netmap_ioctl() at netmap_ioctl+0x8a9/frame 0xfffffe008fa49200 netmap_ioctl_legacy() at netmap_ioctl_legacy+0x4fd/frame 0xfffffe008fa495b0 netmap_ioctl() at netmap_ioctl+0x16b/frame 0xfffffe008fa49670 freebsd_netmap_ioctl() at freebsd_netmap_ioctl+0x88/frame 0xfffffe008fa496b0 devfs_ioctl() at devfs_ioctl+0xca/frame 0xfffffe008fa49700 VOP_IOCTL_APV() at VOP_IOCTL_APV+0x63/frame 0xfffffe008fa49720 vn_ioctl() at vn_ioctl+0x13d/frame 0xfffffe008fa49830 devfs_ioctl_f() at devfs_ioctl_f+0x1f/frame 0xfffffe008fa49850 kern_ioctl() at kern_ioctl+0x28a/frame 0xfffffe008fa498c0 sys_ioctl() at sys_ioctl+0x15d/frame 0xfffffe008fa49990 amd64_syscall() at amd64_syscall+0x276/frame 0xfffffe008fa49ab0 fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe008fa49ab0 --- syscall (54, FreeBSD ELF64, sys_ioctl), rip = 0x80041631a, rsp = 0x7fffffffeab8, rbp = 0x7fffffffeb50 --- KDB: enter: panic [ thread pid 665 tid 100131 ] Stopped at kdb_enter+0x3b: movq $0,kdb_why db> This happens due the fact that gna->prev equal zero. For example old output without this patch: root@current:~ # vale-ctl -a vale0:vlan0 792.670615 [1130] generic_netmap_attach Emulated adapter for vlan0 created (prev was 0) ^^^^^^^!!!!! I don't know why, but this if evaluated as false: 1121 if (NM_NA_VALID(ifp)) { 1122 gna->prev = NA(ifp); /* save old na */ 1123 netmap_adapter_get(gna->prev); 1124 } And then: 1129 nm_prinf("Emulated adapter for %s created (prev was %s)", na->name, gna->prev->name); ^^^^!!!! Null pointer dereference. Yes, indeed. For some reason when I did not catch this when running the tests. I'll fix it now. *** Bug 239224 has been marked as a duplicate of this bug. *** Regression fix committed in base r349966 MFC'd to stable/11 in base r350007 and stable/12 in base r350006 @Vincenzo If you could include PR: references in all commits (and mfc's) where possible that would be great! If this is now resolved, (no further commits needed), please set mfc-stable* flags to + where appropriate and close issue at your leisure You're right, I will include PR: references in the futures. I also set the flags. Closing, since ci.freebsd.org tells me that the regression is fixed. Thanks |
Created attachment 205163 [details] The patch file Print the adapter name rather than the address of the adapter to avoid kernel address leakage.