Bug 238642
| Summary: | netmap: fix kernel pointer printing in netmap_generic.c | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Base System | Reporter: | Fuqian <huangfq.daxian> | ||||
| Component: | kern | Assignee: | Vincenzo Maffione <vmaffione> | ||||
| Status: | Closed FIXED | ||||||
| Severity: | Affects Some People | CC: | afedorov, halfling, net, olevole, vmaffione | ||||
| Priority: | --- | Keywords: | patch, security | ||||
| Version: | CURRENT | Flags: | vmaffione:
mfc-stable12+
vmaffione: mfc-stable11+ |
||||
| Hardware: | Any | ||||||
| OS: | Any | ||||||
| Attachments: |
|
||||||
A commit references this bug: Author: vmaffione Date: Thu Jul 4 21:11:45 UTC 2019 New revision: 349752 URL: https://svnweb.freebsd.org/changeset/base/349752 Log: netmap: fix kernel pointer printing in netmap_generic.c Print the adapter name rather than the address of the adapter to avoid kernel address leakage. PR: Bug 238642 Submitted by: Fuqian Huang <huangfq.daxian@gmail.com> Reviewed by: vmaffione MFC after: 1 week Changes: head/sys/dev/netmap/netmap_generic.c Re-open pending MFC A commit references this bug: Author: vmaffione Date: Thu Jul 11 20:13:52 UTC 2019 New revision: 349920 URL: https://svnweb.freebsd.org/changeset/base/349920 Log: MFC r349752 netmap: fix kernel pointer printing in netmap_generic.c Print the adapter name rather than the address of the adapter to avoid kernel address leakage. PR: Bug 238642 Submitted by: Fuqian Huang <huangfq.daxian@gmail.com> Reviewed by: vmaffione Changes: _U stable/12/ stable/12/sys/dev/netmap/netmap_generic.c A commit references this bug: Author: vmaffione Date: Thu Jul 11 20:29:51 UTC 2019 New revision: 349922 URL: https://svnweb.freebsd.org/changeset/base/349922 Log: MFC r349752 netmap: fix kernel pointer printing in netmap_generic.c Print the adapter name rather than the address of the adapter to avoid kernel address leakage. PR: Bug 238642 Submitted by: Fuqian Huang <huangfq.daxian@gmail.com> Reviewed by: vmaffione Changes: _U stable/11/ stable/11/sys/dev/netmap/netmap_generic.c It seems something goes wrong. With with changes i saw a panic on CURRENT:
root@current:~ # ifconfig vlan0 create up
root@current:~ # vale-ctl -a vale0:vlan0
Fatal trap 12: page fault while in kernel mode
cpuid = 2; apic id = 02
fault virtual address = 0x2a0
fault code = supervisor read data, page not present
instruction pointer = 0x20:0xffffffff80cb96cf
stack pointer = 0x28:0xfffffe008fa48da0
frame pointer = 0x28:0xfffffe008fa48da0
code segment = base rx0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 665 (vale-ctl)
trap number = 12
panic: page fault
cpuid = 2
time = 1562949961
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe008fa48a60
vpanic() at vpanic+0x19d/frame 0xfffffe008fa48ab0
panic() at panic+0x43/frame 0xfffffe008fa48b10
trap_fatal() at trap_fatal+0x39c/frame 0xfffffe008fa48b70
trap_pfault() at trap_pfault+0x62/frame 0xfffffe008fa48bc0
trap() at trap+0x2b4/frame 0xfffffe008fa48cd0
calltrap() at calltrap+0x8/frame 0xfffffe008fa48cd0
--- trap 0xc, rip = 0xffffffff80cb96cf, rsp = 0xfffffe008fa48da0, rbp = 0xfffffe008fa48da0 ---
strlen() at strlen+0x1f/frame 0xfffffe008fa48da0
kvprintf() at kvprintf+0xf79/frame 0xfffffe008fa48ec0
vprintf() at vprintf+0x81/frame 0xfffffe008fa48f90
printf() at printf+0x43/frame 0xfffffe008fa48ff0
generic_netmap_attach() at generic_netmap_attach+0x309/frame 0xfffffe008fa49040
netmap_get_hw_na() at netmap_get_hw_na+0x81/frame 0xfffffe008fa49070
netmap_get_bdg_na() at netmap_get_bdg_na+0x213/frame 0xfffffe008fa49100
netmap_vale_attach() at netmap_vale_attach+0xe0/frame 0xfffffe008fa49140
netmap_ioctl() at netmap_ioctl+0x8a9/frame 0xfffffe008fa49200
netmap_ioctl_legacy() at netmap_ioctl_legacy+0x4fd/frame 0xfffffe008fa495b0
netmap_ioctl() at netmap_ioctl+0x16b/frame 0xfffffe008fa49670
freebsd_netmap_ioctl() at freebsd_netmap_ioctl+0x88/frame 0xfffffe008fa496b0
devfs_ioctl() at devfs_ioctl+0xca/frame 0xfffffe008fa49700
VOP_IOCTL_APV() at VOP_IOCTL_APV+0x63/frame 0xfffffe008fa49720
vn_ioctl() at vn_ioctl+0x13d/frame 0xfffffe008fa49830
devfs_ioctl_f() at devfs_ioctl_f+0x1f/frame 0xfffffe008fa49850
kern_ioctl() at kern_ioctl+0x28a/frame 0xfffffe008fa498c0
sys_ioctl() at sys_ioctl+0x15d/frame 0xfffffe008fa49990
amd64_syscall() at amd64_syscall+0x276/frame 0xfffffe008fa49ab0
fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe008fa49ab0
--- syscall (54, FreeBSD ELF64, sys_ioctl), rip = 0x80041631a, rsp = 0x7fffffffeab8, rbp = 0x7fffffffeb50 ---
KDB: enter: panic
[ thread pid 665 tid 100131 ]
Stopped at kdb_enter+0x3b: movq $0,kdb_why
db>
This happens due the fact that gna->prev equal zero.
For example old output without this patch:
root@current:~ # vale-ctl -a vale0:vlan0
792.670615 [1130] generic_netmap_attach Emulated adapter for vlan0 created (prev was 0)
^^^^^^^!!!!!
I don't know why, but this if evaluated as false:
1121 if (NM_NA_VALID(ifp)) {
1122 gna->prev = NA(ifp); /* save old na */
1123 netmap_adapter_get(gna->prev);
1124 }
And then:
1129 nm_prinf("Emulated adapter for %s created (prev was %s)", na->name, gna->prev->name);
^^^^!!!!
Null pointer dereference.
Yes, indeed. For some reason when I did not catch this when running the tests. I'll fix it now. *** Bug 239224 has been marked as a duplicate of this bug. *** Regression fix committed in base r349966 MFC'd to stable/11 in base r350007 and stable/12 in base r350006 @Vincenzo If you could include PR: references in all commits (and mfc's) where possible that would be great! If this is now resolved, (no further commits needed), please set mfc-stable* flags to + where appropriate and close issue at your leisure You're right, I will include PR: references in the futures. I also set the flags. Closing, since ci.freebsd.org tells me that the regression is fixed. Thanks |
Created attachment 205163 [details] The patch file Print the adapter name rather than the address of the adapter to avoid kernel address leakage.