>Number:         147839
>Category:       kern
>Synopsis:       [patch] syscall(2) with wrong argument causing panic on WITNESS enabled kernel
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jun 13 20:10:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Vladislav Movchan
>Release:        FreeBSD 9.0-CURRENT i386
>Organization:
>Environment:
FreeBSD vbox 9.0-CURRENT FreeBSD 9.0-CURRENT #0 r208745: Sun Jun 13 20:02:20 EEST 2010     r...@vbox:/usr/obj/usr/src/sys/VBOX  i386
>Description:
Calling the "syscall" system call with the first argument set to zero or to a value 
higher than ~110000000 (on my host) causes a panic on a WITNESS enabled kernel.

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0xbfd9ee70
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc08d4adb
stack pointer           = 0x28:0xd34a1c64
frame pointer           = 0x28:0xd34a1c64
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 1051 (syscall_0)
panic: from debugger
cpuid = 0
Uptime: 2m14s
Physical memory: 751 MB
Dumping 139 MB: 124 108 92 76 60 44 28 12

Reading symbols from /boot/kernel/if_em.ko...Reading symbols from /boot/kernel/if_em.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/if_em.ko
Reading symbols from /boot/modules/vboxguest.ko...done.
Loaded symbols for /boot/modules/vboxguest.ko
#0  doadump () at pcpu.h:231
231             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
(kgdb) bt
#0  doadump () at pcpu.h:231
#1  0xc089531e in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:416
#2  0xc08955f2 in panic (fmt=Variable "fmt" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:590
#3  0xc04d2867 in db_panic (addr=Could not find the frame base for "db_panic".
) at /usr/src/sys/ddb/db_command.c:478
#4  0xc04d2e91 in db_command (last_cmdp=0xc0dd61dc, cmd_table=0x0, dopager=1) at /usr/src/sys/ddb/db_command.c:445
#5  0xc04d2fea in db_command_loop () at /usr/src/sys/ddb/db_command.c:498
#6  0xc04d4f0d in db_trap (type=12, code=0) at /usr/src/sys/ddb/db_main.c:229
#7  0xc08c7a76 in kdb_trap (type=12, code=0, tf=0xd34a1c24) at /usr/src/sys/kern/subr_kdb.c:535
#8  0xc0bd4a3f in trap_fatal (frame=0xd34a1c24, eva=3218730608) at /usr/src/sys/i386/i386/trap.c:929
#9  0xc0bd4c50 in trap_pfault (frame=0xd34a1c24, usermode=0, eva=3218730608) at /usr/src/sys/i386/i386/trap.c:851
#10 0xc0bd51c3 in trap (frame=0xd34a1c24) at /usr/src/sys/i386/i386/trap.c:531
#11 0xc0bb6b5b in calltrap () at /usr/src/sys/i386/i386/exception.s:165
#12 0xc08d4adb in syscallname (p=0xc4bb1d48, code=3217026068) at /usr/src/sys/kern/subr_trap.c:270
#13 0xc08d4e70 in syscallret (td=0xc4bc6750, error=78, sa=0xd34a1cf4) at /usr/src/sys/kern/subr_trap.c:374
#14 0xc0bd4d19 in syscall (frame=0xd34a1d38) at /usr/src/sys/i386/i386/trap.c:1067
#15 0xc0bb6bc0 in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:261
#16 0x00000033 in ?? ()
Previous frame inner to this frame (corrupt stack?)
>How-To-Repeat:
Execute the following two commands on a WITNESS enabled kernel (can be done by an 
unprivileged user):
$ cc -xc - -o syscall_0 << EOF
#include <sys/syscall.h>
#include <unistd.h>

int main(void) {
    /* syscall number 0 (or a very large value) triggers the panic described above */
    return syscall(0);
}
EOF
$ ./syscall_0
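The failure mode here is a user-controlled syscall number used as an index into the per-ABI name table without a bounds check. The following is an added user-space model of that lookup, not code from the PR or from the FreeBSD kernel: `struct abi_names`, `syscallname_checked`, and the sample tables are assumptions that mirror only the `sv_size` / `sv_syscallnames` fields the patch names, and the entries in the sample table are constructed for illustration. It shows the checked lookup rejecting an out-of-range code, a code that is negative when viewed as a signed int, and an ABI with no name table at all.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/*
 * Hypothetical stand-in for the kernel's per-ABI descriptor; only the two
 * fields the patch touches are modelled.  Not FreeBSD's struct sysentvec.
 */
struct abi_names {
	unsigned int sv_size;               /* number of entries in the table */
	const char *const *sv_syscallnames; /* NULL for ABIs without a name table */
};

/* Constructed sample table (numbers 0-4 of the native FreeBSD ABI). */
static const char *const sample_names[] = {
	"syscall", /* 0 */
	"exit",    /* 1 */
	"fork",    /* 2 */
	"read",    /* 3 */
	"write",   /* 4 */
};

static const struct abi_names sample_abi = {
	.sv_size = sizeof(sample_names) / sizeof(sample_names[0]),
	.sv_syscallnames = sample_names,
};

/* Constructed ABI that has a size but no names, like the NULL case in the patch. */
static const struct abi_names nameless_abi = {
	.sv_size = 5,
	.sv_syscallnames = NULL,
};

/*
 * Bounds-checked lookup in the shape of the PR's patch.  `code` is unsigned
 * on purpose: a negative value arriving from user space wraps to a large
 * unsigned number and is rejected by the same `>=` test, instead of indexing
 * in front of the table.
 */
const char *
syscallname_checked(const struct abi_names *sv, unsigned int code)
{
	static const char unknown[] = "unknown";

	if (sv->sv_syscallnames == NULL || code >= sv->sv_size)
		return (unknown);
	return (sv->sv_syscallnames[code]);
}

int
main(void)
{
	/* 3217026068 is the `code` value shown in the PR's backtrace. */
	unsigned int probes[] = { 0, 3, 5, 3217026068U, (unsigned int)-1 };
	size_t i;

	for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
		printf("code %u -> %s\n", probes[i],
		    syscallname_checked(&sample_abi, probes[i]));
	printf("nameless ABI, code 1 -> %s\n",
	    syscallname_checked(&nameless_abi, 1));
	return (0);
}
```

The one design point worth noting is the parameter type: with a signed `int code`, `code >= sv_size` would let every negative value through, so the check only protects the table when the comparison is done in unsigned arithmetic.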
>Fix:
The attached patch fixed this problem for me.

Patch attached with submission follows:

Index: sys/kern/subr_trap.c
===================================================================
--- sys/kern/subr_trap.c        (revision 208745)
+++ sys/kern/subr_trap.c        (working copy)
@@ -265,7 +265,7 @@
 {
        static const char unknown[] = "unknown";
 
-       if (p->p_sysent->sv_syscallnames == NULL)
+       if (p->p_sysent->sv_syscallnames == NULL || code >= 
p->p_sysent->sv_size )
                return (unknown);
        return (p->p_sysent->sv_syscallnames[code]);
 }
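Review bot: The new `code >= p->p_sysent->sv_size` test in this hunk only closes the hole if `code` is an unsigned type; the backtrace value `code=3217026068` suggests it is, but the parameter declaration is outside the hunk, so confirm it (or compare as `(u_int)code`), since a signed negative code would still pass the check and index in front of the table. Also worth confirming that `sv_size` counts the entries of `sv_syscallnames` and not only of the syscall table. Minor style: the `+` line has a stray space before the closing parenthesis (`sv_size )`) and has been wrapped onto two lines, presumably by the mailer; the committed version should keep the condition on one line.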


>Release-Note:
>Audit-Trail:
>Unformatted:
_______________________________________________
freebsd-bugs@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-bugs