Bug #5907 (closed)

xdrmblk_getpos() is unreliable

Added by Marcel Telka over 6 years ago. Updated about 6 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: kernel
Start date: 2015-05-04
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags: needs-triage
Gerrit CR:
Description

The xdrmblk_getpos() implementation does not work as expected, and it can easily panic the system if not used carefully.

To reproduce the issue, try the following (using the attached module.c file):

# /opt/gcc/4.4.4/bin/gcc -Wall -D_KERNEL -m64 -mcmodel=kernel -mno-red-zone -ffreestanding -nodefaultlibs -c module.c
# /usr/ccs/bin/ld -r -o module module.o
# modload module

After the modload, this appears in /var/adm/messages:

May  5 01:26:44 t1 genunix: [ID 344344 kern.info] NOTICE: Position #0: 0
May  5 01:26:46 t1 genunix: [ID 344344 kern.info] NOTICE: Position #1: 4
May  5 01:26:48 t1 genunix: [ID 344344 kern.info] NOTICE: Position #2: 0
May  5 01:26:50 t1 genunix: [ID 344344 kern.info] NOTICE: Position #3: 4

and the machine panics with this:

> ::status
debugging crash dump vmcore.1 (64-bit) from t1
operating system: 5.11 illumos-4e90188 (i86pc)
image uuid: 312165a1-d276-c83b-981d-9451c4004354
panic message: 
BAD TRAP: type=e (#pf Page fault) rp=ffffff0002e68c10 addr=18 occurred in module "genunix" due to a NULL pointer dereference
dump content: kernel pages only
> ::stack
xdrmblk_getpos+0x28(ffffff0002e68d30)
module`_init+0xee()
modinstall+0x8a(ffffff00d24c2bf0)
mod_hold_installed_mod+0x79(ffffff00c885e580, 0, 0, ffffff0002e68e3c)
modctl_modload+0xa0(0, fffffd7fffdff910, fffffd7fffdffd1c)
modctl+0xb9(0, 0, fffffd7fffdff910, fffffd7fffdffd1c, 0, 0)
sys_syscall+0x17a()
>

The immediate root cause of the panic is that xdrmblk_getint32() can leave x_base set to zero (NULL) and xdrmblk_getpos() does not check for that.

Besides the panic, the reported positions themselves are wrong: the correct log after the module is loaded should look like this:

May  5 01:26:44 t1 genunix: [ID 344344 kern.info] NOTICE: Position #0: 0
May  5 01:26:46 t1 genunix: [ID 344344 kern.info] NOTICE: Position #1: 4
May  5 01:26:48 t1 genunix: [ID 344344 kern.info] NOTICE: Position #2: 8
May  5 01:26:50 t1 genunix: [ID 344344 kern.info] NOTICE: Position #3: 12
...

IOW, the position should increase monotonically.
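The following is an added model of the two defects described above, written for this page; it is not the illumos xdrmblk code and not the attached module.c. It assumes a minimal mblk chain (base, read cursor, end, next block) and an XDR cursor with x_base and x_handy, and contrasts a getpos() that reports only the offset within the current block and dereferences x_base unchecked with one that reports the cumulative offset into the chain and tolerates a NULL x_base. The constructed sample is two 8-byte blocks, i.e. four 32-bit words, read the way the report's module does.

```c
#include <stdint.h>
#include <string.h>

/* Minimal stand-ins for a STREAMS mblk chain and the XDR cursor over it (model only). */
typedef struct mblk { uint8_t *base, *rptr, *wptr; struct mblk *cont; } mblk_t;
typedef struct {
    mblk_t *x_base;   /* current block; NULL once the chain is exhausted */
    size_t x_handy;   /* bytes left in the current block */
    size_t consumed;  /* bytes in blocks already drained (used by the fix only) */
} xdr_t;

/* Read one word; when the block is drained, step to the next one. Stepping past
 * the last block leaves x_base NULL, which is the hazard the report names. */
static int getint32(xdr_t *x, int32_t *out)
{
    mblk_t *m = x->x_base;
    if (m == NULL || x->x_handy < sizeof (int32_t)) return 0;
    memcpy(out, m->rptr, sizeof (int32_t));
    m->rptr += sizeof (int32_t);
    if ((x->x_handy -= sizeof (int32_t)) == 0) {
        x->consumed += (size_t)(m->wptr - m->base);
        x->x_base = m = m->cont;
        x->x_handy = (m != NULL) ? (size_t)(m->wptr - m->rptr) : 0;
    }
    return 1;
}

/* Buggy shape: offset within the current block only, and no NULL check. */
static long getpos_buggy(const xdr_t *x) { return x->x_base->rptr - x->x_base->base; }

/* Hardened shape: offset into the whole chain, and safe once x_base is NULL. */
static long getpos_fixed(const xdr_t *x)
{
    size_t in_block = x->x_base ? (size_t)(x->x_base->rptr - x->x_base->base) : 0;
    return (long)(x->consumed + in_block);
}

/* Constructed sample: two 8-byte blocks holding four words. Records the position
 * before the first read and after each read; returns the number of words read. */
static long sample_pos[2][5];   /* [0] = buggy, [1] = fixed; index = reads so far */
static int run_sample(void)
{
    static uint8_t b1[8], b2[8];
    mblk_t m2 = { b2, b2, b2 + 8, NULL }, m1 = { b1, b1, b1 + 8, &m2 };
    xdr_t x = { &m1, 8, 0 };    /* 8 bytes handy in the first block */
    int32_t v, n;
    for (n = 0; ; n++) {
        sample_pos[1][n] = getpos_fixed(&x);
        sample_pos[0][n] = x.x_base ? getpos_buggy(&x) : -1;  /* -1: would fault */
        if (n == 4 || !getint32(&x, &v)) break;
    }
    return n;
}
static long sample_position(int fixed, int reads) { return sample_pos[fixed][reads]; }
```

The buggy sequence comes out as 0, 4, 0, 4 and then has no block left to dereference, matching the log and the NULL-pointer trap above; the fixed sequence is 0, 4, 8, 12, 16.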


Files

module.c (1.07 KB), Marcel Telka, 2015-05-15 05:42 PM

Related issues

Related to illumos gate - Bug #6747: xdr_READDIR4res() bypass the XDR mblk API (Closed, Marcel Telka, 2016-03-13)

Blocks illumos gate - Bug #6090: IOPS, bandwidth, and latency kstats for NFS server (Rejected, 2015-07-29)
