NetBSD Problem Report #54190

From gson@gson.org  Fri May 10 12:01:19 2019
Return-Path: <gson@gson.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 7F4D27A1AC
	for <gnats-bugs@gnats.NetBSD.org>; Fri, 10 May 2019 12:01:19 +0000 (UTC)
Message-Id: <20190510120113.BFB51989F84@guava.gson.org>
Date: Fri, 10 May 2019 15:01:13 +0300 (EEST)
From: gson@gson.org (Andreas Gustafsson)
Reply-To: gson@gson.org (Andreas Gustafsson)
To: gnats-bugs@NetBSD.org
Subject: pingsize test caused a panic
X-Send-Pr-Version: 3.95

>Number:         54190
>Category:       kern
>Synopsis:       pingsize test caused a panic
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri May 10 12:05:00 +0000 2019
>Last-Modified:  Wed Jun 12 15:38:41 +0000 2019
>Originator:     Andreas Gustafsson
>Release:        NetBSD-current, source date 2019.05.09.13.07.35
>Organization:

>Environment:
System: NetBSD
Architecture: amd64
Machine: amd64
>Description:

Running the ATF tests on real amd64 hardware caused the rump kernel to panic
during the net/icmp/t_ping:pingsize test case:

  [   1.1700090] panic: kernel diagnostic assertion "sp.sp_len <= ETHERMTU + ETHER_HDR_LEN" failed: file "/tmp/bracket/build/2019.05.09.13.07.35-amd64-baremetal/src/sys/rump/net/lib/libshmif/if_shmem.c", line 768 
  [   1.1700090] rump kernel halting...

This is from:

  http://www.gson.org/netbsd/bugs/build/amd64-baremetal/2019/2019.05.09.13.07.35/test.html#net_icmp_t_ping_pingsize

This has only happened once, but I suspect that may be because the
test is sending packets so fast that most of them are lost.

The test is running on server-class hardware with ECC memory, so
a random hardware error is relatively unlikely.

I'm marking the PR confidential until someone can convince me this is
not a remote DoS vulnerability.

>How-To-Repeat:

Perhaps improve the pingsize test to better pace transmissions so that
more of the ping packets actually get through.

>Fix:

>Release-Note:

>Audit-Trail:
From: Andreas Gustafsson <gson@gson.org>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: kern/54190: pingsize test caused a panic
Date: Tue, 11 Jun 2019 09:24:33 +0300

 I modified the test program locally to poll for responses repeatedly
 so that responses were received for most of the transmitted ICMP
 packets, but was unable to reproduce the problem.

 This is beginning to look more like some kind of race condition in
 shmif than a network security issue, so there's probably no need
 to keep this PR confidential any longer.
 -- 
 Andreas Gustafsson, gson@gson.org

>Unformatted:
