NetBSD Problem Report #39918
From itohy@netbsd.org Fri Nov 14 11:38:18 2008
Return-Path: <itohy@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by narn.NetBSD.org (Postfix) with ESMTP id BEF8D63B889
for <gnats-bugs@gnats.netbsd.org>; Fri, 14 Nov 2008 11:38:18 +0000 (UTC)
Message-Id: <200811141138.mAEBcDjR021755@v057181.ppp.asahi-net.or.jp>
Date: Fri, 14 Nov 2008 20:38:13 +0900 (JST)
From: ITOH Yasufumi <itohy@netbsd.org>
Reply-To: itohy@netbsd.org
To: gnats-bugs@gnats.netbsd.org
Subject: local user panic regarding unix(4) sockets
X-Send-Pr-Version: 3.95
>Number: 39918
>Category: kern
>Synopsis: local user panic regarding unix(4) sockets
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: kern-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Nov 14 11:40:00 +0000 2008
>Closed-Date: Sun Mar 01 01:13:13 +0000 2015
>Last-Modified: Mon Aug 13 14:19:56 +0000 2018
>Originator: ITOH Yasufumi
>Release: NetBSD 4.0_STABLE
>Organization:
>Environment:
System: NetBSD narn.netbsd.org 4.0_STABLE NetBSD 4.0_STABLE (NBMAIL) #1: Fri Sep 5 16:31:35 UTC 2008 root@ADMIN:/usr/obj/sys/arch/i386/compile.i386/NBMAIL i386
Architecture: i386
Machine: i386
>Description:
Certain uses of UNIX-domain sockets (unix(4)) can cause a kernel panic.
>How-To-Repeat:
Grab source from
http://www.milw0rm.com/exploits/7091
$ while :; do ./a.out; done
kernel: supervisor trap double fault, code=0
Stopped in pid 21281.1 (a.out) at netbsd:soclose+0x169: movl %ecx,0x14(%esp)
db>
This is probably a kernel stack overflow.
>Fix:
Unknown.
Avoid recursion?
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed
State-Changed-By: christos@NetBSD.org
State-Changed-When: Sat, 28 Feb 2015 20:13:13 -0500
State-Changed-Why:
fixed
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/39918 CVS commit: src/sys/kern
Date: Sat, 28 Feb 2015 20:14:41 -0500
Module Name: src
Committed By: christos
Date: Sun Mar 1 01:14:41 UTC 2015
Modified Files:
src/sys/kern: uipc_usrreq.c
Log Message:
PR/39918: ITOH Yasufumi: Replace KASSERT with continue, since the file
descriptor can be closed since closef() does not pay attention to FDEFER.
XXX: Pullup-7
To generate a diff of this commit:
cvs rdiff -u -r1.174 -r1.175 src/sys/kern/uipc_usrreq.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Soren Jacobsen" <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/39918 CVS commit: [netbsd-7] src/sys/kern
Date: Tue, 14 Apr 2015 04:44:41 +0000
Module Name: src
Committed By: snj
Date: Tue Apr 14 04:44:41 UTC 2015
Modified Files:
src/sys/kern [netbsd-7]: uipc_usrreq.c
Log Message:
Pull up following revision(s) (requested by christos in ticket #678):
sys/kern/uipc_usrreq.c: revision 1.175
PR/39918: ITOH Yasufumi: Replace KASSERT with continue, since the file
descriptor can be closed since closef() does not pay attention to FDEFER.
XXX: Pullup-7
To generate a diff of this commit:
cvs rdiff -u -r1.169.2.2 -r1.169.2.3 src/sys/kern/uipc_usrreq.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
>Unformatted:
This is now http://www.exploit-db.com/exploits/7091/
And will be fixed in head shortly.
Copyright © 1994-2017
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.