NetBSD Problem Report #44190
From www@NetBSD.org Fri Dec 3 17:08:48 2010
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by www.NetBSD.org (Postfix) with ESMTP id 672D263BA9C
for <gnats-bugs@gnats.NetBSD.org>; Fri, 3 Dec 2010 17:08:48 +0000 (UTC)
Message-Id: <20101203170848.16C9163B95F@www.NetBSD.org>
Date: Fri, 3 Dec 2010 17:08:48 +0000 (UTC)
From: explorer@flame.org
Reply-To: explorer@flame.org
To: gnats-bugs@NetBSD.org
Subject: Kernel crash when using ioctl(RNDADDDATA) on /dev/random
X-Send-Pr-Version: www-1.0
>Number: 44190
>Category: kern
>Synopsis: Kernel crash when using ioctl(RNDADDDATA) on /dev/random
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Dec 03 17:10:01 +0000 2010
>Closed-Date: Sat Dec 19 02:36:56 +0000 2015
>Last-Modified: Sat Dec 19 02:36:56 +0000 2015
>Originator: Michael Graff
>Release: 5.1
>Organization:
>Environment:
NetBSD not.flame.org 5.1 NetBSD 5.1 (GENERIC) #0: Sat Nov 20 17:35:12 UCT 2010 root@netbsd-amd64-5.lab.flame.org:/u1/os-build/amd64/obj/sys/arch/amd64/compile/GENERIC amd64
>Description:
I can crash my NetBSD kernel reliably by using the ioctl(RNDADDDATA) call on /dev/random.
>How-To-Repeat:
This code attempts to read from a hardware generator and feed that data into the random pool.
#include <sys/types.h>
#include <sys/ioctl.h>
#include <sys/rnd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <err.h>
#include <string.h>

/* Bits of entropy the pool can still absorb. */
int
get_stored_entropy(int fd)
{
	rndpoolstat_t rs;

	if (ioctl(fd, RNDGETPOOLSTAT, &rs) < 0)
		err(1, "ioctl(RNDGETPOOLSTAT)");
	return (rs.maxentropy - rs.curentropy);
}

#define min(a, b) ((a) < (b) ? (a) : (b))

/* Read up to bits/8 bytes from the TRNG and hand them to the kernel. */
void
fill(int devrandom, int trng, int bits)
{
	rnddata_t rnddata;
	int read_bytes;
	int bytes = bits / 8;

	bytes = min(bytes, sizeof(rnddata.data));
	printf("Filling %d bytes\n", bytes);
	read_bytes = read(trng, &rnddata.data, bytes);
	rnddata.len = read_bytes;	/* as posted: a read() error of -1 is stored here unchecked */
	rnddata.entropy = read_bytes * 8; // pure trng data
	if (bytes != read_bytes)
		printf("short read: wanted %d, read %d\n", bytes, read_bytes);
	if (ioctl(devrandom, RNDADDDATA, &rnddata) < 0)
		err(1, "ioctl(RNDADDDATA)");
}

int
main(int argc, char **argv)
{
	int fd;
	int hw;
	int bits;

	fd = open("/dev/urandom", O_RDONLY, 0644);
	if (fd < 0)
		err(1, "open");
	hw = open("/dev/ugen0.01", O_RDONLY, 0644);
	if (fd < 0)		/* as posted: tests fd rather than hw */
		err(1, "open");

	while (1) {
		bits = get_stored_entropy(fd);
		if (bits > 1024)
			fill(fd, hw, bits);
		else
			usleep(1000);
	}
	close(fd);
}
>Fix:
>Release-Note:
>Audit-Trail:
From: Antti Kantee <pooka@cs.hut.fi>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/44190
Date: Sat, 4 Dec 2010 14:12:35 +0200
How does it crash? Are you sure you are running 5.1?
--
älä karot toivorikkauttas, kyl rätei ja lumpui piisaa
From: Michael Graff <explorer@flame.org>
To: gnats-bugs@NetBSD.org
Cc: Antti Kantee <pooka@cs.hut.fi>, kern-bug-people@netbsd.org,
gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Subject: Re: kern/44190
Date: Sat, 04 Dec 2010 11:24:12 -0600
On 12/4/10 6:15 AM, Antti Kantee wrote:
> The following reply was made to PR kern/44190; it has been noted by GNATS.
>
> From: Antti Kantee <pooka@cs.hut.fi>
> To: gnats-bugs@netbsd.org
> Cc:
> Subject: Re: kern/44190
> Date: Sat, 4 Dec 2010 14:12:35 +0200
>
> How does it crash? Are you sure you are running 5.1?
It crashes with a "trap" -- I have a picture here of the crash,
transcribed for your pleasure:
uvm_fault(0xffffffff809f82c0, 0xffffff8000506f0000, 1) -> e
fatal page fault in supervisor mode
trap type 6 code 0 rip ffffffff80366f48 cs 8 rflags 10202 cr2
ffff800056f0000 cpl 0 rsp ffff80005064b950
kernel: page fault trap, code=0
Stopped in pid 7503.1 (random-feed) at netbsd:rndpool_add_data+0x40:
xorl 0(%r9),%ecx
I'm running NetBSD 5.1 according to uname -a:
explorer@not:~> uname -a
NetBSD not.flame.org 5.1 NetBSD 5.1 (GENERIC) #0: Sat Nov 20 17:35:12 UCT 2010 root@netbsd-amd64-5.lab.flame.org:/u1/os-build/amd64/obj/sys/arch/amd64/compile/GENERIC amd64
rnd.c:
$NetBSD: rnd.c,v 1.71.4.2 2009/11/15 05:46:23 snj Exp $
$NetBSD: rnd.c,v 1.71.4.2 2009/11/15 05:46:23 snj Exp $
rndpool.c:
$NetBSD: rndpool.c,v 1.20 2008/04/28 20:23:47 martin Exp $
$NetBSD: rndpool.c,v 1.20 2008/04/28 20:23:47 martin Exp $
CVS/Entries has this for these two files:
/rndpool.c/1.20/Mon Apr 28 20:23:47 2008//Tnetbsd-5
/rnd.c/1.71.4.2/Tue Nov 24 21:28:27 2009//Tnetbsd-5
And here is the output of a diff for them:
explorer@not:/usr/src/sys/dev> cvs diff -u -r HEAD -kk rnd*
explorer@not:/usr/src/sys/dev>
I don't know how much more certain I am running 5.1 and that the same
file is on HEAD as on the netbsd-5 branch I can be without having you
provide me a kernel to run. :)
--Michael
From: "Antti Kantee" <pooka@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/44190 CVS commit: src/tests/kernel
Date: Sat, 4 Dec 2010 17:38:42 +0000
Module Name: src
Committed By: pooka
Date: Sat Dec 4 17:38:42 UTC 2010
Modified Files:
src/tests/kernel: t_rnd.c
Log Message:
Add test case for suspected reason behind kernel panic described
in PR kern/44190
To generate a diff of this commit:
cvs rdiff -u -r1.1 -r1.2 src/tests/kernel/t_rnd.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->feedback
State-Changed-By: pooka@NetBSD.org
State-Changed-When: Sat, 04 Dec 2010 19:43:56 +0200
State-Changed-Why:
feedback req'd
From: Antti Kantee <pooka@cs.hut.fi>
To: Michael Graff <explorer@flame.org>
Cc: gnats-bugs@NetBSD.org
Subject: Re: kern/44190
Date: Sat, 4 Dec 2010 19:43:21 +0200
On Sat Dec 04 2010 at 11:24:12 -0600, Michael Graff wrote:
> On 12/4/10 6:15 AM, Antti Kantee wrote:
> > The following reply was made to PR kern/44190; it has been noted by GNATS.
> >
> > From: Antti Kantee <pooka@cs.hut.fi>
> > To: gnats-bugs@netbsd.org
> > Cc:
> > Subject: Re: kern/44190
> > Date: Sat, 4 Dec 2010 14:12:35 +0200
> >
> > How does it crash? Are you sure you are running 5.1?
>
> It crashes with a "trap" -- I have a picture here of the crash,
> transcribed for your pleasure:
>
> uvm_fault(0xffffffff809f82c0, 0xffffff8000506f0000, 1) -> e
> fatal page fault in supervisor mode
> trap type 6 code 0 rip ffffffff80366f48 cs 8 rflags 10202 cr2
> ffff800056f0000 cpl 0 rsp ffff80005064b950
> kernel: page fault trap, code=0
> Stopped in pid 7503.1 (random-feed) at netbsd:rndpool_add_data+0x40:
> xorl 0(%r9),%ecx
ic. Hmm, based on a guess I committed a potential fix in rnd.c rev 1.79.
Can you apply that to 5.1 and see if it helps?
(your application code is still wrong, though)
> I'm running NetBSD 5.1 according to uname -a:
>
> explorer@not:~> uname -a
> NetBSD not.flame.org 5.1 NetBSD 5.1 (GENERIC) #0: Sat Nov 20 17:35:12 UCT 2010 root@netbsd-amd64-5.lab.flame.org:/u1/os-build/amd64/obj/sys/arch/amd64/compile/GENERIC amd64
Ok. I was just wondering if there was something wrong with a previous
pullup since I committed another fix to the same code some time ago.
--
älä karot toivorikkauttas, kyl rätei ja lumpui piisaa
From: Michael Graff <explorer@flame.org>
To: Antti Kantee <pooka@cs.hut.fi>
Cc: gnats-bugs@NetBSD.org
Subject: Re: kern/44190
Date: Sat, 04 Dec 2010 16:41:45 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 2010-12-04 11:43 AM, Antti Kantee wrote:
> ic. Hmm, based on a guess I committed a potential fix in rnd.c rev 1.79.
> Can you apply that to 5.1 and see if it helps?
> (your application code is still wrong, though)
Yea, I noticed the bug in my code because of the crash. :)
The fix seems good. Thanks also for adding a test for this.
- --Michael
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAkz6w6kACgkQl6Nz7kJWYWZYRACfTPG8iNIh0AfhcaQsXYJW9r/d
aCUAn1PIX2RDztJsMjv3FoaJwX2cOpfh
=6ZdN
-----END PGP SIGNATURE-----
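The thread agrees on two things: the reporter's program is wrong (its read() result, -1 when /dev/ugen0.01 could not be opened, is stored straight into rnddata.len), and the kernel must not trust the len it is handed. The following is an added example, not code from the PR, from t_rnd.c or from NetBSD's rnd.c: both checks in portable C. The struct is a local stand-in for rnddata_t with an assumed NetBSD 5 layout (32-bit len and entropy, 512-byte data buffer), and the entropy-versus-len check is an extra sanity check of my own, not a claim about what rnd.c rev 1.79 does.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>

/* Local stand-in for NetBSD's rnddata_t so this compiles without
 * <sys/rnd.h>; the layout (32-bit len and entropy, 512-byte data
 * buffer) is assumed from NetBSD 5, not copied from the header. */
#define RND_POOLWORDS 128
struct rnd_data {
	uint32_t len;
	uint32_t entropy;
	unsigned char data[RND_POOLWORDS * 4];
};

/* Kernel side: what an RNDADDDATA handler must verify before it
 * touches data[]. A failed read() stored into the unsigned len field
 * becomes 0xffffffff, and an unchecked len walks the pool code off
 * the end of the 512-byte buffer. Returns 0 or an errno value. */
int
rnd_add_data_check(const struct rnd_data *rd)
{
	if (rd->len > sizeof(rd->data))
		return EINVAL;
	/* Extra sanity check (assumption, not from the PR): a caller
	 * cannot credit more entropy bits than it supplied. */
	if (rd->entropy > rd->len * 8)
		return EINVAL;
	return 0;
}

/* Userland side: build the request from a read() result. nread is
 * whatever read(2) returned; errors (-1) and empty reads are refused
 * instead of being written into len as the reporter's loop did. */
int
rnd_build_request(const unsigned char *buf, ssize_t nread,
    struct rnd_data *rd)
{
	if (nread <= 0 || (size_t)nread > sizeof(rd->data))
		return -1;
	memset(rd, 0, sizeof(*rd));
	memcpy(rd->data, buf, (size_t)nread);
	rd->len = (uint32_t)nread;
	rd->entropy = rd->len * 8;	/* pure TRNG output, as in the PR */
	return 0;
}
```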
State-Changed-From-To: feedback->pending-pullups
State-Changed-By: pooka@NetBSD.org
State-Changed-When: Sun, 05 Dec 2010 11:48:31 +0200
State-Changed-Why:
pullup to netbsd-5
State-Changed-From-To: pending-pullups->open
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Fri, 04 Jan 2013 01:42:41 +0000
State-Changed-Why:
No netbsd-5 pullup is on file. Please make sure you actually
sent it.
State-Changed-From-To: open->closed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Sat, 19 Dec 2015 02:36:56 +0000
State-Changed-Why:
pullup to -5 was never done, but -5 is now EOL
>Unformatted: