NetBSD Problem Report #47217

From martin@duskware.de  Mon Nov 19 14:50:14 2012
Return-Path: <martin@duskware.de>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
	by www.NetBSD.org (Postfix) with ESMTP id E58E163E6C6
	for <gnats-bugs@gnats.NetBSD.org>; Mon, 19 Nov 2012 14:50:13 +0000 (UTC)
From: martin@NetBSD.org
Reply-To: martin@NetBSD.org
To: gnats-bugs@gnats.NetBSD.org
Subject: t_fstatat crashes the kernel
X-Send-Pr-Version: 3.95

>Number:         47217
>Category:       kern
>Synopsis:       t_fstatat crashes the kernel
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    martin
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Nov 19 14:55:00 +0000 2012
>Closed-Date:    Mon Nov 19 15:03:34 +0000 2012
>Last-Modified:  Mon Nov 19 15:05:02 +0000 2012
>Originator:     Martin Husemann
>Release:        NetBSD 6.99.15
>Organization:
The NetBSD Foundation, Inc.
>Environment:
System: NetBSD thirdstage.duskware.de 6.99.15 NetBSD 6.99.15 (MODULAR) #17: Mon Nov 19 10:50:38 CET 2012 martin@night-porter.duskware.de:/usr/src/sys/arch/sparc64/compile/MODULAR sparc64
Architecture: sparc64
Machine: sparc64
>Description:

The t_fstatat ATF test reproducibly crashes my kernel. It seems to try to
write to an invalid stack address (a userland address confused with kernel
space?) at:

(gdb) list *(do_sys_statat+0x7c)
0x15468dc is in do_sys_statat (../../../../kern/vfs_syscalls.c:3061).
3056            error = fd_nameiat(l, fdat, &nd);
3057            if (error != 0) {
3058                    pathbuf_destroy(pb);
3059                    return error;
3060            }
3061            error = vn_stat(nd.ni_vp, sb);
3062            vput(nd.ni_vp);
3063            pathbuf_destroy(pb);
3064            return error;
3065    }

Note that you do not need to be root to crash the machine now...

>How-To-Repeat:

	cd /usr/tests/lib/libc/c063 && atf-run t_fstatat 

>Fix:
yes!

>Release-Note:

>Audit-Trail:

Responsible-Changed-From-To: kern-bug-people->martin
Responsible-Changed-By: martin@NetBSD.org
Responsible-Changed-When: Mon, 19 Nov 2012 15:03:34 +0000
Responsible-Changed-Why:
I fixed it


State-Changed-From-To: open->closed
State-Changed-By: martin@NetBSD.org
State-Changed-When: Mon, 19 Nov 2012 15:03:34 +0000
State-Changed-Why:
fixed


From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/47217 CVS commit: src/sys/kern
Date: Mon, 19 Nov 2012 15:01:18 +0000

 Module Name:	src
 Committed By:	martin
 Date:		Mon Nov 19 15:01:17 UTC 2012

 Modified Files:
 	src/sys/kern: vfs_syscalls.c

 Log Message:
 Use copyout to copy data from kernel out to userland!
 Fixes PR kern/47217.


 To generate a diff of this commit:
 cvs rdiff -u -r1.460 -r1.461 src/sys/kern/vfs_syscalls.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.
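
Added example, not part of the original report or of the NetBSD commit (whose diff is not shown on this page): a userland C model of the pattern the log message names, where the stat result is built in a kernel-owned buffer and reaches the caller's buffer only through a range-checked copy that fails with EFAULT. The model_* functions, struct kstat and the array standing in for user address space are hypothetical; only the copyout contract (0 on success, EFAULT on a bad address) is taken from the real interface.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: "user space" is one array, user addresses are offsets. */
#define USER_SPACE_SIZE 4096
static unsigned char user_space[USER_SPACE_SIZE];

struct kstat { uint64_t st_ino; uint64_t st_size; uint32_t st_mode; };

/* Stand-in for copyout(9): check the whole destination range before
 * copying; return 0 on success or EFAULT, never fault. */
static int model_copyout(const void *kaddr, uintptr_t uaddr, size_t len)
{
    if (uaddr > USER_SPACE_SIZE || len > USER_SPACE_SIZE - uaddr)
        return EFAULT;
    memcpy(user_space + uaddr, kaddr, len);
    return 0;
}

/* Stand-in for vn_stat(): only ever writes to kernel-owned memory. */
static int model_vn_stat(struct kstat *sb)
{
    sb->st_ino = 42;        /* constructed sample values */
    sb->st_size = 1234;
    sb->st_mode = 0100644;
    return 0;
}

/* Stat into a kernel-local buffer, then hand it to userland via copyout. */
int model_statat(uintptr_t user_sb)
{
    struct kstat sb;
    int error;

    memset(&sb, 0, sizeof(sb));   /* keep stack padding out of the copy */
    error = model_vn_stat(&sb);
    if (error != 0)
        return error;
    return model_copyout(&sb, user_sb, sizeof(sb));
}

int main(void)
{
    printf("valid buffer: %d\n", model_statat(64));
    printf("bad buffer:   %d (EFAULT=%d)\n", model_statat(4090), EFAULT);
    return 0;
}
```
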

>Unformatted:
