NetBSD Problem Report #47598

From www@NetBSD.org  Tue Feb 26 17:32:52 2013
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
	by www.NetBSD.org (Postfix) with ESMTP id E01CE63E522
	for <gnats-bugs@gnats.NetBSD.org>; Tue, 26 Feb 2013 17:32:51 +0000 (UTC)
Message-Id: <20130226173250.55CF863E522@www.NetBSD.org>
Date: Tue, 26 Feb 2013 17:32:50 +0000 (UTC)
From: luke@maurits.id.au
Reply-To: luke@maurits.id.au
To: gnats-bugs@NetBSD.org
Subject: Kernel crash in kauth_cred_uidmatch caused by netstat
X-Send-Pr-Version: www-1.0

>Number:         47598
>Category:       kern
>Synopsis:       Kernel crash in kauth_cred_uidmatch caused by netstat
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Feb 26 17:35:00 +0000 2013
>Closed-Date:    Fri Mar 15 09:01:49 +0000 2013
>Last-Modified:  Fri Mar 15 09:01:49 +0000 2013
>Originator:     Luke Maurits
>Release:        6.0 STABLE
>Organization:
>Environment:
NetBSD <hostname> 6.0_STABLE NetBSD 6.0_STABLE (MYKERNEL) #2: Mon Feb  4 03:42:25 UTC 2013  luke@miku.maurits.id.au:/usr/obj/sys/arch/i386/compile/MYKERNEL i386
>Description:
For many months now I have had irregular, random kernel crashes on one of my machines.  The most recent case yielded the following backtrace:

uvm_fault(0xc0af5bd0, 0, 1) -> 0xe
fatal page fault in supervisor mode
trap type 6 code 0 eip c0203a7b cs 9 eflags 10296 cr2 40 ilevel 0
kernel: supervisor trap page fault, code=0                       
Stopped in pid 8877.1 (netstat) at      netbsd:kauth_cred_uidmatch
+0x1b:        m ovl     40(%esi),%
edx kauth_cred_uidmatch
(c12f50c0,0,c12f50c0,c7a378e4,c031ed1b,c0a01120,c12f50c0,c7a3
791c,c02041cd,c12f50c0) at netbsd:kauth_cred_uidmatch+0x1b
secmodel_extensions_network_cb
(c12f50c0,8,0,19,c12dbbb0,0,0,1,0,c1993078) at net
bsd:secmodel_extensions_network_cb+0x5b kauth_authorize_action
(c0a02060,c12f50c0,8,19,c12dbbb0,0,0,c7a37c1c,c0377511,c12 f50c0) at
netbsd:kauth_authorize_action+0x7d kauth_authorize_network
(c12f50c0,8,19,c12dbbb0,0,0,c7a3798c,c05c6ce0,0,6) at net
bsd:kauth_authorize_network+0x3d sysctl_inpcblist
(c7a37c9c,4,0,c7a37cbc,0,0,c7a37c8c,c0f8c7e0,c0a13b40,4) at netb
sd:sysctl_inpcblist+0x171 sysctl_dispatch
(c7a37c8c,8,0,c7a37cbc,0,0,c7a37c8c,c0f8c7e0,c0a13b40,c7a37cbc) a t
netbsd:sysctl_dispatch+0xb7 sys___sysctl
(c0f8c7e0,c7a37d00,c7a37d28,ca,abd17000,0,c7a37d00,c0af0884,2,abf48c
67) at netbsd:sys___sysctl
+0xea syscall
(c7a37d48,b6fb00b3,ab,beb0001f,b6fb001f,8,0,bebfeb40,abf687bc,bebfef98)
a t netbsd:syscall+0xaa

I've recorded 3 of these now, and the backtrace is always through the same series of functions, only the particular pointer values change.

This seems possibly related to kern/43290.  That bug is also caused by a kauth problem in netstat, but it is on kath_cred_getuid where mine is on kauth_cred_uidmatch.

These are happening on a Xen domU (VPS).  Right now it is running NetBSD
6.0_STABLE.  The kernel configuration is derived from the standard XEN3PAE_DOMU with the addition of

no options      INSECURE
options 	PAX_MPROTECT=1 
options		PAX_SEGVGUARD=1
options		PAX_ASLR=1
options         FILEASSOC
options         VERIFIED_EXEC_FP_MD5
options         VERIFIED_EXEC_FP_SHA1
options         VERIFIED_EXEC_FP_RMD160
options         VERIFIED_EXEC_FP_SHA512
options         VERIFIED_EXEC_FP_SHA384
options         VERIFIED_EXEC_FP_SHA256

However, I am pretty certain I got the earliest instances of this crash
earlier on, when it was running 5.1.2 and the stock XEN3PAE_DOMU kernel with no modifications.

The machine in question is primarily a web server, with fairly low traffic.  Things which are typically running all the time are imapproxy, ossec, sshd, php, lighttpd and mysql.  The crash is happening in netstat, but I'm never running it myself at the time of the crashes, so it must be being invoked by something else, most likely one of the above or one of the daily cron scripts.  netstat does not crash if I just run it myself after ssh'ing in, at least not when I pass it no args and it does whatever its defaults are.

I have this machine set to drop to the debugger when it crashes, and I
can access that via my VPS provider's console system, so if anybody
needs me to the next time this happens I can try to provide the values
of variables or anything else which may be necessary.
>How-To-Repeat:

>Fix:

>Release-Note:

>Audit-Trail:
From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: kern/47598: Kernel crash in kauth_cred_uidmatch caused by netstat
Date: Wed, 27 Feb 2013 09:36:38 +0100

 Do you happen to have "curtain" on?
 (sysctl security.curtain, security.models.bsd44.curtain,
 security.models.extensions.curtain)

 Martin

From: Luke Maurits <luke@maurits.id.au>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: kern/47598: Kernel crash in kauth_cred_uidmatch caused by
 netstat
Date: Wed, 27 Feb 2013 01:02:16 -0800

 Yes, I do.  I've got security.curtain=1 in /etc/sysctl.conf.

 Luke

From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: kern/47598: Kernel crash in kauth_cred_uidmatch caused by netstat
Date: Wed, 27 Feb 2013 11:20:54 +0100

 --y0ulUmNC+osPPQO6
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline

 The patch below does two things:

 First hunk should make the kauth code deal with a missing so_cred (which
 would only happen for new connections not yet accepted), denying their
 visibility to everyone.

 Second hunk initializes new sockets credentials earlier during accept(),
 so no sockets with NULL credentials should show up in pcblists.

 An alternative to the second part is to move the intialization of credentials
 to newconn().

 Martin

 --y0ulUmNC+osPPQO6
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: attachment; filename="newcon.patch"

 Index: secmodel_extensions.c
 ===================================================================
 RCS file: /cvsroot/src/sys/secmodel/extensions/secmodel_extensions.c,v
 retrieving revision 1.4
 diff -u -p -r1.4 secmodel_extensions.c
 --- secmodel_extensions.c	28 Jan 2013 00:51:29 -0000	1.4
 +++ secmodel_extensions.c	27 Feb 2013 10:11:07 -0000
 @@ -481,6 +481,9 @@ secmodel_extensions_network_cb(kauth_cre
  	if (curtain != 0) {
  		struct socket *so = (struct socket *)arg1;

 +		if (__predict_false(so->so_cred == NULL))
 +			return KAUTH_RESULT_DENY;
 +
  		if (!kauth_cred_uidmatch(cred, so->so_cred)) {
  			int error;
  			bool isroot = false;
 Index: uipc_syscalls.c
 ===================================================================
 RCS file: /cvsroot/src/sys/kern/uipc_syscalls.c,v
 retrieving revision 1.160
 diff -u -p -r1.160 uipc_syscalls.c
 --- uipc_syscalls.c	14 Feb 2013 21:57:59 -0000	1.160
 +++ uipc_syscalls.c	27 Feb 2013 10:14:09 -0000
 @@ -236,8 +236,8 @@ do_sys_accept(struct lwp *l, int sock, s
  	fp2->f_data = so2;
  	if (flags & SOCK_NONBLOCK)
  		so2->so_state |= SS_NBIO;
 -	error = soaccept(so2, nam);
  	so2->so_cred = kauth_cred_dup(so->so_cred);
 +	error = soaccept(so2, nam);
  	sounlock(so);
  	if (error) {
  		/* an error occurred, free the file descriptor and mbuf */

 --y0ulUmNC+osPPQO6--

From: Luke Maurits <luke@maurits.id.au>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: kern/47598: Kernel crash in kauth_cred_uidmatch caused by
 netstat
Date: Wed, 27 Feb 2013 08:46:49 -0800

 Thank you very much!  What source branch should I apply those patches
 against, 6.0_STABLE?

 Also, because this is a VPS I can't change the kernel myself directly,
 I need to submit a support ticket and wait for the provider to do it.
 Historically, they've been quite slow to respond to that sort of
 request, so it will probably be a week before I am running with these
 patches (and, of course, it will probably take months after that from me
 to be sure the problem is gone, since it happens so irregularly).  Can
 I assume that in the mean time turning off curtain as a temporary
 workaround should prevent more crashes?

 Luke

From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: kern/47598: Kernel crash in kauth_cred_uidmatch caused by netstat
Date: Wed, 27 Feb 2013 18:01:49 +0100

 On Wed, Feb 27, 2013 at 04:50:08PM +0000, Luke Maurits wrote:
 >  Thank you very much!  What source branch should I apply those patches
 >  against, 6.0_STABLE?

 The patch was against -current, I will commit and request pullup to all
 -6 branches after a bit time for comments from others.

 >  I assume that in the mean time turning off curtain as a temporary
 >  workaround should prevent more crashes?

 Yes, it should.

 Martin

From: Luke Maurits <luke@maurits.id.au>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: kern/47598: Kernel crash in kauth_cred_uidmatch caused by
 netstat
Date: Wed, 27 Feb 2013 09:16:59 -0800

 Ah, I see.  Since it's so slow and painful for me to switch kernels on
 this machine, and I don't want to run current on a system I rely on
 being up, I might just turn of curtain for now and wait until 6.1 comes
 out (which I assume will be soonish since an RC was just announced),
 assuming the fix will have made its way into there.

 Thanks very much for your prompt help with this!

From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/47598 CVS commit: src/sys/secmodel/extensions
Date: Thu, 28 Feb 2013 15:23:26 +0000

 Module Name:	src
 Committed By:	martin
 Date:		Thu Feb 28 15:23:25 UTC 2013

 Modified Files:
 	src/sys/secmodel/extensions: secmodel_extensions.c

 Log Message:
 Make the callback deal with embryonic connections which do not have
 credentials yet. Fixes PR kern/47598.


 To generate a diff of this commit:
 cvs rdiff -u -r1.4 -r1.5 src/sys/secmodel/extensions/secmodel_extensions.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/47598 CVS commit: src/tests/kernel
Date: Thu, 28 Feb 2013 15:31:23 +0000

 Module Name:	src
 Committed By:	martin
 Date:		Thu Feb 28 15:31:23 UTC 2013

 Modified Files:
 	src/tests/kernel: Makefile
 Added Files:
 	src/tests/kernel: t_kauth_pr_47598.c

 Log Message:
 Add a testprogram for PR 47598.


 To generate a diff of this commit:
 cvs rdiff -u -r1.31 -r1.32 src/tests/kernel/Makefile
 cvs rdiff -u -r0 -r1.1 src/tests/kernel/t_kauth_pr_47598.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: "Jeff Rizzo" <riz@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/47598 CVS commit: [netbsd-6] src/sys/secmodel/extensions
Date: Thu, 14 Mar 2013 21:56:24 +0000

 Module Name:	src
 Committed By:	riz
 Date:		Thu Mar 14 21:56:23 UTC 2013

 Modified Files:
 	src/sys/secmodel/extensions [netbsd-6]: secmodel_extensions.c

 Log Message:
 Pull up following revision(s) (requested by martin in ticket #839):
 	sys/secmodel/extensions/secmodel_extensions.c: revision 1.5
 Make the callback deal with embryonic connections which do not have
 credentials yet. Fixes PR kern/47598.


 To generate a diff of this commit:
 cvs rdiff -u -r1.2.2.1 -r1.2.2.2 \
     src/sys/secmodel/extensions/secmodel_extensions.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: "Jeff Rizzo" <riz@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/47598 CVS commit: [netbsd-6-0] src/sys/secmodel/extensions
Date: Thu, 14 Mar 2013 21:56:42 +0000

 Module Name:	src
 Committed By:	riz
 Date:		Thu Mar 14 21:56:41 UTC 2013

 Modified Files:
 	src/sys/secmodel/extensions [netbsd-6-0]: secmodel_extensions.c

 Log Message:
 Pull up following revision(s) (requested by martin in ticket #839):
 	sys/secmodel/extensions/secmodel_extensions.c: revision 1.5
 Make the callback deal with embryonic connections which do not have
 credentials yet. Fixes PR kern/47598.


 To generate a diff of this commit:
 cvs rdiff -u -r1.2.8.1 -r1.2.8.2 \
     src/sys/secmodel/extensions/secmodel_extensions.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->closed
State-Changed-By: martin@NetBSD.org
State-Changed-When: Fri, 15 Mar 2013 09:01:49 +0000
State-Changed-Why:
Fixed and pulled up, thanks for the report!


>Unformatted:

NetBSD Home
NetBSD PR Database Search

(Contact us) $NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.