Subject: port-i386/14185: reading file in procfs with mc causes kernel to crash
To: None <gnats-bugs@gnats.netbsd.org>
From: None <stibrany@tenax.sk>
List: netbsd-bugs
Date: 10/07/2001 21:47:26
>Number: 14185
>Category: port-i386
>Synopsis: reading file in procfs with mc causes kernel to crash
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: port-i386-maintainer
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Oct 07 13:34:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator: Peter Stibrany
>Release: NetBSD 1.5.2
>Organization:
none
>Environment:
System: NetBSD litestar.local 1.5.2 NetBSD 1.5.2 (LITESTAR) #4: Sun Oct 7 16:16:42 CEST 2001 cipso@litestar.local:/usr/src/sys/arch/i386/compile/LITESTAR i386
config (LITESTAR) file:
machine i386
maxusers 32 # estimated number of users
options I686_CPU
options VM86 # virtual 8086 emulation
options DUMMY_NOPS
options EXEC_AOUT # required (original comment, Slovak: "musi byt" = "must be")
options EXEC_ELF32 # exec ELF binaries
options EXEC_SCRIPT # exec #! scripts
options CPURESET_DELAY=1000
# Standard system options
options UCONSOLE # users can use TIOCCONS (for xconsole)
options INSECURE # disable kernel security levels
options RTC_OFFSET=0 # hardware clock is this many mins. west of GMT
options KTRACE # system call tracing via ktrace(1)
options SYSVMSG # System V-like message queues
options SYSVSEM # System V-like semaphores
options SYSVSHM # System V-like memory sharing
options LKM # loadable kernel modules
# Diagnostic/debugging support options
options DIAGNOSTIC # cheap kernel consistency checks
options DDB # in-kernel debugger
options DDB_HISTORY_SIZE=512 # enable history editing in DDB
# Compatibility options
options COMPAT_LINUX # binary compatibility with Linux
options COMPAT_FREEBSD # binary compatibility with FreeBSD
# File systems
file-system FFS # UFS
file-system EXT2FS # second extended file system (linux)
file-system CD9660 # ISO 9660 + Rock Ridge file system
file-system MSDOSFS # MS-DOS file system
file-system FDESC # /dev/fd
file-system KERNFS # /kern
file-system PROCFS # /proc
# File system options
options SOFTDEP # FFS soft updates support.
# Networking options
options INET # IP + ICMP + TCP + UDP
options INET6 # IPV6
options PPP_BSDCOMP # BSD-Compress compression support for PPP
options PPP_DEFLATE # Deflate compression support for PPP
options PPP_FILTER # Active filter support for PPP (requires bpf)
options PFIL_HOOKS # pfil(9) packet filter hooks
# These options enable verbose messages for several subsystems.
# Warning, these may compile large string tables into the kernel!
options PCIVERBOSE # verbose PCI device autoconfig messages
options USBVERBOSE # verbose USB device autoconfig messages
#
# wscons options
#
options WSEMUL_VT100 # VT100 / VT220 emulation
options WS_KERNEL_FG=WSCOL_GREEN
options WSDISPLAY_COMPAT_PCVT # emulate some ioctls
options WSDISPLAY_COMPAT_SYSCONS # emulate some ioctls
options WSDISPLAY_COMPAT_USL # VT handling
options WSDISPLAY_COMPAT_RAWKBD # can get raw scancodes
options PCDISPLAY_SOFTCURSOR
# Kernel root file system and dump configuration.
config netbsd root on wd0a type ffs
# Device configuration
mainbus0 at root
apm0 at mainbus0 # Advanced power management
# Basic Bus Support
# PCI bus support
pci* at mainbus? bus ?
pci* at ppb? bus ?
# PCI bridges
pchb* at pci? dev ? function ? # PCI-Host bridges
pcib* at pci? dev ? function ? # PCI-ISA bridges
ppb* at pci? dev ? function ? # PCI-PCI bridges
# ISA bus support
isa* at pcib?
# ISA Plug-and-Play bus support
isapnp0 at isa?
# Coprocessor Support
# Math Coprocessor support
npx0 at isa? port 0xf0 irq 13 # x86 math coprocessor
# Console Devices
# wscons
pckbc0 at isa? # pc keyboard controller
pckbd* at pckbc? # PC keyboard
pmsi* at pckbc? # PS/2 "Intelli"mouse for wsmouse
vga* at pci? dev ? function ?
wsdisplay* at vga? console ?
wskbd* at pckbd? console ?
wsmouse* at pmsi? mux 0
pcppi0 at isa?
sysbeep0 at pcppi?
# Serial Devices
# ISA serial interfaces
com0 at isa? port 0x3f8 irq 4 # Standard PC serial ports
com1 at isa? port 0x2f8 irq 3
# Parallel Printer Interfaces
# ISA parallel printer interfaces
lpt0 at isa? port 0x378 irq 7 # standard PC parallel ports
# VIA VT82C686A hardware monitor
viapm* at pci? dev ? function ?
viaenv* at viapm?
# IDE and related devices
# PCI IDE controllers - see pciide(4) for supported hardware.
# The 0x0001 flag forces the driver to use DMA, even if the driver doesn't know
# how to set up DMA modes for this chip. This may work, or may cause
# a machine hang with some controllers.
pciide* at pci? dev ? function ? flags 0x0000
# IDE drives
wd* at pciide? channel ? drive ? flags 0x0000
# ATAPI bus support
atapibus* at pciide? channel ?
# ATAPI devices
cd* at atapibus? drive ? flags 0x0000 # ATAPI CD-ROM drives
# Miscellaneous mass storage devices
# ISA floppy
fdc0 at isa? port 0x3f0 irq 6 drq 2 # standard PC floppy controllers
fd* at fdc? drive ? # the drives themselves
# Network Interfaces
# PCI network interfaces
ne* at pci? dev ? function ? # NE2000-compatible Ethernet
# USB Controller and Devices
# PCI USB controllers
uhci* at pci? dev ? function ? # Universal Host Controller (Intel)
# USB bus support
usb* at uhci?
# USB Hubs
uhub* at usb?
uhub* at uhub? port ? configuration ? interface ?
# USB Generic driver
ugen* at uhub? port ?
# Audio Devices
# PCI audio devices
eap* at pci? dev ? function ? # Ensoniq AudioPCI
# Audio support
audio* at eap?
midi* at eap? # 137[01] MIDI port
# disk/mass storage pseudo-devices
pseudo-device vnd 4 # disk-like interface to files
# network pseudo-devices
pseudo-device bpfilter 8 # Berkeley packet filter
pseudo-device loop # network loopback
pseudo-device ppp 2 # Point-to-Point Protocol
# miscellaneous pseudo-devices
pseudo-device pty 64 # pseudo-terminals
pseudo-device sequencer 1 # MIDI sequencer
pseudo-device rnd # /dev/random and in-kernel generator
# mouse & keyboard multiplexor pseudo-devices
pseudo-device wsmux 2
dmesg:
NetBSD 1.5.2 (LITESTAR) #4: Sun Oct 7 16:16:42 CEST 2001
cipso@litestar.local:/usr/src/sys/arch/i386/compile/LITESTAR
cpu0: AMD Athlon Model 4 (Thunderbird) (686-class), 700.08 MHz
total memory = 255 MB
avail memory = 234 MB
using 3297 buffers containing 13188 KB of memory
BIOS32 rev. 0 found at 0xfb4a0
mainbus0 (root)
pci0 at mainbus0 bus 0: configuration mode 1
pci0: i/o space, memory space enabled
pchb0 at pci0 dev 0 function 0
pchb0: VIA Technologies VT8371 (Apollo KX133) Host Bridge (rev. 0x02)
ppb0 at pci0 dev 1 function 0: VIA Technologies VT8371 (Apollo KX133) PCI-PCI Bridge (rev. 0x00)
pci1 at ppb0 bus 1
pci1: i/o space, memory space enabled
vga0 at pci1 dev 0 function 0: S3 Savage4 (rev. 0x03)
wsdisplay0 at vga0: console (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0
pcib0: VIA Technologies VT82C686A (Apollo KX133) PCI-ISA Bridge (rev. 0x22)
pciide0 at pci0 dev 7 function 1: VIA Technologies VT82C686A (Apollo KX133) ATA66 controller
pciide0: bus-master DMA support present
pciide0: primary channel configured to compatibility mode
wd0 at pciide0 channel 0 drive 0: <Maxtor 90648D3>
wd0: drive supports 16-sector pio transfers, lba addressing
wd0: 6179 MB, 12556 cyl, 16 head, 63 sec, 512 bytes/sect x 12656448 sectors
wd0: 32-bit data port
wd0: drive supports PIO mode 4, DMA mode 2, Ultra-DMA mode 2
pciide0: primary channel interrupting at irq 14
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2 (using DMA data transfers)
pciide0: secondary channel configured to compatibility mode
atapibus0 at pciide0 channel 1
cd0 at atapibus0 drive 0: <ATAPI-CD ROM-DRIVE-52MAX, UM1102 Firmware, VER 52A> type 5 cdrom removable
cd0: 32-bit data port
cd0: drive supports PIO mode 4, DMA mode 2, Ultra-DMA mode 2
pciide0: secondary channel interrupting at irq 15
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2 (using DMA data transfers)
uhci0 at pci0 dev 7 function 2: VIA Technologies VT83C572 USB Controller (rev. 0x10)
uhci0: interrupting at irq 10
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: VIA Technologie UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 7 function 3: VIA Technologies VT83C572 USB Controller (rev. 0x10)
uhci1: interrupting at irq 10
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: VIA Technologie UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
viapm0 at pci0 dev 7 function 4
ne0 at pci0 dev 11 function 0: RealTek 8029 Ethernet
ne0: 10base2, 10baseT, 10baseT-FDX, auto, default [0x02 0x30] auto
ne0: Ethernet address 52:54:ab:4d:f8:00
ne0: interrupting at irq 10
eap0 at pci0 dev 15 function 0: Ensoniq AudioPCI 97 ES1373B (rev. 0x06)
eap0: interrupting at irq 9
eap0: Crystal CS4297 codec; headphone, 18 bit DAC, 18 bit ADC, no 3D stereo
audio0 at eap0: full duplex, mmap, independent
midi0 at eap0: AudioPCI MIDI UART
pciide1 at pci0 dev 19 function 0: Triones/Highpoint HPT370 IDE Controller
pciide1: bus-master DMA support present
pciide1: primary channel wired to native-PCI mode
pciide1: using irq 11 for native-PCI interrupt
pciide1: secondary channel wired to native-PCI mode
isa0 at pcib0
com0 at isa0 port 0x3f8-0x3ff irq 4: ns16550a, working fifo
com1 at isa0 port 0x2f8-0x2ff irq 3: ns16550a, working fifo
pckbc0 at isa0 port 0x60-0x64
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
lpt0 at isa0 port 0x378-0x37b irq 7
pcppi0 at isa0 port 0x61
sysbeep0 at pcppi0
isapnp0 at isa0 port 0x279: ISA Plug 'n Play device support
npx0 at isa0 port 0xf0-0xff: using exception 16
fdc0 at isa0 port 0x3f0-0x3f7 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB, 80 cyl, 2 head, 18 sec
isapnp0: no ISA Plug 'n Play devices found
viaenv0 at viapm0
apm0 at mainbus0: Power Management spec V1.2 (slowidle)
biomask ed65 netmask ed65 ttymask fde7
boot device: <unknown>
root on wd0a dumps on wd0b
wsdisplay0: screen 1 added (80x25, vt100 emulation)
wsdisplay0: screen 2 added (80x25, vt100 emulation)
wsdisplay0: screen 3 added (80x25, vt100 emulation)
wsdisplay0: screen 4 added (80x25, vt100 emulation)
wsdisplay0: screen 5 added (80x25, vt100 emulation)
wsmux1: connecting to wsdisplay0
>Description:
Using the View command in Midnight Commander on the file /proc/self/fpregs causes
the system to crash. MC does not need to be run as root, so any unprivileged
local user can crash the system just by opening the right file (a local denial of service)!
>How-To-Repeat:
Mount /proc (mount -t procfs /proc /proc).
Start Midnight Commander as a normal (non-root) user,
go to /proc/self, move the cursor to fpregs,
and press F3 to view the fpregs file. The kernel drops into the debugger
(this kernel is built with options DDB) and prints this:
uvm_fault(0xd2492004, 0x0, 0, 1) -> 1
kernel: page fault trap, code =0, stop
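The fault address passed to uvm_fault (second argument) is 0x0, which suggests
a NULL pointer dereference in the kernel while reading fpregs.
Midnight Commander was installed directly from pkgsrc; its version
is 4.5.51.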
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted: