Subject: kern/24365: ipsec/setkey/racoon is dangerous for kernel memory
To: None <gnats-bugs@gnats.NetBSD.org>
From: Frank Kardel <kardel@pip.acrys.com>
List: netbsd-bugs
Date: 02/08/2004 18:44:58
>Number:         24365
>Category:       kern
>Synopsis:       ipsec/setkey/racoon is dangerous for kernel memory
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Feb 08 18:56:00 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator:     Frank Kardel
>Release:        NetBSD 1.6ZI
>Organization:
	
>Environment:
System: NetBSD pip 1.6ZI NetBSD 1.6ZI (SYSPIP_ISDN) #0: Sun Feb 8 17:40:48 MET 2004 kardel@pip:/fs/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/arch/i386/compile/obj.i386/SYSPIP_ISDN i386
Architecture: i386
Machine: i386
>Description:
	When playing around with IPSEC (IPv4) I found that currently
	IPSEC is dangerous for kernel memory integrity. By repeatedly
	running /etc/rc.d/ipsec reload and /etc/rc.d/racoon restart while
	having successful negotiations with a partner racoon leading to
	working SAs, several kernel panics can be observed. Below is a list
	of stack traces from different kernels (with and without debug).
	The crashes occur in key handling code, or show up as corrupt
	amaps or buffer corruption.

Stack traces:
(gdb) target kcore netbsd.0.core
panic: bremfree: lost tail
#0  0x00000001 in ?? ()
(gdb) where
#0  0x00000001 in ?? ()
#1  0xc03619d9 in cpu_reboot ()
#2  0xc0293f2c in db_sync_cmd ()
#3  0xc029397f in db_command ()
#4  0xc029369a in db_command_loop ()
#5  0xc0296758 in db_trap ()
#6  0xc035f2ca in kdb_trap ()
#7  0xc036b726 in trap ()
#8  0xc010acab in calltrap ()
#9  0xc02d3741 in panic ()
#10 0xc02edfb1 in bremfree ()
#11 0xc02eef4f in getnewbuf ()
#12 0xc02eebe2 in getblk ()
#13 0xc02ee2ff in bread ()
#14 0xc025ba56 in ext2fs_update ()
#15 0xc02fca38 in VOP_UPDATE ()
#16 0xc02fd69e in genfs_fsync ()
#17 0xc02fc4a4 in VOP_FSYNC ()
#18 0xc025fb19 in ext2fs_sync ()
#19 0xc02f6a36 in sys_sync ()
#20 0xc02f51bb in vfs_shutdown ()
#21 0xc03619ed in cpu_reboot ()
#22 0xc0293f2c in db_sync_cmd ()
#23 0xc029397f in db_command ()
#24 0xc029369a in db_command_loop ()
#25 0xc0296758 in db_trap ()
#26 0xc035f2ca in kdb_trap ()
#27 0xc036b726 in trap ()
#28 0xc010acab in calltrap ()
#29 0xc02d3741 in panic ()
#30 0xc02edfb1 in bremfree ()
#31 0xc02eef4f in getnewbuf ()
#32 0xc02eebe2 in getblk ()
#33 0xc02ee2ff in bread ()
#34 0xc027577c in ffs_read ()
#35 0xc02fc2d4 in VOP_READ ()
#36 0xc0291acb in ufs_readdir ()
#37 0xc02fc674 in VOP_READDIR ()
#38 0xc02fb933 in vn_readdir ()
#39 0xc02faf33 in sys_getdents ()
#40 0xc036b112 in syscall_plain ()
(gdb) 


(gdb)  target kcore netbsd.1.core
#0  0x00000001 in ?? ()
(gdb) where
#0  0x00000001 in ?? ()
#1  0xc03619d9 in cpu_reboot ()
#2  0xc0293f2c in db_sync_cmd ()
#3  0xc029397f in db_command ()
#4  0xc029369a in db_command_loop ()
#5  0xc0296758 in db_trap ()
#6  0xc035f2ca in kdb_trap ()
#7  0xc036b726 in trap ()
#8  0xc010acab in calltrap ()
#9  0xc0163bc5 in ipsec4_delete_pcbpolicy ()
#10 0xc0114765 in in_pcbdetach ()
#11 0xc01299f1 in udp_usrreq ()
#12 0xc02e7bc5 in soclose ()
#13 0xc02da645 in soo_close ()
#14 0xc02b03a2 in closef ()
#15 0xc036b112 in syscall_plain ()
(gdb) 

(gdb) where
#0  0x00000001 in ()
#1  0xc03619bd in cpu_reboot (howto=99479552, bootstr=0x0)
    at /fs/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/arch/i386/i386/machdep.c:731
#2  0xc0293f44 in db_sync_cmd (addr=1, have_addr=0, count=-1069904570, 
    modif=0xcdfb7b58 "Q_o{\001")
    at /fs/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/ddb/db_command.c:750
#3  0xc0293997 in db_command (last_cmdp=0xc0517910, cmd_table=0xcdfb7b50)
    at /fs/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/ddb/db_command.c:464
#4  0xc02936b2 in db_command_loop ()
    at /fs/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/ddb/db_command.c:255
#5  0xc0296770 in db_trap (type=0, code=0)
    at /fs/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/ddb/db_trap.c:101
#6  0xc035f2ae in kdb_trap (type=6, code=0, regs=0x0)
    at /fs/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/arch/i386/i386/db_interface.c:225
#7  0xc036b706 in trap (frame=0xcdfb7d9c)
    at /fs/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/arch/i386/i386/trap.c:284
#8  0xc010acab in calltrap ()
#9  0xc01679ed in key_newsp (id=0)
    at /fs/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/netkey/key.c:1114
#10 0xc0167ac9 in key_msg2sp (xpl0=0xc1992a20, len=0, error=0xcdfb7e4c)
    at /fs/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/netkey/key.c:1165
#11 0xc0163920 in ipsec_set_policy (spp=0xc2525c00, optname=22, 
    request=0xc1992a20 "\002", len=16, priv=1)
    at /fs/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/netinet6/ipsec.c:1362
#12 0xc011c886 in ip_ctloutput (op=0, so=0xcdfb7b58, level=0, optname=22, 
    mp=0x10)
    at /fs/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/netinet/ip_output.c:1252
#13 0xc02e943c in sosetopt (so=0xc1abe594, level=0, optname=22, m0=0xc1992a00)
    at /fs/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/kern/uipc_socket.c:1296
#14 0xc02ec027 in sys_setsockopt (l=0xcdfb7b58, v=0xcdfb7f64, 
    retval=0xcdfb7f5c)
    at /fs/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/kern/uipc_syscalls.c:834
#15 0xc036b0f2 in syscall_plain (frame=0xcdfb7fa8)
    at /fs/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/arch/i386/i386/syscall.c:156
(gdb) 

panic: amap_wipeout: corrupt amap
#0  0x00000001 in ?? ()
(gdb) where
#0  0x00000001 in ?? ()
#1  0xc03619bd in cpu_reboot (howto=801165312, bootstr=0x0)
    at /fs/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/arch/i386/i386/machdep.c:731
#2  0xc0293f44 in db_sync_cmd (addr=1, have_addr=0, count=-1069904570, 
    modif=0xce45fbc8 "Q_E\001")
    at /fs/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/ddb/db_command.c:750
#3  0xc0293997 in db_command (last_cmdp=0xc0517910, cmd_table=0xce45fbc0)
    at /fs/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/ddb/db_command.c:464
#4  0xc02936b2 in db_command_loop ()
    at /fs/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/ddb/db_command.c:255
#5  0xc0296770 in db_trap (type=0, code=0)
    at /fs/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/ddb/db_trap.c:101
#6  0xc035f2ae in kdb_trap (type=1, code=0, regs=0x0)
    at /fs/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/arch/i386/i386/db_interface.c:225
#7  0xc036b706 in trap (frame=0xce45fe0c)
    at /fs/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/arch/i386/i386/trap.c:284
#8  0xc010acab in calltrap ()
can not access 0x1, invalid translation (invalid PTE)
can not access 0x1, invalid translation (invalid PTE)
can not access 0x1, invalid translation (invalid PTE)
can not access 0x1, invalid translation (invalid PTE)
can not access 0x1, invalid translation (invalid PTE)
can not access 0x1, invalid translation (invalid PTE)
#9  0xc02d3759 in panic (fmt=0x1 <Address 0x1 out of bounds>)
    at /fs/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/kern/subr_prf.c:226
#10 0xc0334d13 in amap_wipeout (amap=0xcdaa5824)
    at /fs/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/uvm/uvm_amap.c:668
#11 0xc033d3e6 in uvm_unmap_detach (first_entry=0xcdc86f80, flags=0)
    at /fs/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/uvm/uvm_map.c:479
#12 0xc033f2c8 in uvmspace_free (vm=0xcdacd2ac)
    at /fs/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/uvm/uvm_map.c:3626
#13 0xc02b47e0 in exit1 (l=0xcd392e78, rv=0)
    at /fs/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/kern/kern_exit.c:383
#14 0xc02b450f in sys_exit (l=0xcd392e78, v=0xce45fbc8, retval=0xce45ff5c)
    at /fs/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/kern/kern_exit.c:179
#15 0xc036b0f2 in syscall_plain (frame=0xce45ffa8)
    at /fs/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/arch/i386/i386/syscall.c:156
(gdb) 

>How-To-Repeat:
	Set up working SA associations, then repeatedly run
	/etc/rc.d/ipsec reload and /etc/rc.d/racoon restart.
	Watch the kernel crash after a short time.
>Fix:
        
>Release-Note:
>Audit-Trail:
>Unformatted:
 		current-20040208-090000