Subject: kern/29124: Invalid TCP connection (from hacker/spam site) causes diagnostic panic
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <paul@Plectere.com>
List: netbsd-bugs
Date: 01/25/2005 23:13:00
>Number:         29124
>Category:       kern
>Synopsis:       Invalid TCP connection (from hacker/spam site) causes diagnostic panic
>Confidential:   yes
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Jan 25 23:13:00 +0000 2005
>Originator:     Paul Shupak
>Release:        NetBSD 2.99.14
>Organization:
	
>Environment:
	
	
System: NetBSD cobalt 2.99.14 NetBSD 2.99.14 (COBALT-$Revision: 1.4 $) #795: Sat Jan 22 06:40:33 PST 2005 root@svcs:/sys/arch/i386/compile/COBALT i386
Architecture: i386
Machine: i386
>Description:
	The TCP connection tear-down from a rogue hacker/spammer site will
cause repeatable diagnostic panics at line 281 in file kern_timeout (i.e.
"to_ticks >= 0").  I have not (yet) successfully captured a copy of the
code transferred or captured a trace of the TCP transaction (it always panics).

	The symptom is independent of the connection method.  Either of many
browsers (e.g. a very old Mosaic, Mozilla, Netscape-linux, lynx, and
Opera-linux have all been attempted) or even using telnet to port 80 on the
machine.  The machine which contains the exploit is "monsterisp.com" at
IP 64.202.167.129.  Attempts to connect through several proxies all fail
(but I only tried about 4 public ones and 3 non-public proxies).

	NOTE: neither Win2K nor WinXP crashes and the first page contains
no obvious (or likely any) html exploits.  A dump of the root page of the
site is included below (captured using lynx under WinXP):
--------------------------------------------------------------------------------
<html>
<head>
<title>MonsterISP.com Free and Paid Internet Service Provider Dialup and DSL</title>
<META name="description" content="MonsterISP.com lets you stay connected with pay and free internet dialup, DSL, Web/POP email. MonsterConnect brought to you by Create-A-Monster.com">
<META name="keywords" content="dialup, free dialup isp, dialup isp, free dialup, cheap dialup isp, dialup internet access, dialup internet service, best dialup isp, dial up access, dial up, dial up isp, access dial msn numbers up, dial up access numbers, free dial up isp, dsl, dsl service, dsl provider, dsl yahoo, sbc dsl, comcast dsl service, dsl providers, dsl sbc yahoo, sbc global dsl, verizon dsl, monster, monsterisp, monsterconnect, broad band isp, broad band">
</head>
<frameset rows="100%,*" border="0">
<frame src="http://www.affinitypath.com/isp/3534" frameborder="0">
<frame frameborder="0" noresize>
</frameset>
</html>

<!-- m -->
--------------------------------------------------------------------------------

	A full core dump and "-g" kernel is available for diagnosis.

	
>How-To-Repeat:

	Try to browse the site in question (I can repeat it at will on a
few machines) - just be prepared to crash.

	A gdb traceback follows:
Script started on Tue Jan 25 14:57:18 2005
# gdb /var/tmp/netbsd.6*
GNU gdb 5.3nb1
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386--netbsdelf"...(no debugging symbols found)...
"/var/tmp/netbsd.6.core" is not a core dump: File format not recognized
(gdb) target kcore /var/tmp/netbsd.6.core
#0  0x00000000 in ?? ()
(gdb) file /netbsd.gdb
Reading symbols from /netbsd.gdb...done.
(gdb) where
#0  0x00000000 in ?? ()
#1  0xc094f000 in ?? ()
#2  0xc031b3ed in cpu_reboot (howto=256, bootstr=0x0)
    at ../../../../arch/i386/i386/machdep.c:751
#3  0xc025fc18 in db_sync_cmd (addr=1, have_addr=0, count=-1070164034, 
    modif=0xd0bfba68 "\200\006\205\177\001")
    at ../../../../ddb/db_command.c:750
#4  0xc025f667 in db_command (last_cmdp=0xc0808384, cmd_table=0xc041d0e0)
    at ../../../../ddb/db_command.c:464
#5  0xc025f37a in db_command_loop () at ../../../../ddb/db_command.c:255
#6  0xc026246c in db_trap (type=1, code=0) at ../../../../ddb/db_trap.c:101
#7  0xc0318b4e in kdb_trap (type=1, code=0, regs=0xd0bfbcac)
    at ../../../../arch/i386/i386/db_interface.c:225
#8  0xc0323c4d in trap (frame=0xd0bfbcac)
    at ../../../../arch/i386/i386/trap.c:270
#9  0xc010af1d in calltrap ()
#10 0xc02a8a6d in panic (
    fmt=0xc04c4cc0 "kernel %sassertion \"%s\" failed: file \"%s\", line %d")
    at ../../../../kern/subr_prf.c:226
#11 0xc0405ba4 in __assert (t=0xc044afe3 "diagnostic ", 
can not access 0xc0454da7, invalid translation (invalid PTE)
can not access 0xc0454da7, invalid translation (invalid PTE)
can not access 0xc0454daf, invalid translation (invalid PTE)
can not access 0xc0454daf, invalid translation (invalid PTE)
    f=0xc0493ae0 "../../../../kern/kern_timeout.c", l=281, 
    e=0xc0454da7 "to_ticks >= 0")
    at ../../../../../../lib/libkern/__assert.c:47
#12 0xc02a177d in callout_schedule (c=0xc2f8377c, to_ticks=-350)
    at ../../../../kern/kern_timeout.c:301
#13 0xc0121c6f in tcp_output (tp=0xc2f83770)
    at ../../../../netinet/tcp_output.c:1204
#14 0xc0126636 in tcp_disconnect (tp=0xc2f83770)
    at ../../../../netinet/tcp_usrreq.c:877
#15 0xc0125edf in tcp_usrreq (so=0xc2f84b0c, req=6, m=0x0, nam=0x0, 
    control=0x0, p=0x0) at ../../../../netinet/tcp_usrreq.c:456
#16 0xc02bec17 in sodisconnect (so=0xc2f84b0c)
    at ../../../../kern/uipc_socket.c:703
#17 0xc02be9ae in soclose (so=0xc2f84b0c) at ../../../../kern/uipc_socket.c:585
#18 0xc02affc1 in soo_close (fp=0xd25f4b30, p=0xd2610668)
    at ../../../../kern/sys_socket.c:238
#19 0xc0282bdf in closef (fp=0xd25f4b30, p=0xd2610668)
    at ../../../../kern/kern_descrip.c:1424
#20 0xc03236b3 in syscall_plain (frame=0xd0bfbfa8)
    at ../../../../arch/i386/i386/syscall.c:161
(gdb) quit
# 
Script done on Tue Jan 25 14:58:10 2005

>Fix:
	Sorry, I don't understand the exploit, so have no clue as to the fix.

>Unformatted: