Subject: kern/33935: wip/openct can crash NetBSD-current from userspace
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <ggm@apnic.net>
List: netbsd-bugs
Date: 07/07/2006 05:40:00
>Number:         33935
>Category:       kern
>Synopsis:       (user process) ifdhandler -> ugenpoll causes page fault to ddb> prompt
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Jul 07 05:40:00 +0000 2006
>Originator:     George Michaelson
>Release:        NetBSD 3.99.21
>Organization:
George Michaelson       |  APNIC
Email: ggm@apnic.net    |  PO Box 2131 Milton
Phone: +61 7 3858 3150  |  QLD 4064 Australia
  Fax: +61 7 3858 3199  |  http://www.apnic.net
>Environment:
System: NetBSD garlique.algebras.org 3.99.21 NetBSD 3.99.21 (GGM_ACPI) #3: Fri Jul 7 10:28:00 EST 2006 ggm@garlique.algebras.org:/data/Build/obj/usr/src/sys/arch/i386/compile/GGM_ACPI i386
Architecture: i386
Machine: i386
>Description:

	I'm trying to get a Rainbow iKey 2032 USB security token to work
	in NetBSD current, using the wip/openct package, which uses the
	pcsc library to do ugen device driving.

	When I run the openct-control init process, it detects the key
	from its USB id, and then calls its ifdhandler process to try
	and open /dev/ugen0 or /dev/ugen1. The device has been recognized
	as USB <whatever> host 2, so I do wonder if this is just about
	it opening a ugen 'controller' rather than an attached device, e.g.
	/dev/ugen1.02, but be that as it may, the ifdhandler process then
	causes a page fault, and I'm dropped to the ddb> prompt.

	ddb> showed me:

	uvm_fault (0xcc29c7e4,0,1) -> 0xe
	kernel: supervisor trap page fault, code=0
	stopped in pid 177.1 (ifdhandler) at
	netbsd:ugenpoll+0x69 movzbl 0x3 (%eax), %eax

	*One* time, I was able to get the device to recognize and
	list its crypto goodness. All other times, this has happened.

>How-To-Repeat:
	Buy, steal or borrow a Rainbow iKey 2032. Plug it into a USB
	port, run wip/openct and start the openct-control init process
	as root.

>Fix:
	NFI. I am *hoping* this is something about usb/ugen in the kernel
	which can be closed off: I really don't think even root processes
	should page fault from userspace...

>Unformatted: