NetBSD-Bugs archive


kern/48308: User can crash machine using a USB webcam



>Number:         48308
>Category:       kern
>Synopsis:       non-privileged user can crash machine using a USB webcam
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Oct 13 16:25:00 +0000 2013
>Originator:     Dave Tyson
>Release:        NetBSD 6.99.23
>Organization:
        Anduin
>Environment:
        
        
System: NetBSD darkstar.anduin.org.uk 6.99.23 NetBSD 6.99.23 (MR) #0: Sun Sep 
29 13:58:49 BST 2013 
root%darkstar.anduin.org.uk@localhost:/usr/obj/sys/arch/i386/compile/MR i386
Architecture: i386
Machine: i386
>Description:
Plug in a USB webcam supported by the UVC interface. Bring up mplayer to 
display video.
Find the system crashes shortly after due to an assert.

panic: kernel diagnostic assertion "(!cpu_intr_p() && !cpu_softintr_p())" 
failed: file "/usr/src/sys/kern/subr_kmem.c", line 366 kmem(9) should not be 
used from the interrupt context
fatal breakpoint trap in supervisor mode
trap type 1 code 0 eip c027fb04 cs 8 eflags 200246 cr2 ba5fe440 ilevel 4 esp 
db469aac
curlwp 0xc3b4ca80 pid 0 lid 3 lowest kstack 0xdb467000

root(darkstar)crash$ crash -M netbsd.10.core        
Crash version 6.99.23, image version 6.99.23.
System panicked: kernel diagnostic assertion "(!cpu_intr_p() && 
!cpu_softintr_p())" failed: file "/usr/src/sys/kern/subr_kmem.c", line 366 
kmem(9) should not be used from the interrupt context
Backtrace from time of crash is available.
crash> bt
_KERNEL_OPT_NARCNET(c0c9c2c8,104,c060ffc8,8,0,c027fb04,4,104,db469aac,c0818e97) 
at 0
_end(104,0,c0c9c2c8,db469ac8,2c,1,1000,db469abc,c09c57df,c0c9c2c8) at db469ac8
vpanic(c0c9c2c8,db469ac8,db469ae0,c080fda9,c0c9c2c8,c0c05eb8,c0c9c2a0,c0c9c188,16e,c0e62c60)
 at vpanic+0x12c
kern_assert(c0c9c2c8,c0c05eb8,c0c9c2a0,c0c9c188,16e,c0e62c60,1000,db469b1c,c08fa182,2c)
 at kern_assert+0x23
kmem_zalloc(2c,1,6,c413d7b0,c08d30a6,c413d7e4,ffffffff,c446c800,c0ed9100,1000) 
at kmem_zalloc+0x43
usb_block_allocmem(db469bc4,0,0,1f9f,5c,0,c4277e58,18,db469b60,c08fa572) at 
usb_block_allocmem+0xe2
usb_allocmem_flags(c4137020,fa0,1000,db469bc4,0,db469bd8,c02cd4af,c4137020,fa0,1000)
 at usb_allocmem_flags+0x66
usb_allocmem(c4137020,fa0,1000,db469bc4,5000,c4277e58,c4137020,dd12f0a0,c41376f0,8a000)
 at usb_allocmem+0x2e
ehci_device_isoc_start(c4277e58,c3b49d00,10,db469bf4,c05b1cae,db469c1c,c4277ea0,c8,c8,c42a1d58)
 at ehci_device_isoc_start+0x1b9
usbd_transfer(c4277e58,c4ba1bfc,c42a1d58,c429f000,c8,5,c0909fe4,c42a1d58,c8,c42a1d50)
 at usbd_transfer+0x93
uvideo_stream_recv_isoc_start1(c4277e58,0,0,db469c5c,0,c42a1d00,dd4c5400,960,c4277e58,c4ba1bfc)
 at uvideo_stream_recv_isoc_start1+0x6a
uvideo_stream_recv_isoc_complete(c4277e58,c42a1d58,0,c0,dd12f000,db469ca8,c08fa78f,0,0,0)
 at uvideo_stream_recv_isoc_complete+0x9e
usb_transfer_complete(c4277e58,4,20,a,c4277ec4,c8,190,1,dd12f000,c4ba000c) at 
usb_transfer_complete+0x2b8
ehci_idone(c4277ec4,4,20,a,0,0,c4137004,c4137000,c42774c8,dc8d0f00) at 
ehci_idone+0x150
ehci_softintr(c4137020,db46532c,db469d80,c05afa93,c4137020,0,c0100307,0,0,0) at 
ehci_softintr+0x194
usb_soft_intr(c4137020,0,c0100307,0,0,0,0,0,0,c3b4ca80) at usb_soft_intr+0x22
softint_dispatch(c3b4cd20,4,a8300798,49190b6,3a9b9c7a,1aa60ee3,db469d90,db469d28,c3b4ca80,0)
 at softint_dispatch+0xba
crash: kvm_read(0x38, 4): invalid translation (invalid PTE)


>How-To-Repeat:
Plug in a USB webcam (in my case one made by Medion). Note that it attaches and
the uvideo device is present:

uvideo0 at uhub4 port 7 configuration 1 interface 0: vendor 0x04f2 USB2.0 2MP 
UVC Camera, rev 2.00/1.00, addr 3
video0 at uvideo0: vendor 0x04f2 USB2.0 2MP UVC Camera, rev 2.00/1.00, addr 3

Bring up mplayer:

mplayer tv:// -tv driver=v4l2:device=/dev/video0 -fps 30 

Find system crashes :-)


This same webcam works fine under NetBSD 6.1 I386 so I suspect it's related to 
changes in the USB area.
>Fix:
None known, but probably in the guts of USB rather than the video code.

>Unformatted:
        
        


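An added triage example, not part of the original report or of NetBSD: it reads crash(8) `bt` output, rejoins mail-wrapped frames, and reports the call chain when a kmem(9) call is reached from `softint_dispatch`, which is the condition the failed assertion checks. The sample is constructed from frame names in the backtrace above with shortened arguments; `parse_frames`, `find_intr_alloc`, `ALLOCATORS` and `SOFTINT_ENTRY` are names chosen for this example.

```python
import re

# Constructed sample: frame names from the backtrace in this report, arguments
# shortened, lines wrapped the way the mail archive wrapped the original.
SAMPLE_BT = """\
vpanic(c0c9c2c8,db469ac8) at vpanic+0x12c
kern_assert(c0c9c2c8,c0c05eb8)
 at kern_assert+0x23
kmem_zalloc(2c,1) at kmem_zalloc+0x43
usb_block_allocmem(db469bc4,0) at
usb_block_allocmem+0xe2
ehci_device_isoc_start(c4277e58,c3b49d00)
 at ehci_device_isoc_star
t+0x1b9
usb_transfer_complete(c4277e58,4) at usb_transfer_complete+0x2b8
ehci_softintr(c4137020,db46532c) at ehci_softintr+0x194
softint_dispatch(c3b4cd20,4) at softint_dispatch+0xba
"""

# A frame starts at the beginning of a line as name(hex,args).
HEAD = re.compile(r"^([A-Za-z_]\w*)\([0-9a-f,]*\)", re.MULTILINE)
# kmem(9) entry points; only kmem_zalloc appears in this report (assumption
# for the other two).
ALLOCATORS = {"kmem_alloc", "kmem_zalloc", "kmem_free"}
SOFTINT_ENTRY = "softint_dispatch"  # outer frame that marks softint context

def parse_frames(text):
    """Return the names of resolved frames, innermost first."""
    heads = list(HEAD.finditer(text))
    frames = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        # Drop whitespace so a symbol wrapped mid-name reads as one token.
        tail = "".join(text[m.end():end].split())
        # Unresolved frames ("at 0", "at db469ac8") do not repeat the name.
        if tail.startswith("at" + m.group(1) + "+0x"):
            frames.append(m.group(1))
    return frames

def find_intr_alloc(text):
    """Return the chain softint_dispatch -> ... -> allocator, or None."""
    frames = parse_frames(text)
    for i, name in enumerate(frames):
        if name in ALLOCATORS and SOFTINT_ENTRY in frames[i + 1:]:
            j = frames.index(SOFTINT_ENTRY, i + 1)
            return list(reversed(frames[i:j + 1]))
    return None

if __name__ == "__main__":
    path = find_intr_alloc(SAMPLE_BT)
    print(" -> ".join(path) if path else "no kmem(9) call under softint_dispatch")
```
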