DragonFly 3.6-RELEASE: how to crash the kernel from userland

Justin Sherrill justin at shiningsilence.com
Fri Jul 18 06:19:45 PDT 2014


Running this on a DF 3.6.3 system, under VMware Workstation 9.0.3, gets:

checking if `rename' handles unwritable source/target... ok,source=ok,target=ok
checking that `mmap' is sane... yes
checking signal received if referencing nonexistent part of mmapped file... Segmentation fault
11

Pulling out the test program and compiling/running it gives me:

# ./conftest
mmap: Bad file descriptor

So, I wasn't able to get a kernel crash out of it.



On Thu, Jul 17, 2014 at 5:08 PM, Nelson H. F. Beebe <beebe at math.utah.edu> wrote:
> I run DragonFly 3.6-RELEASE (and also 3.4) on VMware ESX on Sun AMD64
> hardware, along with dozens of other virtual machines.
>
> Today, I found out how to reliably, and reproducibly, crash the 3.6
> kernel from a user process: build GNU rcs-5.9.1 or rcs-5.9.2, available
> at
>
>         ftp://ftp.gnu.org/gnu/rcs/
>
> There is a kernel panic immediately after this report from the
> configure run:
>
>     checking signal received if referencing nonexistent part of mmapped file...
>
> I cannot capture the exact panic report easily from the VMware
> console, which puts me into a debugger with prompt "db>", at which
> typing "reset" reboots the system.
>
> After the reboot, examination of /var/log/messages shows something
> similar to what I saw in the VMware console window:
>
>     Jul 17 14:52:47 xxx syslogd: kernel boot file is /boot/kernel/kernel
>     Jul 17 14:52:47 xxx kernel: pid 23179 (conftest), uid 887: exited on signal 11
>     Jul 17 14:52:47 xxx kernel: panic: assertion "ref >= &td->td_toks_base && ref->tr_tok == tok" failed in lwkt_reltoken at /build/home/justin/src/sys/kern/lwkt_token.c:812
>     Jul 17 14:52:47 xxx kernel: cpuid = 0
>     Jul 17 14:52:47 xxx kernel: Trace beginning at frame 0xffffffe05ce377d8
>     Jul 17 14:52:47 xxx kernel: panic() at panic+0x223 0xffffffff80561c0c
>     Jul 17 14:52:47 xxx kernel: panic() at panic+0x223 0xffffffff80561c0c
>     Jul 17 14:52:47 xxx kernel: lwkt_reltoken() at lwkt_reltoken+0x5d 0xffffffff80575f98
>     Jul 17 14:52:47 xxx kernel: sigexit() at sigexit+0xce 0xffffffff80564a78
>     Jul 17 14:52:47 xxx kernel: postsig() at postsig+0x1c7 0xffffffff80564c46
>     Jul 17 14:52:47 xxx kernel: userret() at userret+0x18d 0xffffffff8092ed6d
>     Jul 17 14:52:47 xxx kernel: trap() at trap+0x6b4 0xffffffff8092fb4c
>     Jul 17 14:52:47 xxx kernel: calltrap() at calltrap+0x9 0xffffffff80919bef
>     Jul 17 14:52:47 xxx kernel: --- trap 000000000000000c, rip = 0000000000400ab4, rsp = ffffffe05ce37ab0, rbp = 00007fffffffe990 ---
>     Jul 17 14:52:47 xxx kernel: kernmxps() at 0x400ab4 0x400ab4
>     Jul 17 14:52:47 xxx kernel: kernmxps() at 0x400926 0x400926
>     Jul 17 14:52:47 xxx kernel: Debugger("panic")
>     Jul 17 14:52:47 xxx kernel:
>     Jul 17 14:52:47 xxx kernel: CPU0 stopping CPUs: 0x00000000
>     Jul 17 14:52:47 xxx kernel: stopped
>
> Can anyone reproduce this crash on physical hardware?
>
> Builds of the two named releases of GNU rcs on DragonflyBSD 3.4 work
> just fine.
>
> All of the files in /boot/kernel on my 3.6 system are dated
> 20-Feb-2014 14:47, and the panic persists even after running
>
>         pkg update
>         pkg upgrade
>
> to ensure that all software components are current (as expected,
> because the kernel files themselves do not change).
>
> -------------------------------------------------------------------------------
> - Nelson H. F. Beebe                    Tel: +1 801 581 5254                  -
> - University of Utah                    FAX: +1 801 581 4148                  -
> - Department of Mathematics, 110 LCB    Internet e-mail: beebe at math.utah.edu  -
> - 155 S 1400 E RM 233                       beebe at acm.org  beebe at computer.org -
> - Salt Lake City, UT 84112-0090, USA    URL: http://www.math.utah.edu/~beebe/ -
> -------------------------------------------------------------------------------
