DragonFly 3.6-RELEASE: how to crash the kernel from userland
Justin Sherrill
justin at shiningsilence.com
Fri Jul 18 06:19:45 PDT 2014
Running this on a DF 3.6.3 system, under VMWare Workstation 9.0.3, gets:
checking if `rename' handles unwritable source/target... ok,source=ok,target=ok
checking that `mmap' is sane... yes
checking signal received if referencing nonexistent part of mmapped file... Segmentation fault
11
Pulling out the test program and compiling/running it gives me:
# ./conftest
mmap: Bad file descriptor
So, I wasn't able to get a kernel crash out of it.
On Thu, Jul 17, 2014 at 5:08 PM, Nelson H. F. Beebe <beebe at math.utah.edu> wrote:
> I run DragonFly 3.6-RELEASE (and also 3.4) on VMware ESX on Sun AMD64
> hardware, along with dozens of other virtual machines.
>
> Today, I found out how to reliably, and reproducibly, crash the 3.6
> kernel from a user process: build GNU rcs-5.9.1 or rcs-5.9.2, available
> at
>
> ftp://ftp.gnu.org/gnu/rcs/
>
> There is a kernel panic immediately after this report from the
> configure run:
>
> checking signal received if referencing nonexistent part of mmapped file...
>
> I cannot capture the exact panic report easily from the VMware
> console, which puts me into a debugger with prompt "db>", at which
> typing "reset" reboots the system.
>
> After the reboot, examination of /var/log/messages shows something
> similar to what I saw in the VMware console window:
>
> Jul 17 14:52:47 xxx syslogd: kernel boot file is /boot/kernel/kernel
> Jul 17 14:52:47 xxx kernel: pid 23179 (conftest), uid 887: exited on signal 11
> Jul 17 14:52:47 xxx kernel: panic: assertion "ref >= &td->td_toks_base && ref->tr_tok == tok" failed in lwkt_reltoken at /build/home/justin/src/sys/kern/lwkt_token.c:812
> Jul 17 14:52:47 xxx kernel: cpuid = 0
> Jul 17 14:52:47 xxx kernel: Trace beginning at frame 0xffffffe05ce377d8
> Jul 17 14:52:47 xxx kernel: panic() at panic+0x223 0xffffffff80561c0c
> Jul 17 14:52:47 xxx kernel: panic() at panic+0x223 0xffffffff80561c0c
> Jul 17 14:52:47 xxx kernel: lwkt_reltoken() at lwkt_reltoken+0x5d 0xffffffff80575f98
> Jul 17 14:52:47 xxx kernel: sigexit() at sigexit+0xce 0xffffffff80564a78
> Jul 17 14:52:47 xxx kernel: postsig() at postsig+0x1c7 0xffffffff80564c46
> Jul 17 14:52:47 xxx kernel: userret() at userret+0x18d 0xffffffff8092ed6d
> Jul 17 14:52:47 xxx kernel: trap() at trap+0x6b4 0xffffffff8092fb4c
> Jul 17 14:52:47 xxx kernel: calltrap() at calltrap+0x9 0xffffffff80919bef
> Jul 17 14:52:47 xxx kernel: --- trap 000000000000000c, rip = 0000000000400ab4, rsp = ffffffe05ce37ab0, rbp = 00007fffffffe990 ---
> Jul 17 14:52:47 xxx kernel: kernmxps() at 0x400ab4 0x400ab4
> Jul 17 14:52:47 xxx kernel: kernmxps() at 0x400926 0x400926
> Jul 17 14:52:47 xxx kernel: Debugger("panic")
> Jul 17 14:52:47 xxx kernel:
> Jul 17 14:52:47 xxx kernel: CPU0 stopping CPUs: 0x00000000
> Jul 17 14:52:47 xxx kernel: stopped
>
> Can anyone reproduce this crash on physical hardware?
>
> Builds of the two named releases of GNU rcs on DragonflyBSD 3.4 work
> just fine.
>
> All of the files in /boot/kernel on my 3.6 system are dated
> 20-Feb-2014 14:47, and the panic persists even after running
>
> pkg update
> pkg upgrade
>
> to ensure that all software components are current (as expected,
> because the kernel files themselves do not change).
>
> -------------------------------------------------------------------------------
> - Nelson H. F. Beebe Tel: +1 801 581 5254 -
> - University of Utah FAX: +1 801 581 4148 -
> - Department of Mathematics, 110 LCB Internet e-mail: beebe at math.utah.edu -
> - 155 S 1400 E RM 233 beebe at acm.org beebe at computer.org -
> - Salt Lake City, UT 84112-0090, USA URL: http://www.math.utah.edu/~beebe/ -
> -------------------------------------------------------------------------------