Subject: kern/30098: nmap causes kern panic in m_pulldown on sparc64
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <k3rag3z@wp.pl>
List: netbsd-bugs
Date: 04/30/2005 12:10:00
>Number: 30098
>Category: kern
>Synopsis: nmap causes kern panic in m_pulldown on sparc64
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Apr 30 12:10:00 +0000 2005
>Originator: Adam T. Zegarek
>Release: 2.0.2
>Organization:
>Environment:
System: NetBSD sparc.lan 2.0.2 NetBSD 2.0.2 (GENERIC) #0: Wed Mar 23 01:40:44 UTC 2005 builds@works.netbsd.org:/home/builds/ab/netbsd-2-0-2-RELEASE/sparc64/200503220140Z-obj/home/builds/ab/netbsd-2-0-2-RELEASE/src/sys/arch/sparc64/compile/GENERIC sparc64
Architecture: sparc64
Machine: sparc64
Sun Ultra 5/10 UPA/PCI (UltraSPARC-IIi 270MHZ), Keyboard present
Openboot 3.15, 64 MB memory installed, Serial #1067312
Ethernet address 8:0:20:a2:db:d8, host ID: 80a2bd8
>Description:
Whenever running nmap-3.81 on 10.0.0.4 (oneself) the kernel panics with "m_pulldown malfunction".
# nmap -sS -sV -P0 -O -vvv -f 10.0.0.4
10.0.0.4 is the DHCP address of the machine obtained from an ADSL router (Thomson 510).
Machine runs OpenSSHd at start-up, installed from a package for NetBSD-2.0/sparc64.
The crash is repetitive. It happens every time with these nmap switches. I haven't been able to single out the only culprit for this misbehaviour.
The panic occurs both when nmap is run locally or via ssh.
>How-To-Repeat:
- Install NetBSD 2.0.2 from sparc64.iso
- Install and run openssh (openssh-3.9.1nb5) from packages from 2.0 Release.
- Grab the pkgsrc (# $NetBSD: Packages.txt,v 1.366 2004/11/30 21:05:24 jlam Exp $).
- Install net/nmap (default compilation, without additional options)
- Run as root:
# nmap -sS -sV -P0 -O -vvv -f 10.0.0.4
- Observe:
Starting nmap 3.81 ( http://www.insecure.org/nmap ) at 2005-04-29 20:33 CEST
Initiating SYN Stealth Scan against 10.0.0.4 [1663 ports] at 20:33
Increasing send delay for 10.0.0.4 from 0 to 5 due to 22 out of 73 dropped probes since last increase
Increasing send delay for 10.0.0.4 from 5 to 10 due to max_successful_tryno increase to 4
The SYN Stealth Scan took 35.88s to scan 1663 ports.
Initiating service scan against 1 service on 10.0.0.4 at 20:33
The service scan took 0.93s to scan 1 service on 1 host.
For OSScan assuming that port 22 is open and 1 is closed and neither are firewalled.
panic: m_pulldown malfunction
kdb breakpoint at 1335d28
Stopped in pid 6628.1 (nmap) at netbsd:cpu_Debugger+0x4: nop
(gdb)
- Info from gdb:
# gdb /netbsd
(gdb) x 1335d28
0x1335d28 <cpu_Debugger>: 0x91d02001
- nmap:
% ldd `which nmap`
/usr/pkg/bin/nmap:
-lpcre.0 => /usr/pkg/lib/libpcre.so.0
-lpcap.1 => /usr/lib/libpcap.so.1
-lssl.3 => /usr/lib/libssl.so.3
-lcrypto.2 => /usr/lib/libcrypto.so.2
-lstdc++.5 => /usr/lib/libstdc++.so.5
-lm.0 => /usr/lib/libm.so.0
-lgcc_s.1 => /usr/lib/libgcc_s.so.1
-lc.12 => /usr/lib/libc.so.12
% nmap -V
nmap version 3.81 ( http://www.insecure.org/nmap/ )
>Fix:
Workaround: do not use nmap with these switches to scan oneself.
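The report says the submitter could not single out which of the nmap switches is responsible. The following is an added example (not part of the bug report, and not NetBSD or nmap project code) that enumerates every non-empty subset of the five optional switches from the reported command line, smallest subsets first, so the combinations can be tried one per boot until the minimal triggering set is found. The target address and the switch list are taken from the report; the function and variable names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: enumerate nmap switch subsets to bisect the panic trigger.
# Each candidate command must be run on a freshly booted machine, since a
# hit panics the kernel; note which candidates panic and which finish.

# Optional switches from the reported command line (-vvv and the target are
# kept on every run, since verbosity cannot affect packets on the wire).
NMAP_OPTS="-sS -sV -P0 -O -f"
TARGET="10.0.0.4"    # assumed: the DHCP address given in the report

# Print one candidate "nmap ..." command line per subset of NMAP_OPTS,
# ordered by the number of switches so the cheapest candidates come first.
nmap_subsets() {
    set -- $NMAP_OPTS
    n=$#
    total=$(( (1 << n) - 1 ))   # highest bitmask: all switches selected
    size=1
    while [ "$size" -le "$n" ]; do
        mask=1
        while [ "$mask" -le "$total" ]; do
            # Count the bits set in this mask (number of selected switches).
            bits=0
            m=$mask
            while [ "$m" -gt 0 ]; do
                bits=$(( bits + (m & 1) ))
                m=$(( m >> 1 ))
            done
            if [ "$bits" -eq "$size" ]; then
                out=""
                i=0
                for opt in "$@"; do
                    if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
                        out="$out $opt"
                    fi
                    i=$(( i + 1 ))
                done
                echo "nmap$out -vvv $TARGET"
            fi
            mask=$(( mask + 1 ))
        done
        size=$(( size + 1 ))
    done
}

# Usage: list the candidates, then run them by hand one per boot, e.g.
#   nmap_subsets | sed -n '1p'   # first (single-switch) candidate
nmap_subsets
```

The output is 31 command lines; the last one is the full command from the report. Because -sS is already the default scan type for root, candidates without it still send SYN probes, so a difference between "with -sS" and "without -sS" would point at option parsing rather than packet shape, whereas -f (fragmentation) and -O (OS fingerprinting probes) are the switches that change what the kernel has to reassemble.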