Subject: kern/30098: nmap causes kern panic in m_pulldown on sparc64
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <k3rag3z@wp.pl>
List: netbsd-bugs
Date: 04/30/2005 12:10:00
>Number:         30098
>Category:       kern
>Synopsis:       nmap causes kern panic in m_pulldown on sparc64
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Apr 30 12:10:00 +0000 2005
>Originator:     Adam T. Zegarek
>Release:        2.0.2
>Organization:
>Environment:
System: NetBSD sparc.lan 2.0.2 NetBSD 2.0.2 (GENERIC) #0: Wed Mar 23 01:40:44 UTC 2005 builds@works.netbsd.org:/home/builds/ab/netbsd-2-0-2-RELEASE/sparc64/200503220140Z-obj/home/builds/ab/netbsd-2-0-2-RELEASE/src/sys/arch/sparc64/compile/GENERIC sparc64
Architecture: sparc64
Machine: sparc64

Sun Ultra 5/10 UPA/PCI (UltraSPARC-IIi 270MHZ), Keyboard present
Openboot 3.15, 64 MB memory installed, Serial #1067312
Ethernet address 8:0:20:a2:db:d8, host ID: 80a2bd8 
>Description:
Whenever running nmap-3.81 on 10.0.0.4 (oneself) the kernel panics with "m_pulldown malfunction".

# nmap -sS -sV -P0 -O -vvv -f 10.0.0.4

10.0.0.4 is the DHCP address of the machine obtained from an ADSL router (Thomson 510).

Machine runs OpenSSHd at start-up, installed from a package for NetBSD-2.0/sparc64.

The crash is repetitive. It happens every time with these nmap switches. I haven't been able to single out the only culprit for this misbehaviour.

The panic occurs both when nmap is run locally or via ssh.

>How-To-Repeat:
 - Install NetBSD 2.0.2 from sparc64.iso
 - Install and run openssh (openssh-3.9.1nb5) from packages from 2.0 Release.
 - Grab the pkgsrc (# $NetBSD: Packages.txt,v 1.366 2004/11/30 21:05:24 jlam Exp $).
 - Install net/nmap (default compilation, without additional options)
 - Run as root:
     # nmap -sS -sV -P0 -O -vvv -f 10.0.0.4
 - Observe:
Starting nmap 3.81 ( http://www.insecure.org/nmap ) at 2005-04-29 20:33 CEST
Initiatining SYN Stealth Scan againts 10.0.0.4 [1663 ports] at 20:33
Increasing send delay for 10.0.0.4 from 0 to 5 due to 22 out of 73 dropped probes since last increase
Increasing send delay for 10.0.0.4 from 5 to 10 due to max_successful_tryno increase to 4
The SYN Stealth Scan took 35.88s to scan 1663 ports.
Initiating service scan against 1 service on 10.0.0.4 at 20:33
The service scan took 0.93s to scan 1 service on 1 host.
For OOScan assuming that port 22 is open and 1 is closed and neither are firewalled.
panic: m_pulldown malfunction
kdb breakpoint at 1335d28
Stopped in pid 6628.1 (nmap) at netbsd:cpu_Debugger+0x4:   nop
(gdb)


 - Info from gdb:
# gdb /netbsd
(gdb) x 1335d28
0x1335d28 <cpu_Debugger>:    0x91d02001

 - nmap:
% ldd `which nmap`
/usr/pkg/bin/nmap:
         -lpcre.0 => /usr/pkg/lib/libpcre.so.0
         -lpcap.1 => /usr/lib/libpcap.so.1
         -lssl.3 => /usr/lib/libssl.so.3
         -lcrypto.2 => /usr/lib/libcrypto.so.2
         -lstdc++.5 => /usr/lib/libstdc++.so.5
         -lm.0 => /usr/lib/libm.so.0
         -lgcc_s.1 => /usr/lib/libgcc_s.so.1
         -lc.12 => /usr/lib/libc.so.12
% nmap -V
nmap version 3.81 ( http://www.insecure.org/nmap/ )

>Fix:

Workaround: do not use nmap with these switches to scan oneself.