TeamForge : Post

Forum Topic - Program to Cause a Kernel Panic as an Unprivilieged User: (14 Items)

View: as

Mak Kolybabi

09/25/2009 12:10 PM

post38789

Program to Cause a Kernel Panic as an Unprivilieged User

While porting OpenSSH 5.2p1, I have discovered a way to reliably panic QNX 4. I can't say for sure what versions of 
system components this issue applies to, but I've successfully caused panics on both 4.24 and 4.25.

The minimum required code, a single call to mmap(), can be seen in my demo (http://gist.github.com/193603), and attached
 to this post.

My searches have not found any documentation regarding this issue, but if I have missed a posting/notice I apologize.

Attachment:

panic.c 2.02 KB

Oleg Bolshakov(deleted)

Re: Program to Cause a Kernel Panic as an Unprivilieged User

Oleg Bolshakov(deleted)

09/25/2009 3:01 PM

post38811

Re: Program to Cause a Kernel Panic as an Unprivilieged User

Hi Mak,

I can't reproduce your case. Where I wrong?

-----
# cd test/panic/
# cc -o panic panic.c
/usr/watcom/10.6/bin/wcc386 -zq -ms -4r -i=/usr/watcom/10.6/usr/include -
i=/usr/include panic.c
/usr/watcom/10.6/bin/wlink op quiet form qnx flat na panic op priv=3 op c 
libp /usr/watcom/10.6/usr/lib:/usr/lib:. f /home/oleg/test/panic/panic.o 
op offset=40k op st=32k
# ./panic
# ./panic
# uname -a
QNX 12 O 425 PCI 32
-----

Please show me your sin ver output.

-- 
Respectfully,
Oleg

> While porting OpenSSH 5.2p1, I have discovered a way to reliably panic
> QNX 4. I can't say for sure what versions of system components this
> issue applies to, but I've successfully caused panics on both 4.24 and
> 4.25.
>
> The minimum required code, a single call to mmap(), can be seen in my
> demo (http://gist.github.com/193603), and attached to this post.
>
> My searches have not found any documentation regarding this issue, but
> if I have missed a posting/notice I apologize.
>
>
>
> _______________________________________________
>
> General
> http://community.qnx.com/sf/go/post38789

Mak Kolybabi

Re: Program to Cause a Kernel Panic as an Unprivilieged User

Mak Kolybabi

09/25/2009 3:35 PM

post38816

Re: Program to Cause a Kernel Panic as an Unprivilieged User

Here's my command line that I used just now to compile and run the program:

# cc -o panic panic.c
/usr/watcom/10.6/bin/wcc386 -zq -ms -4r -i=/usr/watcom/10.6/usr/include -i=/usr/include panic.c
/usr/watcom/10.6/bin/wlink op quiet form qnx flat na panic op priv=3 op c libp /usr/watcom/10.6/usr/lib:/usr/lib:/cti/
lib:/usr/local/lib:/usr/local/ssl/lib f panic.o op offset=40k op st=32k
# ./panic

At this point, I get a stack and register dump to the console, manually typed out below:

Version: 424.G Aug 25 1997  Technical Support: +1 (613) 591-0941
Proc fault 1, ldt 100 sys/Proc32; fault d+0
cs:eip=5:7714 ss:esp=d:f7c0f3c efl=12246 ds=d es=8 fs=0 gs=0
eax/10fbeffc ebx/ffffffff ecx/1 edx/0 esi/10fbeffc edi/35ea5 ebp/f7c0f40
Stack (d:f7c0f3c)
10fbeffc 0f7c0f58 ffffffff 00000011 00000001 00007b58 0f7c0f84 0f7c0f84
000029b6 ffffffff 0001a346 0001cbac a800000f 35e98000 0000e000 00000001
00000011 00000000 0f7c0fb0 000029b6 0000339c 00011483 00000001 0000000d
000033ac 0001cbac 00000001 00000001 00000000 0f7c0fec 000052fd 0001cbac
Process Entry (addr 18c5c)
00000000 00000001 00000000 00000001 00000000 00000000 30020207 00001e1e
000051f0 0100000d 00018d14 ffffffff 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000501 000d000d 00006884 00000000 00000005
00000018 00000000 000001a0 0000d9e0 00000000 00000000 0001c1f4 00000000
00000000 00000000 00000000 ffff0001 00000000 00000000 00000000

Here is the version information for the test box in this example:

# uname -a
QNX 5 G 424 PCI 32

# sin ver
PROGRAM                 NAME         VERSION DATE
sys/Proc32              Proc         4.24G   Aug 25 1997
sys/Proc32              Slib16       4.23G   Oct 04 1996
sys/Slib32              Slib32       4.24A   Feb 04 1997
/bin/Fsys               Fsys32       4.24K   Aug 20 1997
/bin/Fsys               Floppy       4.24B   Aug 19 1997
/bin/Fsys.eide          eide         4.24F   Jul 17 1997
//5/bin/Dev32           Dev32        4.23G   Oct 04 1996
//5/bin/Dev32.ansi      Dev32.ansi   4.23H   Nov 21 1996
//5/bin/Dev32.ser       Dev32.ser    4.23I   Jun 27 1997
//5/bin/Dev32.pty       Dev32.pty    4.23G   Oct 04 1996
//5/bin/Dev32.pty       Dev32.pty    4.23G   Oct 04 1996
//5/bin/Pipe            Pipe         4.23A   Feb 26 1996
//5/bin/Net             Net          4.24B   Jul 31 1997
//5/bin/Net.ct100tx     Net.ct100tx  4.25F   Aug 20 2001
//5/*/5.0/usr/ucb/Tcpip Tcpip        5.00A   Jan 26 2001

# sin
SID   PID PROGRAM                 PRI STATE   BLK   CODE   DATA
 --    -- Microkernel             --- -----   ---  11696      0
  0     1 sys/Proc32              30f READY   ---   114k  1699k
  0     2 sys/Slib32              10r  RECV     0    53k   4096
  0     4 /bin/Fsys               29r  RECV     0    77k   146M
  0     5 /bin/Fsys.eide          22r  RECV     0    57k   110k
  0     8 idle                     0r READY   ---      0    65k
  0    16 //5/bin/Dev32           24f  RECV     0    32k   143k
  0    19 //5/bin/Dev32.ansi      20r  RECV     0    40k   122k
  0    21 //5/bin/Dev32.ser       20r  RECV     0    16k    24k
  0    22 //5/bin/Dev32.pty       20r  RECV     0    12k    57k
  0    23 //5/bin/Dev32.pty       20r  RECV     0    12k    32k
  0    28 //5/bin/Fsys.floppy     10o  RECV     0    20k    40k
  0    29 //5/bin/Pipe            10r  RECV     0    16k    53k
  0    33 //5/bin/Net             23r  RECV     0    32k   106k
  0    37 //5/bin/Net.ct100tx     20r  RECV     0    61k   135k
  0    41 //5/bin/nameloc         20o  RECV     0   6144    20k
  0    42 //5/bin/nameloc         20o REPLY     0   6144    16k
  0    93 //5/*/5.0/usr/ucb/Tcpip 10r  RECV     0   151k   471k
  0   100 //5/*/5.0/usr/ucb/inetd 10o  RECV   102    40k    24k
  0   104 //5/bin/tinit           10o  WAIT    -1    16k    28k
  0   105 //5/bin/dumper          10o  RECV     0    16k    20k
  0   107 //5/*/usr/bin/syslogd   10o  RECV     0    36k    32k
  0   109...

View Full Message

Mak Kolybabi

Re: Program to Cause a Kernel Panic as an Unprivilieged User

Mak Kolybabi

09/25/2009 5:06 PM

post38827

Re: Program to Cause a Kernel Panic as an Unprivilieged User

I apologize. After re-testing on all my development machines, it turns out that I was mistaken about the panic occurring
 on my 4.25 test box.

This box does not panic:

# sin ver
PROGRAM                 NAME         VERSION DATE
/boot/sys/Proc32        Proc         4.25O   Aug 19 2002
/boot/sys/Proc32        Slib16       4.23G   Oct 04 1996
/boot/sys/Slib32        Slib32       4.24B   Aug 12 1997
/bin/Fsys               Fsys32       4.24Y   Apr 23 2002
/bin/Fsys.atapi         atapi        4.25G   Aug 08 2007
//6/bin/Dev32           Dev32        4.23G   Oct 04 1996
//6/bin/Pipe            Pipe         4.23A   Feb 26 1996
//6/bin/Dev32.ser       Dev.ser      4.25A   Feb 14 2003
//6/bin/Dev32.ansi      Dev32.ansi   4.23H   Nov 21 1996
//6/bin/Dev32.par       Dev32.par    4.25A   Jan 08 2001
//6/bin/Dev32.pty       Dev32.pty    4.23G   Oct 04 1996
//6/bin/Net             Net          4.25E   Apr 24 2002
//6/bin/Net.befe124     Net.befe124  4.25C   Nov 27 2004
//6/*/5.0/usr/ucb/Tcpip Tcpip        5.00A   Jan 26 2001

This box (different from the one in my previous post) does panic:

# sin ver
PROGRAM                 NAME         VERSION DATE
sys/Proc32              Proc         4.24G   Aug 25 1997
sys/Proc32              Slib16       4.23G   Oct 04 1996
sys/Slib32              Slib32       4.24A   Feb 04 1997
/bin/Fsys               Fsys32       4.24K   Aug 20 1997
/bin/Fsys               Floppy       4.24B   Aug 19 1997
/bin/Fsys.eide          eide         4.24F   Jul 17 1997
//10/bin/Dev16          Dev16        4.23G   Oct 04 1996
//10/bin/Dev16.ansi     Dev16.ansi   4.23H   Nov 21 1996
//10/bin/Dev16.ser      Dev16.ser    4.23I   Jun 27 1997
//10/bin/Dev16.par      Dev16.par    4.23G   Oct 04 1996
//10/bin/Dev16.pty      Dev16.pty    4.23G   Oct 04 1996
//10/bin/Pipe           Pipe         4.23A   Feb 26 1996
//10/bin/Net            Net          4.24B   Jul 31 1997
//10/bin/Net.ct100tx    Net.ct100tx  4.23C   May 02 1997
//10/*/usr/ucb/Socket   Socket       4.25G   Dec 08 1998
//10/bin/cron           cron         4.23B   Dec 18 1996

Mark Hessling

Re: Program to Cause a Kernel Panic as an Unprivilieged User

Mark Hessling

01/20/2010 11:07 PM

post45605

Re: Program to Cause a Kernel Panic as an Unprivilieged User

> While porting OpenSSH 5.2p1, I have discovered a way to reliably panic QNX 4. 
> I can't say for sure what versions of system components this issue applies to,
>  but I've successfully caused panics on both 4.24 and 4.25.
> 
> The minimum required code, a single call to mmap(), can be seen in my demo (
> http://gist.github.com/193603), and attached to this post.
> 
> My searches have not found any documentation regarding this issue, but if I 
> have missed a posting/notice I apologize.


Hi Mak,

Is your port of OpenSSH 5.2p1 for QNX 4 available to the public.  If so do you have binaries available for download?

TIA, Mark

Mak Kolybabi

Re: Program to Cause a Kernel Panic as an Unprivilieged User

Mak Kolybabi

01/21/2010 9:48 AM

post45643

Re: Program to Cause a Kernel Panic as an Unprivilieged User

> Is your port of OpenSSH 5.2p1 for QNX 4 available to the public.  If so do you
> have binaries available for download?

My port of OpenSSH is actually up to 5.3p1, now. I binaries for both the old (qcrypt) and the new (DES) password format.


I'll ask around here at my company to make sure nobody has any objections, and let you know (hopefully) later today.

Mak Kolybabi

Re: Program to Cause a Kernel Panic as an Unprivilieged User

Mak Kolybabi

01/25/2010 11:54 AM

post45874

Re: Program to Cause a Kernel Panic as an Unprivilieged User

> If so do you have binaries available for download?

See attached. These only work for the new (DES) password style. I can make the Git repository of my changes available if
 you'd like.

The following options should be set in sshd_config:
    UsePrivilegeSeparation no
    Compression no

Compression depends on mmap behaviour that is not provided in 4.24.
Privilege separation causes odd sendmsg errors.

Attachment:

openssh-qnx.tar 6.2 MB

Robert DeFreitas

01/27/2010 6:44 PM

post46094

Re: Program to Cause a Kernel Panic as an Unprivilieged User

Mak,

     Thank you for sharing this!  Can you also post the qcrypt version as well?

Rob

Mak Kolybabi

01/28/2010 5:08 PM

post46161

Re: Program to Cause a Kernel Panic as an Unprivilieged User

> Can you also post the qcrypt version as well?

Attached is a new tarball containing both the DES (sshd.des) and qcrypt (sshd.qcrypt) versions of the OpenSSH-5.3p1 
binaries, linked against OpenSSL-0.9.8l. All other binaries are password-format agnostic. I've also included the SHA-1 
sums of the files, just to be safe.

Enjoy!

Attachment:

openssh-qnx.tar 7.23 MB

Robert DeFreitas

Re: Program to Cause a Kernel Panic as an Unprivilieged User

Robert DeFreitas

01/29/2010 4:45 PM

post46254

Re: Program to Cause a Kernel Panic as an Unprivilieged User

Mak,

     Perfect!  Thanks again for this wonderful contribution to the QNX4 community!  :)

Rob

PS: In researching OpenSSL/SSH on QNX4 the issue was that the Watcom C compiler (version 10.6) doesn't support a 64-bit 
integer (long long).  I found (via google) that you were the person that created an emulated 64-bit integer library!  
Hats off to you!  GREAT JOB!

Leonid Khait(deleted)

02/03/2010 8:20 AM

post46449

Re: Program to Cause a Kernel Panic as an Unprivilieged User

The password authentication work fine, but I have problens with Client Open Key authentication method.

Please show your's sshd_config for properly Open Key authentication.

Mak Kolybabi

02/11/2010 12:54 PM

post47162

Re: Program to Cause a Kernel Panic as an Unprivilieged User

> Please show your's sshd_config for properly Open Key authentication.

Sorry for the delay. I wanted to re-test key authentication before posting the config. The following config is from my 
development system. The two most important lines are UsePrivilegeSeparation and Compression.

-- Start of File --
################################################################################
# DO NOT CHANGE
################################################################################
# Restrict to most secure version.
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

# Required for QNX.
UsePrivilegeSeparation no
Compression no
################################################################################
# DO NOT CHANGE
################################################################################

Port 29
PermitRootLogin yes
PermitEmptyPasswords no
-- End of File --

Robert DeFreitas

Re: Program to Cause a Kernel Panic as an Unprivilieged User

Robert DeFreitas

06/17/2010 4:32 PM

post57113

Re: Program to Cause a Kernel Panic as an Unprivilieged User

Mak,

     Is there any possibility of sharing your emulated 64-bit integer library?

Rob

Mak Kolybabi

06/18/2010 12:11 PM

post57181

Re: Program to Cause a Kernel Panic as an Unprivilieged User

> Is there any possibility of sharing your emulated 64-bit integer library?

Sure. See attached.

Attachment:

lib64.zip 4.87 KB

Return