Discussion:
Signal 11 dumps in telnetd (freebsd 10.3 release)
Rustam
2016-04-24 14:30:54 UTC
I got a couple of dozen dumps in /usr/libexec/telnetd (signal 11), and I'm
wondering what those could be.

FreeBSD 10.3-RELEASE, built from source.

Dump stack trace:
telrcv+333
ttloop+7C
doit+1687
main+64D

Dump is at address 0x0000000000404713:

.text:0004046E2 loc_4046E2:
.text:0004046E2 test byte ptr cs:diagnostic, 10h ; jumptable 0004046DB cases 11,12
.text:0004046E9 jz short loc_4046F7
.text:0004046EB mov edi, offset fmt ; "td: recv IAC"
.text:0004046F0 mov esi, ebx ; option
.text:0004046F2 call printoption
.text:0004046F7 loc_4046F7:
.text:0004046F7 call ptyflush
.text:0004046FC call init_termbuf
.text:000404701 cmp ebx, 0F7h
.text:000404707 mov eax, 6199D8h
.text:00040470C cmovz rax, r14
.text:000404710 mov rax, [rax]
.text:000404713 mov al, [rax] ; <========== Signal 11 HERE
.text:000404715 cmp al, 0FFh
.text:000404717 jz loc_40495A ; jumptable 0004046DB default case
.text:00040471D mov rcx, cs:pfrontp
.text:000404724 lea rdx, [rcx+1]
.text:000404728 mov cs:pfrontp, rdx
.text:00040472F mov [rcx], al
.text:000404731 mov cs:telrcv_state, 0
.text:00040473B jmp loc_4049A0


Regards,

Rustam
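The faulting instruction in the dump is the second of two dependent loads: `mov rax, [rax]` fetches a pointer out of a table entry selected by `cmovz` (one of two entries, depending on whether the command byte is 0F7h), and `mov al, [rax]` then reads through that pointer, where the signal 11 fires. That shape is a pointer-table entry that was read before anything filled it in. The following C program is an added illustration of that pattern and of the defensive check for it; it is a constructed model, not telnetd's source and not the patch Tim refers to below. The names `table`, `termchars`, `handle_guarded`, `VDISABLE` and the two-slot layout are all assumptions made for the example; only the command values 0xF7 (telnet EC) and the 0xFF "disabled" sentinel come from the dump.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model (not telnetd code): a table of pointers, indexed by
 * command byte, that are only valid after an initialisation step. */
#define CMD_EC   0xF7   /* telnet "erase character", RFC 854 */
#define CMD_EL   0xF8   /* telnet "erase line",      RFC 854 */
#define VDISABLE 0xFF   /* sentinel: this control character is disabled */

struct slot { unsigned char *sptr; };   /* NULL until model_init() runs */

static unsigned char termchars[2];      /* stands in for the terminal's cc[] */
static struct slot  table[2];           /* zero-initialised: every sptr is NULL */
static unsigned char outbuf[16];        /* bytes forwarded to the "pty" */
static size_t        outlen;

/* Fill the table: slot 0 -> erase char, slot 1 -> kill char. */
void model_init(unsigned char erase, unsigned char kill)
{
    termchars[0] = erase;
    termchars[1] = kill;
    table[0].sptr = &termchars[0];
    table[1].sptr = &termchars[1];
}

/* Back to the state before initialisation: all pointers NULL, output empty. */
void model_reset(void)
{
    memset(table, 0, sizeof table);
    outlen = 0;
}

size_t        model_outlen(void)      { return outlen; }
unsigned char model_out(size_t i)     { return outbuf[i]; }

/* Unguarded: mirrors the two loads in the dump (mov rax,[rax]; mov al,[rax]).
 * Called before model_init() this dereferences NULL, i.e. the signal 11.
 * It is here only to show the faulting shape and is never called below. */
int handle_unguarded(unsigned char cmd)
{
    unsigned char ch = *table[cmd == CMD_EC ? 0 : 1].sptr;
    if (ch != VDISABLE)
        outbuf[outlen++] = ch;
    return 0;
}

/* Guarded: reject unknown commands and refuse EC/EL until the table entry
 * has been filled in, instead of reading through a NULL pointer. */
int handle_guarded(unsigned char cmd)
{
    if (cmd != CMD_EC && cmd != CMD_EL)
        return -1;                       /* not a command this handler owns */
    const unsigned char *p = table[cmd == CMD_EC ? 0 : 1].sptr;
    if (p == NULL)
        return -1;                       /* state not initialised yet: ignore */
    if (*p != VDISABLE && outlen < sizeof outbuf)
        outbuf[outlen++] = *p;           /* forward the configured control char */
    return 0;
}
```

The useful habit this shows is testing the "command arrives before initialisation" ordering explicitly: call the handler on a freshly reset model and require a clean error return, not just the happy path after `model_init()`.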
Tim Zingelman
2016-04-25 19:42:35 UTC
See if the attached patch helps.

It applies cleanly to ports/security/krb5-appl, but may need adjustment
for the base system telnetd.

- Tim
Post by Rustam
I got a couple of dozen dumps in /usr/libexec/telnetd (signal 11), and I'm
wondering what those could be.
FreeBSD 10.3-RELEASE, built from source.
telrcv+333
ttloop+7C
doit+1687
main+64D
.text:0004046E2 test byte ptr cs:diagnostic, 10h ; jumptable 0004046DB cases 11,12
.text:0004046E9 jz short loc_4046F7
.text:0004046EB mov edi, offset fmt ; "td: recv IAC"
.text:0004046F0 mov esi, ebx ; option
.text:0004046F2 call printoption
.text:0004046F7 call ptyflush
.text:0004046FC call init_termbuf
.text:000404701 cmp ebx, 0F7h
.text:000404707 mov eax, 6199D8h
.text:00040470C cmovz rax, r14
.text:000404710 mov rax, [rax]
.text:000404713 mov al, [rax] ; <========== Signal 11 HERE
.text:000404715 cmp al, 0FFh
.text:000404717 jz loc_40495A ; jumptable 0004046DB default case
.text:00040471D mov rcx, cs:pfrontp
.text:000404724 lea rdx, [rcx+1]
.text:000404728 mov cs:pfrontp, rdx
.text:00040472F mov [rcx], al
.text:000404731 mov cs:telrcv_state, 0
.text:00040473B jmp loc_4049A0
Regards,
Rustam
_______________________________________________
https://lists.freebsd.org/mailman/listinfo/freebsd-security
Benjamin Kaduk
2016-04-26 03:07:53 UTC
Post by Tim Zingelman
See if the attached patch helps.
It applies cleanly to ports/security/krb5-appl, but may need adjustment for
the base system telnetd.
[Obligatory note that krb5-appl is unmaintained upstream, due to insecure
crypto, among other things.]

-Ben
