panic: malformed IPv4 option passed to ip_optcopy
Stopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
365949 75496 65534 0x10 0 0 syz-executor1
*101519 75496 65534 0x10 0x4000000 1K syz-executor1
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x147 sys/kern/subr_prf.c:208
ip_fragment(7ea7536a75616f7c,ffffff0074f8d9d9,ffff800000173290) at ip_fragment+0x625
ip_output(d3627c8d2952cf3d,ffffff006f2fc118,ffffff0074f8d900,0,ffffff006d8aec00,ffffff006e71dc08) at ip_output+0xc8d sys/netinet/ip_output.c:501
udp_output(233df67544314163,1400,ffffff006e71dc08,0) at udp_output+0x45a sys/netinet/udp_usrreq.c:1004
sosend(79ac66295e5064d2,ffffff00681b2e20,ffff800021199220,ffff8000211992d0,1000,0) at sosend+0x477 sys/kern/uipc_socket.c:513
dofilewritev(c5d8e032ad849e86,ffff80002108bc38,ffff8000211992d0,1000,ffff8000211992e8) at dofilewritev+0x148 sys/kern/sys_generic.c:364
sys_write(2c8bc2bbbf49ec6a,40,ffff80002108bc38) at sys_write+0x7b sys/kern/sys_generic.c:283
syscall(8a61feb5c2b2d6da) at syscall+0x473 mi_syscall sys/sys/syscall_mi.h:99 [inline]
syscall(8a61feb5c2b2d6da) at syscall+0x473 sys/arch/amd64/amd64/trap.c:583
Xsyscall(6,0,c,0,3,1c2da879010) at Xsyscall+0x128
end of kernel
end trace frame: 0x1c51fb9ba10, count: 5
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{1}>
ddb{1}> set $lines = 0
ddb{1}> show panic
malformed IPv4 option passed to ip_optcopy
ddb{1}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x147 sys/kern/subr_prf.c:208
ip_fragment(7ea7536a75616f7c,ffffff0074f8d9d9,ffff800000173290) at ip_fragment+0x625
ip_output(d3627c8d2952cf3d,ffffff006f2fc118,ffffff0074f8d900,0,ffffff006d8aec00,ffffff006e71dc08) at ip_output+0xc8d sys/netinet/ip_output.c:501
udp_output(233df67544314163,1400,ffffff006e71dc08,0) at udp_output+0x45a sys/netinet/udp_usrreq.c:1004
sosend(79ac66295e5064d2,ffffff00681b2e20,ffff800021199220,ffff8000211992d0,1000,0) at sosend+0x477 sys/kern/uipc_socket.c:513
dofilewritev(c5d8e032ad849e86,ffff80002108bc38,ffff8000211992d0,1000,ffff8000211992e8) at dofilewritev+0x148 sys/kern/sys_generic.c:364
sys_write(2c8bc2bbbf49ec6a,40,ffff80002108bc38) at sys_write+0x7b sys/kern/sys_generic.c:283
syscall(8a61feb5c2b2d6da) at syscall+0x473 mi_syscall sys/sys/syscall_mi.h:99 [inline]
syscall(8a61feb5c2b2d6da) at syscall+0x473 sys/arch/amd64/amd64/trap.c:583
Xsyscall(6,0,c,0,3,1c2da879010) at Xsyscall+0x128
end of kernel
end trace frame: 0x1c51fb9ba10, count: -10
ddb{1}> show registers
rdi 0xffffffff81f15558 kprintf_mutex
rsi 0xffffffff8109bf47 db_enter+0x17
rbp 0xffff800021198e50
rbx 0xffff800021198ef0
rdx 0xffff8000042df000
rcx 0x129f __ALIGN_SIZE+0x29f
rax 0xffff8000042df000
r8 0xffff800021198e20
r9 0
r10 0xacb42b66d5a98c40
r11 0xf168591978ec38cf
r12 0x3000000008
r13 0xffff800021198e60
r14 0x100
r15 0xffffffff81c5f94c apollo_udma100_tim+0x10bae
rip 0xffffffff8109bf48 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff800021198e40
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb{1}> show proc
PROC (syz-executor1) pid=101519 stat=onproc
flags process=10<SUGID> proc=4000000<THREAD>
pri=81, usrpri=81, nice=20
forw=0xffffffffffffffff, list=0xffff80002108a4c8,0xffffffff81fbf118
process=0xffff8000210646a0 user=0xffff800021194000, vmspace=0xffffff0065979c68
estcpu=36, cpticks=1, pctcpu=0.0
user=0, sys=1, intr=0
ddb{1}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
75496 365949 22087 65534 7 0x10 syz-executor1
*75496 101519 22087 65534 7 0x4000010 syz-executor1
84018 267273 49080 65534 3 0x90 nanosleep syz-executor0
84018 389140 49080 65534 3 0x4000090 piperd syz-executor0
49080 259755 94496 65534 3 0x90 nanosleep syz-executor0
94496 380045 92664 0 3 0x82 wait syz-executor0
22087 358697 8822 65534 3 0x90 nanosleep syz-executor1
8822 40310 92664 0 3 0x82 wait syz-executor1
92046 45666 0 0 3 0x14200 bored sosplice
92664 137206 16025 0 3 0x82 thrsleep syz-fuzzer
92664 80833 16025 0 3 0x4000082 nanosleep syz-fuzzer
92664 203684 16025 0 3 0x4000082 thrsleep syz-fuzzer
92664 126959 16025 0 3 0x4000082 thrsleep syz-fuzzer
92664 279011 16025 0 3 0x4000082 thrsleep syz-fuzzer
92664 144629 16025 0 3 0x4000082 thrsleep syz-fuzzer
92664 452866 16025 0 3 0x4000082 thrsleep syz-fuzzer
92664 59393 16025 0 3 0x4000082 kqread syz-fuzzer
92664 110682 16025 0 3 0x4000082 thrsleep syz-fuzzer
92664 171462 16025 0 3 0x4000082 nanosleep syz-fuzzer
16025 315452 44723 0 3 0x10008a pause ksh
44723 105811 38410 0 3 0x92 select sshd
55938 15106 1 0 3 0x100083 ttyin getty
38410 411362 1 0 3 0x80 select sshd
48566 157821 66366 73 3 0x100090 kqread syslogd
66366 301054 1 0 3 0x100082 netio syslogd
82084 418369 1 77 3 0x100090 poll dhclient
13260 327573 1 0 3 0x80 poll dhclient
37122 387859 0 0 3 0x14200 pgzero zerothread
34260 177508 0 0 3 0x14200 aiodoned aiodoned
1718 468884 0 0 3 0x14200 syncer update
89324 334774 0 0 3 0x14200 cleaner cleaner
22 434730 0 0 3 0x14200 reaper reaper
37355 22422 0 0 3 0x14200 pgdaemon pagedaemon
38494 479977 0 0 3 0x14200 bored crynlk
12255 377899 0 0 3 0x14200 bored crypto
43721 222245 0 0 3 0x40014200 acpi0 acpi0
24472 401461 0 0 3 0x40014200 idle1
61989 159715 0 0 3 0x14200 bored softnet
41099 392852 0 0 3 0x14200 bored systqmp
91597 263306 0 0 3 0x14200 bored systq
48327 147667 0 0 3 0x40014200 bored softclock
77085 476335 0 0 3 0x40014200 idle0
1 292742 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper