Matthieu Boutier

Kernel Panic on Mac OS (6/11/2014)

This bug has been fixed on OS X.11 El Capitan (7/10/2015).


The sendmsg system call allow a program to specify some options to modify the behaviour of outgoing packets. One of its option allow to specify the source address of the packets. I had to use this option to take benefit of source-sensitive routing with UDP-based applications.

One interesting thing is that even if Mac OS is based on freeBSD for almost anything, it doesn't use the BSD constants (IP_SENDSRCADDR) for this particular case, but the Linux ones (IP_PKTINFO). Another intersting thing is that we can (currently) crash Mac OS just by sending a message with specific source address over an unbound socket.

Crashing OSX

You can download a 80 lines-of-code program that crash Mac OS by kernel panic. It has been tested on 10.7 and 10.9 on different computers.

The bug is that the kernel wants to have a bound socket, so uncommenting line 60 will avoid the problem. The thing is that we are binding the socket with the (undefined) address, and without specifying a port number: this is without any interest from the programmer point of view. The natural thing would be that the kernel bind itself the socket to that special address. We can hope this will be fixed in a near future...

For now, you can use this « feature » to admire the beautiful Mac OS kernel panic screen, and share this to your friends.