| Field | Value |
|---|---|
| Summary: | [linux] kdump(1) segfaults on freebsd6_mmap syscall |
| Product: | Base System |
| Reporter: | Patrick Lamaiziere <patpr> |
| Component: | bin |
| Assignee: | attilio |
| Status: | Closed FIXED |
| Severity: | Affects Only Me |
| Priority: | Normal |
| Version: | Unspecified |
| Hardware: | Any |
| OS: | Any |
| Attachments: | |
My apologies, I forgot to say that it was a kdump on a Linux program (acroread8). Shall kdump work in this case?

This is a duplicate of kern/119564. (You should use the devel/linux_kdump port for Linux binaries.) However I think that it might be reasonable to commit the attached patch to avoid kdump segfaulting on "corrupted" dumps.

Responsible Changed From-To: freebsd-bugs->dchagin

Grab PR, I have a solution.

This patch isn't in HEAD yet. Would be nice to have it there.

Author: attilio
Date: Sat Nov 7 21:46:34 2009
New Revision: 199024
URL: http://svn.freebsd.org/changeset/base/199024

Log:
Use a safety belt for cases where corrupted narg can be passed to the ktrsyscall(). print_number() does decrement the number of arguments, leading to infinite loops for negative values.

Reported by: Patrick Lamaiziere <patpr at davenulle dot org>, Jonathan Pascal <jkpyvxmzsa at mailinator dot com>
Submitted by: jh
PR: bin/120055, kern/119564
MFC: 1 week

Modified:
head/usr.bin/kdump/kdump.c

Modified: head/usr.bin/kdump/kdump.c
============================================================================== --- head/usr.bin/kdump/kdump.c Sat Nov 7 21:28:21 2009 (r199023) +++ head/usr.bin/kdump/kdump.c Sat Nov 7 21:46:34 2009 (r199024) @@ -799,7 +799,7 @@ ktrsyscall(struct ktr_syscall *ktr) narg--; } } - while (narg) { + while (narg > 0) { print_number(ip,narg,c); } (void)putchar(')');

Committed to HEAD (r199024) by attilio@. Please set PR into patched state. Thanks. alex

State Changed From-To: open->patched

A patch has been committed.

Responsible Changed From-To: dchagin->attilio

Over to the committer of the patch.

Patch is in all branches except 6. Cheers. alex

State Changed From-To: patched->closed

Fixed in RELENG_7, RELENG_8 and HEAD. RELENG_6 went EoL.
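Review bot: in the kdump.c hunk, changing `- while (narg) {` to `+ while (narg > 0) {` stops the trailing loop once narg has gone negative, but nothing in the hunk prevents the freebsd6_mmap branch above it from consuming four argument slots from a record whose ktr_narg is 3 (the reported case), so print_number() and mmapflagsname() still read past the recorded arguments before the loop is reached. Consider also checking narg against the number of slots the branch needs before entering it, and flagging or skipping the record when it is too short, so a corrupted or foreign (linux) ktrace record is rejected rather than partially decoded.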
kdump crashes with a segfault when dumping the content of the syscall freebsd6_mmap:

```
$ kdump
69472 bash CALL freebsd6_mmap(0x3,0xbfbfdeb8,<invalid>672202704,MAP_SHARED|[CUT],0,0,...
<SEGFAULT>
```

I've inserted some printf() in /usr/src/usr.bin/kdump/kdump.c and the problem is that ktr->narg is equal to 3 when ktrsyscall() is called for this syscall.

Line 305, /usr/src/usr.bin/kdump/kdump.c:

```c
void
ktrsyscall(struct ktr_syscall *ktr)
{
	int narg = ktr->ktr_narg;
	register_t *ip;
[CUT]
#ifdef SYS_freebsd6_mmap
	} else if (ktr->ktr_code == SYS_freebsd6_mmap) {
		print_number(ip,narg,c);
		print_number(ip,narg,c);
		(void)putchar(',');
		mmapprotname ((int)*ip);
		(void)putchar(',');
		ip++;
		narg--;
		mmapflagsname ((int)*ip);
		ip++;
		narg--;
```

Here narg = -1 because the macro print_number() decrements narg. So after that, it loops until it segfaults:

```c
[CUT]
	while (narg) {
		print_number(ip,narg,c);
	}
	(void)putchar(')');
```

For a fix, a "while (narg>0)" will be safer, but I don't know if this is a bug in the call, a bug in ktrace or only a bug in kdump.

Regards.

How-To-Repeat: The ktrace.out (gzipped) can be found here: http://user.lamaiziere.net/patrick/ktrace.out.gz
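As an added illustration (constructed here, not kdump's code), this C model reproduces the narg accounting the report describes: the freebsd6_mmap branch consumes four slots, a three-argument record leaves narg at -1, the pre-r199024 `while (narg)` loop never terminates (bounded here by a demo-only cap), the `narg > 0` loop stops, and an up-front length check on the branch rejects the short record before it reads past the recorded arguments. The argument values are the ones visible in the report's kdump line; the type and function names are invented for the model.

```c
#include <stdio.h>

typedef long ktr_arg_t;   /* constructed stand-in for the register_t kdump uses */

/* Constructed model (not kdump's code) of the narg accounting in ktrsyscall():
 * print_number() formats one argument, advances ip and decrements narg. */
#define print_number(ip, narg, c) do {                      \
        printf("%c%#lx", (c), (unsigned long)*(ip));        \
        (c) = ','; (ip)++; (narg)--;                        \
} while (0)

/* Trailing loop as it was before r199024.  `cap` is a demo-only guard so the
 * runaway can be observed instead of hanging; returns -1 when it is hit. */
static int finish_old(const ktr_arg_t *ip, int narg, int cap) {
    char c = ','; int printed = 0;
    while (narg) {                        /* a negative narg never reaches 0 */
        if (printed >= cap) return -1;
        print_number(ip, narg, c); printed++;
    }
    return printed;
}

/* Trailing loop as committed in r199024. */
static int finish_new(const ktr_arg_t *ip, int narg) {
    char c = ','; int printed = 0;
    while (narg > 0) {                    /* stops once narg is <= 0 */
        print_number(ip, narg, c); printed++;
    }
    return printed;
}

/* The freebsd6_mmap branch in the report consumes four slots (addr, len, prot,
 * flags) before the trailing loop.  Checking narg up front rejects a short
 * record (ktr_narg == 3 in the report) instead of reading past the recorded
 * arguments; returns the narg left for the loop, or -1 for a short record. */
#define FREEBSD6_MMAP_FIXED_SLOTS 4
static int decode_freebsd6_mmap(const ktr_arg_t *ip, int narg) {
    char c = '(';
    if (narg < FREEBSD6_MMAP_FIXED_SLOTS) return -1;
    print_number(ip, narg, c);                               /* addr */
    print_number(ip, narg, c);                               /* len  */
    printf(",prot=%#lx", (unsigned long)*ip); ip++; narg--;
    printf(",flags=%#lx", (unsigned long)*ip); ip++; narg--;
    return narg;
}

/* Constructed sample record: the three values visible in the report's kdump line. */
static const ktr_arg_t sample_args[16] = { 0x3, 0xbfbfdeb8, 672202704 };
```

With `sample_args` and narg 3, `decode_freebsd6_mmap` returns -1 before touching the record, while the old loop fed narg -1 only stops because of the demo cap.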