Bug 188510 - [patch] rtadvd(8): "rtadvctl show" crashes on BeagleBone Black due to unaligned access
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: CURRENT
Hardware: Any Any
: Normal Affects Only Me
Assignee: freebsd-bugs mailing list
 
Reported: 2014-04-12 14:10 UTC by guyyur
Modified: 2017-12-31 22:24 UTC (History)

Attachments
rtadvd_control_align.patch (2.84 KB, patch)
2014-04-12 14:10 UTC, guyyur
file.diff (2.98 KB, patch)
2014-04-12 14:10 UTC, guyyur

Description guyyur 2014-04-12 14:10:01 UTC
"rtadvctl show" core dumps on Bus error when run on BeagleBone Black.

(gdb) bt
#0  cm_pl2bin (str=<value optimized out>, cp=<value optimized out>)
    at /usr/src/usr.sbin/rtadvctl/../rtadvd/control.c:458
#1  0x0000a59c in action_plgeneric (action=<value optimized out>,
    plstr=<value optimized out>, buf=0xbfffcd6c "\001")
    at /usr/src/usr.sbin/rtadvctl/rtadvctl.c:264
#2  0x0000a3c8 in action_propget (argv=0xbffff2d1 "", cp=0xbfffedf0)
    at /usr/src/usr.sbin/rtadvctl/rtadvctl.c:285
#3  0x00009354 in action_show (argc=<value optimized out>,
    argv=<value optimized out>)
    at /usr/src/usr.sbin/rtadvctl/rtadvctl.c:432
#4  0x00009184 in main (argc=<value optimized out>, argv=0xbffff2d1)
    at /usr/src/usr.sbin/rtadvctl/rtadvctl.c:187
#5  0x00008fdc in __start (argc=2, argv=0xbffffb98, env=0xbffffba4,
    ps_strings=<value optimized out>, obj=0x2003c000,
    cleanup=<value optimized out>) at /usr/src/lib/csu/arm/crt1.c:115
#6  0x2001fd3c in _rtld_get_stack_prot () from /libexec/ld-elf.so.1
#7  0x2001fd3c in _rtld_get_stack_prot () from /libexec/ld-elf.so.1
Current language:  auto; currently minimal

disassembly:
0x0000b0c4 <cm_pl2bin+368>:     str     r0, [r8]

info registers:
...
r8             0xbfffcd87       -1073754745
...
pc             0xb0c4   45252


The protocol between rtadvd and rtadvctl writes a size_t len
followed by a string for each of ifname, key and value.  When
ifname or key is supplied and their length is not a multiple of 4
the write of the next field size_t len will be to an unaligned
address and a trap will be generated on the BeagleBone Black.

Fix: Attached two patches with different ways to resolve the problem.

1. rtadvd_control_align.patch
Round up the strings to align on sizeof(size_t).
Is there a round up macro that can be used instead of explicit calculation?
Requires using matching rtadvd and rtadvctl since the protocol changed.


2. rtadvd_control_packed.patch
Use __packed structure access for the size_t len so byte instructions
will be used to read/write the len on arm.
Protocol doesn't change so compatibility between old and
fixed rtadvd and rtadvctl is kept.


	
How-To-Repeat: Run "rtadvctl show" on an arm machine with trapping
for unaligned access enabled.
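
Added example (not taken from the attached patches or the rtadvd source): a C sketch of the framing described in the report, showing where the second size_t len lands and the two repair approaches, padding each string to sizeof(size_t) and reading the len bytewise (done here with memcpy instead of the patch's __packed structure). The buffer, the function names and the sample strings "cpsw0" and "key1" are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Round n up to a multiple of sizeof(size_t), which is a power of two. */
#define LEN_ALIGN(n) (((n) + sizeof(size_t) - 1) & ~(sizeof(size_t) - 1))
static size_t storage[16];	/* backing store, aligned for size_t */
static unsigned char *const msg = (unsigned char *)storage;

/* Append len + bytes at off; pad != 0 zero-fills to LEN_ALIGN(len) (fix 1). */
static size_t put_field(size_t off, const char *s, int pad)
{
	size_t len = strlen(s), room = pad ? LEN_ALIGN(len) : len;
	memcpy(msg + off, &len, sizeof(len));	/* valid at any address */
	memset(msg + off + sizeof(len), 0, room);
	memcpy(msg + off + sizeof(len), s, len);
	return off + sizeof(len) + room;
}

/* Read a len without assuming alignment (same effect as the second fix). */
static size_t get_len(size_t off)
{
	size_t len;
	memcpy(&len, msg + off, sizeof(len));
	return len;
}

/* Nonzero if a direct *(size_t *)(msg + off) access would be aligned. */
static int len_is_aligned(size_t off)
{
	return (uintptr_t)(msg + off) % sizeof(size_t) == 0;
}

/* Encode ifname, then key; return the offset of the key's len field. */
static size_t second_len_offset(const char *ifname, const char *key, int pad)
{
	size_t off = put_field(0, ifname, pad);
	put_field(off, key, pad);
	return off;
}

int main(void)
{
	for (int pad = 0; pad <= 1; pad++) {	/* sample strings are constructed */
		size_t off = second_len_offset("cpsw0", "key1", pad);
		printf("pad=%d offset=%zu aligned=%d len=%zu\n", pad, off,
		    len_is_aligned(off), get_len(off));
	}
	return 0;
}
```

Without padding, the key's len starts at sizeof(size_t) + 5, which is misaligned for both 4-byte and 8-byte size_t, yet the memcpy read still returns the right value; with padding the offset is aligned, at the cost of a wire-format change.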
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2014-05-04 04:35:33 UTC
Responsible Changed
From-To: freebsd-arm->freebsd-bugs

Although the problem is arm-specific, the patch is not.  Reclassify.
Comment 2 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 07:59:49 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped