Date:      Wed, 1 Feb 2006 10:47:52 -0500
From:      Andrew Gallatin <gallatin@cs.duke.edu>
To:        Pawel Jakub Dawidek <pjd@FreeBSD.org>
Cc:        cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/sys/kern kern_malloc.c src/share/man/man9 Makefile redzone.9 src/sys/vm redzone.c redzone.h src/sys/conf NOTES files options
Message-ID:  <20060201104752.A68774@grasshopper.cs.duke.edu>
In-Reply-To: <200601311109.k0VB9MRq025366@repoman.freebsd.org>; from pjd@FreeBSD.org on Tue, Jan 31, 2006 at 11:09:22AM +0000
References:  <200601311109.k0VB9MRq025366@repoman.freebsd.org>

Pawel Jakub Dawidek [pjd@FreeBSD.org] wrote:
> pjd         2006-01-31 11:09:22 UTC
> 
>   FreeBSD src repository
> 
>   Modified files:
>     sys/kern             kern_malloc.c 
>     share/man/man9       Makefile 
>     sys/conf             NOTES files options 
>   Added files:
>     share/man/man9       redzone.9 
>     sys/vm               redzone.c redzone.h 
>   Log:
>   Add buffer corruption protection (RedZone) for kernel's malloc(9).
>   It detects both buffer underflow and buffer overflow bugs at runtime
>   (on free(9) and realloc(9)) and prints backtraces from where memory was
>   allocated and from where it was freed.
>   

If I enable DEBUG_REDZONE on an amd64 machine (UP, 512MB ram),
I get this panic on startup:

FreeBSD 7.0-CURRENT #0: Tue Jan 31 17:17:41 EST 2006
    gallatin@venice:/usr/src/sys/amd64/compile/VENICEW
WARNING: WITNESS option enabled, expect reduced performance.
Memory modified after free 0xffffff0000006d00(248) val=5 @ 0xffffff0000006dd0
kernel trap 9 with interrupts disabled

Fatal trap 9: general protection fault while in kernel mode
instruction pointer     = 0x8:0xffffffff80302bd0
stack pointer           = 0x10:0xffffffff8075c9f0
frame pointer           = 0x10:0xffffffff8075cb10
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = resume, IOPL = 0
current process         = 0 ()
[thread pid 0 tid 0 ]
Stopped at      strlen: cmpb    $0,0(%rdi)
db> tr
Tracing pid 0 tid 0 td 0xffffffff805d70a0
strlen() at strlen
vsnprintf() at vsnprintf+0x2e
panic() at panic+0x18c
mtrash_ctor() at mtrash_ctor+0x78
uma_zalloc_arg() at uma_zalloc_arg+0x306
malloc() at malloc+0xb0
init_dynamic_kenv() at init_dynamic_kenv+0x6b
mi_startup() at mi_startup+0xd3
btext() at btext+0x2c
db> 

The place where it tried to panic is:

(gdb) l *mtrash_ctor +0x78
0xffffffff8039b128 is at ../../../vm/uma_dbg.c:137.
132
133             for (p = mem; cnt > 0; cnt--, p++)
134                     if (*p != uma_junk) {
135                             printf("Memory modified after free %p(%d) val=%x @ %p\n",
136                                 mem, size, *p, p);
137                             panic("Most recently used by %s\n", (*ksp == NULL)?
138                                 "none" : (*ksp)->ks_shortdesc);
139                     }
140             return (0);
141     }


Removing DEBUG_REDZONE allows me to boot again.  Does DEBUG_REDZONE not
work on amd64, or is there a bad interaction in general with the 
mtrash'ing done by INVARIANTS, or is this something else entirely?

Drew
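The two mechanisms that collide in this report, red zones checked on free and the "Memory modified after free" trash check done by mtrash_ctor(), can be modelled in a few dozen lines of user-space C. The block below is an added example and is not code from the RedZone commit, from uma_dbg.c, or from this report; the rz_* names, the guard size, the fill bytes and the one-slot quarantine are all invented for illustration and do not match the kernel's redzone(9) or uma_dbg interfaces.

```c
/* Added example (not FreeBSD code): a user-space model of red-zone checking
 * on free plus a trash-pattern check on freed memory, in the spirit of
 * redzone(9) and mtrash_ctor(). All names and constants are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RZ_GUARD  16    /* assumed: guard bytes on each side of the user buffer */
#define RZ_FILL   0x42  /* assumed: red zone fill pattern */
#define RZ_JUNK   0xd0  /* assumed: byte stored into freed memory, like uma_junk */

/* Bits reported by rz_free(). */
#define RZ_OK        0
#define RZ_UNDERFLOW 1  /* bytes before the buffer were written */
#define RZ_OVERFLOW  2  /* bytes after the buffer were written */

/* Chunk layout: [header][leading guard][user bytes][trailing guard]. */
struct rz_hdr {
    size_t size;        /* user-visible size */
};

static unsigned char *rz_raw(void *p)
{
    return (unsigned char *)p - RZ_GUARD - sizeof(struct rz_hdr);
}

static struct rz_hdr *rz_header(void *p)
{
    return (struct rz_hdr *)rz_raw(p);
}

/* Allocate `size` user bytes surrounded by two filled red zones. */
void *rz_malloc(size_t size)
{
    unsigned char *raw = malloc(sizeof(struct rz_hdr) + 2 * RZ_GUARD + size);
    if (raw == NULL)
        return NULL;
    ((struct rz_hdr *)raw)->size = size;
    unsigned char *user = raw + sizeof(struct rz_hdr) + RZ_GUARD;
    memset(user - RZ_GUARD, RZ_FILL, RZ_GUARD);   /* leading red zone */
    memset(user + size, RZ_FILL, RZ_GUARD);       /* trailing red zone */
    return user;
}

/* Offset of the first byte in [p, p+len) that is not `val`, or -1 if none. */
static long rz_scan(const unsigned char *p, size_t len, unsigned char val)
{
    for (size_t i = 0; i < len; i++)
        if (p[i] != val)
            return (long)i;
    return -1;
}

/* One-slot quarantine: the most recently freed chunk is kept, filled with
 * RZ_JUNK, so a later write through a dangling pointer can be detected. */
static unsigned char *quarantine_user;

/* Check both red zones of p, then trash and quarantine it.
 * Returns a bitmask of RZ_UNDERFLOW / RZ_OVERFLOW (RZ_OK if both intact). */
int rz_free(void *p)
{
    struct rz_hdr *h = rz_header(p);
    unsigned char *user = p;
    int result = RZ_OK;

    if (rz_scan(user - RZ_GUARD, RZ_GUARD, RZ_FILL) >= 0)
        result |= RZ_UNDERFLOW;
    if (rz_scan(user + h->size, RZ_GUARD, RZ_FILL) >= 0)
        result |= RZ_OVERFLOW;

    if (quarantine_user != NULL)              /* really release the old one */
        free(rz_raw(quarantine_user));
    memset(user, RZ_JUNK, h->size);           /* trash the freed bytes */
    quarantine_user = user;
    return result;
}

/* The mtrash_ctor()-style check: has the quarantined memory been modified
 * since it was freed? Returns the offset of the first changed byte, or -1. */
long rz_quarantine_check(void)
{
    if (quarantine_user == NULL)
        return -1;
    return rz_scan(quarantine_user, rz_header(quarantine_user)->size, RZ_JUNK);
}

/* Driver: three constructed bugs, each caught by one check. Returns 1 on success. */
int rz_demo(void)
{
    char *a = rz_malloc(24);
    memset(a, 'A', 24);
    a[24] = 'X';                        /* one-byte overflow into the trailing guard */
    int r1 = rz_free(a);                /* RZ_OVERFLOW */

    char *b = rz_malloc(24);
    b[-1] = 'X';                        /* write into the leading guard */
    int r2 = rz_free(b);                /* RZ_UNDERFLOW */

    char *c = rz_malloc(40);
    rz_free(c);
    c[8] = 5;                           /* write after free through a dangling pointer */
    long off = rz_quarantine_check();   /* 8 */

    printf("overflow=%d underflow=%d modified-after-free@%ld\n", r1, r2, off);
    return r1 == RZ_OVERFLOW && r2 == RZ_UNDERFLOW && off == 8;
}
```

The model keeps the two checks separate so it is visible that they inspect different bytes: rz_free() looks only at the guards outside the user region, while rz_quarantine_check() looks only at the user bytes of an already freed chunk. In the kernel the second check runs when the item is handed out again, which is the point in the trace above (uma_zalloc_arg -> mtrash_ctor) where the report says it fired.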


