Date:      Mon, 3 Sep 2018 14:51:34 -0400
From:      Mark Johnston <markj@freebsd.org>
To:        Shawn Webb <shawn.webb@hardenedbsd.org>
Cc:        freebsd-current@freebsd.org
Subject:   Re: redzone catching a buffer overflow in swapoff_one
Message-ID:  <20180903185134.GD2751@raichu>
In-Reply-To: <20180903174016.5ofc4p27vilkf2yk@mutt-hbsd>
References:  <20180903174016.5ofc4p27vilkf2yk@mutt-hbsd>

On Mon, Sep 03, 2018 at 01:40:16PM -0400, Shawn Webb wrote:
> I'm unsure whether this is a false positive or true positive, but it
> looks like there may be a buffer overflow in swapoff_one:
> 
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] REDZONE: Buffer overflow detected. 16 bytes corrupted after 0xfffffe1fe0023248 (2237000 bytes allocated).
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] Allocation backtrace:
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #0 0xffffffff80e188e1 at redzone_setup+0xe1
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #1 0xffffffff80ac8007 at malloc+0x1d7
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #2 0xffffffff80b1f449 at blist_create+0x99
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #3 0xffffffff80e1daa7 at swaponsomething+0xe7
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #4 0xffffffff80e1c233 at sys_swapon+0x413
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #5 0xffffffff80fc0e5e at amd64_syscall+0x29e
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #6 0xffffffff80f9dc9d at fast_syscall_common+0x101
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] Free backtrace:
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #0 0xffffffff80e18c28 at redzone_check+0x2f8
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #1 0xffffffff80ac85af at free_dbg+0x5f
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #2 0xffffffff80ac84aa at free+0x1a
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #3 0xffffffff80e1cae5 at swapoff_one+0x675
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #4 0xffffffff80e1cc57 at swapoff_all+0xd7
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #5 0xffffffff80b9991a at bufshutdown+0x2ca
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #6 0xffffffff80aec36e at kern_reboot+0x21e
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #7 0xffffffff80aec0f9 at sys_reboot+0x3a9
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #8 0xffffffff80fc0e5e at amd64_syscall+0x29e
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #9 0xffffffff80f9dc9d at fast_syscall_common+0x101
> 
> Of course, I'm running HardenedBSD 12-CURRENT/amd64. I've synced with
> FreeBSD at this commit:
> https://github.com/freebsd/freebsd/commit/2f2449cc1cdfc19ae34b2317e792af489418a01a
> 
> So my src tree is at this commit:
> https://github.com/HardenedBSD/hardenedBSD/commit/98f90fadab000b818a731be4650ac1a47144501c
> 
> I've not yet studied the swap pager's code and plan to start learning
> it soon.

See PR 231116.
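As an added illustration, not part of this thread and not FreeBSD's redzone(9) code, the toy allocator below reproduces the idea behind the REDZONE report quoted above: a guard region with a known fill pattern is placed after every buffer when it is allocated, and the pattern is verified when the buffer is freed. That is why the corruption surfaces in the free backtrace (free_dbg -> redzone_check) even though the overrun itself happened earlier. The 16-byte guard size, the 0x42 fill byte and all function names are assumptions of this example; the allocation size 2237000 in the test matches the report only as an illustrative input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy redzone allocator for illustration only; not FreeBSD's redzone(9). */
#define RZ_SIZE 16           /* guard bytes placed after every buffer (assumed) */
#define RZ_FILL 0x42         /* pattern the guard must still hold at free (assumed) */
#define RZ_HDR  sizeof(size_t)

/* Allocate `size` user bytes. The requested size is recorded in a header
 * in front of the buffer and RZ_SIZE guard bytes, filled with RZ_FILL,
 * follow it. */
void *rz_malloc(size_t size)
{
    unsigned char *base = malloc(RZ_HDR + size + RZ_SIZE);
    if (base == NULL)
        return NULL;
    memcpy(base, &size, sizeof size);
    unsigned char *user = base + RZ_HDR;
    memset(user + size, RZ_FILL, RZ_SIZE);
    return user;
}

/* Release a block and return how many guard bytes no longer hold RZ_FILL.
 * 0 means the guard is intact; anything else means something wrote past
 * the end of the buffer between rz_malloc() and this call. The message
 * mirrors the shape of the kernel's REDZONE line. */
size_t rz_free(void *p)
{
    unsigned char *user = p;
    unsigned char *base = user - RZ_HDR;
    size_t size, corrupted = 0;

    memcpy(&size, base, sizeof size);
    for (size_t i = 0; i < RZ_SIZE; i++)
        if (user[size + i] != RZ_FILL)
            corrupted++;
    if (corrupted != 0)
        fprintf(stderr, "REDZONE: Buffer overflow detected. %zu bytes corrupted "
                "after %p (%zu bytes allocated).\n", corrupted, p, size);
    free(base);
    return corrupted;
}

/* Constructed scenario: allocate `alloc_size` bytes, write `overrun` bytes
 * past the end (clamped to the guard, so the write stays inside memory this
 * toy owns), then report what the free-time check finds. */
size_t rz_demo_overrun(size_t alloc_size, size_t overrun)
{
    if (overrun > RZ_SIZE)
        overrun = RZ_SIZE;   /* damage beyond the guard is invisible to the check */
    unsigned char *buf = rz_malloc(alloc_size);
    if (buf == NULL)
        return (size_t)-1;
    /* 0x00 differs from RZ_FILL, so every overrun byte becomes detectable. */
    memset(buf, 0, alloc_size + overrun);
    return rz_free(buf);
}

int main(void)
{
    printf("clean block: %zu guard bytes corrupted\n", rz_demo_overrun(64, 0));
    printf("16-byte overrun: %zu guard bytes corrupted\n", rz_demo_overrun(64, 16));
    return 0;
}
```

Two limits of this scheme carry over to real redzone checking: an overrun is only reported when the block is eventually freed, and only the bytes that land inside the guard are counted, so "16 bytes corrupted" is a lower bound on the damage when the guard is 16 bytes wide.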
