Date:      Mon, 3 Sep 2018 13:09:39 -0700
From:      Mark Millard <marklmi@yahoo.com>
To:        shawn.webb@hardenedbsd.org, FreeBSD Current <freebsd-current@freebsd.org>
Subject:   Re: redzone catching a buffer overflow in swapoff_one
Message-ID:  <74FA848C-A569-463A-810D-E19567A9616F@yahoo.com>

Shawn Webb shawn.webb at hardenedbsd.org wrote on
Mon Sep 3 17:41:17 UTC 2018 :

> I'm unsure whether this is a false positive or true positive, but it
> looks like there may be a buffer overflow in swapoff_one:
> 
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] REDZONE: Buffer overflow detected. 16 bytes corrupted after 0xfffffe1fe0023248 (2237000 bytes allocated).
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] Allocation backtrace:
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #0 0xffffffff80e188e1 at redzone_setup+0xe1
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #1 0xffffffff80ac8007 at malloc+0x1d7
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #2 0xffffffff80b1f449 at blist_create+0x99
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #3 0xffffffff80e1daa7 at swaponsomething+0xe7
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #4 0xffffffff80e1c233 at sys_swapon+0x413
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #5 0xffffffff80fc0e5e at amd64_syscall+0x29e
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #6 0xffffffff80f9dc9d at fast_syscall_common+0x101
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] Free backtrace:
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #0 0xffffffff80e18c28 at redzone_check+0x2f8
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #1 0xffffffff80ac85af at free_dbg+0x5f
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #2 0xffffffff80ac84aa at free+0x1a
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #3 0xffffffff80e1cae5 at swapoff_one+0x675
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #4 0xffffffff80e1cc57 at swapoff_all+0xd7
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #5 0xffffffff80b9991a at bufshutdown+0x2ca
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #6 0xffffffff80aec36e at kern_reboot+0x21e
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #7 0xffffffff80aec0f9 at sys_reboot+0x3a9
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #8 0xffffffff80fc0e5e at amd64_syscall+0x29e
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #9 0xffffffff80f9dc9d at fast_syscall_common+0x101

See:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231116

for "Out of bounds memory access in blist_create()" with
a Mark Johnston patch in Comment #2.

===
Mark Millard
marklmi at yahoo.com
( dsl-only.net went
away in early 2018-Mar)
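The report above shows the shape of a red-zone detector: a guard area filled with a known pattern is placed after each allocation at malloc time (redzone_setup in the allocation backtrace), and the pattern is verified when the buffer is freed (redzone_check in the free backtrace), which is why a write past the end made during swapon is only reported much later, in swapoff_one. The following user-space toy, added here as an illustration and not code from this thread or from FreeBSD's redzone(9), implements that mechanism: the 16-byte guard size, the 0x42 fill byte, the header layout and the demo_overflow helper are this example's own assumptions, chosen so the output resembles the kernel message quoted above.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy red-zone allocator modelled on the idea behind FreeBSD's redzone(9).
 * Assumptions of this example: a 16-byte trailing guard filled with 0x42,
 * a small header recording the requested length, and reporting on free(). */
#define RZ_SIZE 16          /* guard bytes placed after every allocation */
#define RZ_FILL 0x42        /* pattern the guard is later checked against */

struct rz_hdr {
    size_t len;             /* bytes the caller asked for */
};

/* Return len usable bytes; an RZ_SIZE-byte guard zone follows them. */
void *rz_malloc(size_t len)
{
    struct rz_hdr *h = malloc(sizeof *h + len + RZ_SIZE);
    if (h == NULL)
        return NULL;
    h->len = len;
    unsigned char *p = (unsigned char *)(h + 1);
    memset(p + len, RZ_FILL, RZ_SIZE);   /* arm the guard */
    return p;
}

/* Count guard bytes that no longer hold the fill pattern (0 = intact).
 * Only detects overruns past the END of the buffer, like the kernel message. */
size_t rz_check(const void *ptr)
{
    const struct rz_hdr *h = (const struct rz_hdr *)ptr - 1;
    const unsigned char *zone = (const unsigned char *)ptr + h->len;
    size_t bad = 0;
    for (size_t i = 0; i < RZ_SIZE; i++)
        if (zone[i] != RZ_FILL)
            bad++;
    return bad;
}

/* Verify the guard, report in the style of the kernel log line, release the
 * memory and return the number of corrupted guard bytes. */
size_t rz_free(void *ptr)
{
    if (ptr == NULL)
        return 0;
    struct rz_hdr *h = (struct rz_hdr *)ptr - 1;
    size_t bad = rz_check(ptr);
    if (bad != 0)
        fprintf(stderr,
            "REDZONE: Buffer overflow detected. %zu bytes corrupted after %p "
            "(%zu bytes allocated).\n", bad, ptr, h->len);
    free(h);
    return bad;
}

/* Allocate len bytes, deliberately write `overrun` bytes past the end, and
 * return what rz_free() reports. overrun is capped at RZ_SIZE so the toy never
 * damages the real heap behind the guard; a real bug has no such cap. */
size_t demo_overflow(size_t len, size_t overrun)
{
    if (overrun > RZ_SIZE)
        return (size_t)-1;
    unsigned char *buf = rz_malloc(len);
    if (buf == NULL)
        return (size_t)-1;
    memset(buf, 0, len + overrun);       /* the bug: writes past buf[len-1] */
    return rz_free(buf);
}

int main(void)
{
    /* Same sizes as the quoted report: 2237000-byte allocation, 16 bytes over. */
    size_t bad = demo_overflow(2237000, 16);
    printf("corrupted guard bytes: %zu\n", bad);
    return bad == 16 ? 0 : 1;
}
```

The detector only fires at free time and only for writes that land inside the guard, so an overrun larger than the guard, or one that is never freed, goes unreported; that is the caveat to keep in mind when a red-zone report and the faulting write are far apart in the backtraces, as they are above.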



