Date: Mon, 8 Oct 2007 08:26:40 GMT
From: Vladimir Ermakov <samflanker@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/117010: [linuxolator] linux_getdents() get something like buffer overflow or else
Message-ID: <200710080826.l988QeJg046386@www.freebsd.org>
Resent-Message-ID: <200710080830.l988U2lJ074102@freefall.freebsd.org>
>Number:         117010
>Category:       kern
>Synopsis:       [linuxolator] linux_getdents() get something like buffer overflow or else
>Confidential:   no
>Severity:       critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Oct 08 08:30:01 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Vladimir Ermakov
>Release:        7.0-CURRENT
>Organization:
_
>Environment:
uname -a
FreeBSD damask 7.0-CURRENT FreeBSD 7.0-CURRENT #0: Wed Sep 12 17:04:55 SAMST 2007     root at localhost:/usr/obj/usr/src/sys/CS2  i386
>Description:
# su hlds -c "ktrace -i ./hlds_run -game cstrike +ip 0.0.0.0 +port 27015 +map de_dust -debug"
Auto detecting CPU
Using Pentium II Optimised binary.
Enabling debug mode
Auto-restarting the server on crash
Console initialized.
scandir failed:/usr/home/hlds/1.6/./platform/SAVE
Protocol version 47
Exe version 1.1.2.5/Stdio (cstrike)
Exe build: 20:02:49 Oct 24 2006 (3651)
STEAM Auth Server
couldn't exec language.cfg
Server IP address 0.0.0.0:27015
scandir failed:/usr/home/hlds/1.6/./platform/SAVE
*** glibc detected *** ./hlds_i686: double free or corruption (!prev): 0x08da3738 ***
======= Backtrace: =========
/lib/libc.so.6[0x2811ac88]
/lib/libc.so.6(cfree+0x90)[0x2811e230]
/lib/libc.so.6(closedir+0x28)[0x2813ecf8]
/lib/libc.so.6(scandir+0x14b)[0x2813f21b]
/usr/home/hlds/1.6/filesystem_stdio_i386.so(findFileInDirCaseInsensitive__FPCc+0xe4)[0x28af41d8]
/usr/home/hlds/1.6/filesystem_stdio_i386.so(FS_stat__17CFileSystem_StdioPCcP4stat+0x40)[0x28af861c]
/usr/home/hlds/1.6/filesystem_stdio_i386.so(FastFindFileSize__15CBaseFileSystemPCQ215CBaseFileSystem11CSearchPathPCc+0x17e)[0x28af572a]
/usr/home/hlds/1.6/filesystem_stdio_i386.so(Size__15CBaseFileSystemPCc+0x5b)[0x28af557b]
/usr/home/hlds/1.6/engine_i686.so(FS_FileSize+0x2a)[0x2828679e]
======= Memory map: ========
08048000-08054000 r-xp 0003a000 00:00 1931338    /usr/home/hlds/1.6/hlds_i686
08054000-0805b000 rw-p 0003a000 00:00 1931338    /usr/home/hlds/1.6/hlds_i686
0805b000-0805e000 rw-p 00d60000 00:00 0
0805e000-08dbb000 rwxp 00d60000 00:00 0
28054000-2806d000 r-xp 0001e000 00:00 1719480    /usr/compat/linux/lib/ld-2.5.so
2806d000-2806e000 r-xp 0001e000 00:00 1719480    /usr/compat/linux/lib/ld-2.5.so
2806e000-2806f000 rw-p 00002000 00:00 0
2806f000-28070000 rwxp 00002000 00:00 0
28071000-28073000 r-xp 00004000 00:00 1719493    /usr/compat/linux/lib/libdl-2.5.so
28073000-28074000 r-xp 00004000 00:00 1719493    /usr/compat/linux/lib/libdl-2.5.so
28074000-28075000 rwxp 00004000 00:00 1719493    /usr/compat/linux/lib/libdl-2.5.so
28075000-28076000 rwxp 00001000 00:00 0
28076000-28088000 r-xp 0001e000 00:00 1719511    /usr/compat/linux/lib/libpthread-2.5.so
28088000-28089000 r-xp 0001e000 00:00 1719511    /usr/compat/linux/lib/libpthread-2.5.so
28089000-2808a000 rwxp 0001e000 00:00 1719511    /usr/compat/linux
Abort trap (core dumped)
debug.cmds:1: Error in sourced command file:
Previous frame inner to this frame (corrupt stack?)
email debug.log to linux at valvesoftware.com
Wed Sep 12 20:27:04 SAMST 2007: Server restart in 10 seconds
Wed Sep 12 20:27:06 SAMST 2007: Server Quit
#
===================================================
# uname -a
FreeBSD damask 7.0-CURRENT FreeBSD 7.0-CURRENT #0: Wed Sep 12 17:04:55 SAMST 2007     root at localhost:/usr/obj/usr/src/sys/CS2  i386
# sysctl compat
compat.linux.oss_version: 198144
compat.linux.osrelease: 2.6.16
compat.linux.osname: Linux
# kldstat
Id Refs Address    Size     Name
 1   14 0xc0400000 3e6ee0   kernel
 2    1 0xc07e7000 69514    acpi.ko
 3    1 0xc3ddd000 7000     linprocfs.ko
 4    2 0xc3de4000 21000    linux.ko
 5    1 0xc3e0e000 3000     linsysfs.ko
# mount|grep linux
linprocfs on /usr/compat/linux/proc (linprocfs, local)
linsysfs on /usr/compat/linux/sys (linsysfs, local)
# pkg_info | grep linux
linux_base-fc6-6_3  Base set of packages needed in Linux mode (for i386/amd64)

[private links to debug.log & ktrace.out]
Please send me a message after downloading these files (so I can remove them).

For the full description see these threads:
http://lists.freebsd.org/pipermail/freebsd-emulation/2007-August/003918.html
http://lists.freebsd.org/pipermail/freebsd-emulation/2007-September/003960.html
http://lists.freebsd.org/pipermail/freebsd-emulation/2007-September/004024.html

===========================================================================
On Thu, 13 Sep 2007 16:39:49 +0400 Boris Samorodov wrote:

> Just to note once more, that is for CURRENT and
> linux_base-fc6/2.6.16:
>
> Here is the relevant kdump:
>
> ftp://ftp.ipt.ru/pub/linux/hldc.kdump.txt
> And the corresponding dump for linux_base-fc4/2.6.16 (which works
> fine):
> ftp://ftp.ipt.ru/pub/linux/fc4.dump.txt
> You may easily notice the difference if you open those URLs in two tabs
> within your browser. ;-)

Some more info. If cstrike/sound/weapons is moved (e.g. renamed) the server loads fine. I've done an RTFS and seen that linux_getdents and linux_getdents64 use different data structures. linux_base-fc4 uses linux_getdents64 here and succeeds, while linux_base-fc6 does quite the opposite. The directory cstrike/sound/weapons is the largest (165 files); other directories are way smaller. Seems that linux_getdents() gets something like a buffer overflow or else.

BTW, why does linux_base-fc6 use linux_getdents everywhere while linux_base-fc4 uses linux_getdents64?

WBR
--
Boris Samorodov (bsam)
Research Engineer, http://www.ipt.ru Telephone & Internet SP
FreeBSD committer, http://www.FreeBSD.org The Power To Serve

http://lists.freebsd.org/pipermail/freebsd-emulation/2007-September/003965.html
>How-To-Repeat:
Install a Counter-Strike 1.6 server on FreeBSD; instructions: http://weec.ovl.ru/csdivision/index.php?topic=552.0
# su games -c "./hlds_run -game cstrike +ip 0.0.0.0 +port 27015 +map de_dust"
>Fix:
_
>Release-Note:
>Audit-Trail:
>Unformatted:
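The point Boris's note turns on is that getdents-style syscalls hand back a stream of variable-length records whose only framing is each record's own d_reclen: the kernel (or the emulator's linux_getdents64() standing in for it) must stop filling the caller's buffer when the next record would not fit, and a consumer such as glibc's readdir()/scandir() must not follow a d_reclen that points past the bytes actually returned. The following is an added example, not code from the PR, from FreeBSD or from glibc: a packer that models the kernel side and a walker that models the consumer side, both bounds-checked. The struct linux_dirent64 layout is assumed from the Linux ABI (the PR does not show it); the 165 four-character file names and the 4 KiB / 1 KiB buffer sizes are constructed inputs, the PR supplying only the file count.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Record layout returned by Linux getdents64(2).  Assumed from the Linux
 * ABI for this example; the PR itself does not spell it out. */
struct linux_dirent64 {
    uint64_t d_ino;
    int64_t  d_off;
    uint16_t d_reclen;   /* total size of this record, padding included */
    uint8_t  d_type;
    char     d_name[];   /* NUL-terminated, padded so d_reclen is a multiple of 8 */
};

#define DIRENT64_HDR offsetof(struct linux_dirent64, d_name)   /* 19 bytes */

/* Size the kernel assigns to a record carrying a name of namelen bytes. */
static size_t dirent64_reclen(size_t namelen)
{
    return (DIRENT64_HDR + namelen + 1 + 7) & ~(size_t)7;
}

/* Kernel side: append records to buf (capacity cap) until the next one
 * would not fit, then stop.  Returns bytes written; *consumed gets the
 * number of names placed, so the caller can ask again for the rest. */
size_t pack_dirent64(char *buf, size_t cap, const char *const *names,
                     size_t nnames, size_t *consumed)
{
    size_t pos = 0, i;
    for (i = 0; i < nnames; i++) {
        size_t namelen = strlen(names[i]);
        size_t reclen = dirent64_reclen(namelen);
        if (reclen > cap - pos)
            break;                          /* buffer full: stop, never overrun */
        struct linux_dirent64 hdr;
        memset(&hdr, 0, sizeof hdr);
        hdr.d_ino = (uint64_t)i + 1;        /* constructed inode numbers */
        hdr.d_off = (int64_t)(pos + reclen);
        hdr.d_reclen = (uint16_t)reclen;
        hdr.d_type = 8;                     /* DT_REG */
        memset(buf + pos, 0, reclen);
        memcpy(buf + pos, &hdr, DIRENT64_HDR);
        memcpy(buf + pos + DIRENT64_HDR, names[i], namelen + 1);
        pos += reclen;
    }
    if (consumed)
        *consumed = i;
    return pos;
}

/* Consumer side: walk nbytes of returned records trusting only d_reclen.
 * Returns the entry count, or -1 at the first malformed record: a
 * d_reclen no larger than the fixed header, one that runs past the bytes
 * returned, or a name with no NUL inside its own record. */
int walk_dirent64(const char *buf, size_t nbytes,
                  void (*cb)(const char *name, void *ctx), void *ctx)
{
    size_t pos = 0;
    int n = 0;
    while (pos < nbytes) {
        uint16_t reclen;
        if (nbytes - pos < DIRENT64_HDR)
            return -1;
        memcpy(&reclen, buf + pos + offsetof(struct linux_dirent64, d_reclen),
               sizeof reclen);
        if (reclen <= DIRENT64_HDR || reclen > nbytes - pos)
            return -1;
        const char *name = buf + pos + DIRENT64_HDR;
        if (memchr(name, '\0', reclen - DIRENT64_HDR) == NULL)
            return -1;
        if (cb)
            cb(name, ctx);
        pos += reclen;
        n++;
    }
    return n;
}

/* Constructed scenario after the PR: 165 short names (w000..w164, made up
 * here) offered a buffer of cap bytes.  Returns how many entries a
 * correct consumer sees from the first call. */
int demo_entries_seen(size_t cap)
{
    enum { NFILES = 165 };
    static char namebuf[NFILES][8];
    const char *names[NFILES];
    char buf[4096];
    size_t consumed;
    for (int i = 0; i < NFILES; i++) {
        snprintf(namebuf[i], sizeof namebuf[i], "w%03d", i);
        names[i] = namebuf[i];
    }
    if (cap > sizeof buf)
        cap = sizeof buf;
    size_t n = pack_dirent64(buf, cap, names, NFILES, &consumed);
    return walk_dirent64(buf, n, NULL, NULL);
}

/* Same machinery with the first record's d_reclen corrupted to point past
 * the returned bytes; the walker must report -1 rather than read on. */
int demo_corrupt_reclen(void)
{
    const char *names[] = { "a.wav", "bb.wav", "ccc.wav" };   /* constructed */
    char buf[256];
    size_t n = pack_dirent64(buf, sizeof buf, names, 3, NULL);
    uint16_t bad = 0xFFFF;
    memcpy(buf + offsetof(struct linux_dirent64, d_reclen), &bad, sizeof bad);
    return walk_dirent64(buf, n, NULL, NULL);
}

int main(void)
{
    printf("4096-byte buffer: %d entries\n", demo_entries_seen(4096));
    printf("1024-byte buffer: %d entries\n", demo_entries_seen(1024));
    printf("corrupted d_reclen: %d\n", demo_corrupt_reclen());
    return 0;
}
```

With the 4 KiB buffer all 165 constructed entries fit in one call; with 1 KiB the packer stops at 42 and the caller has to call again, which is the normal getdents contract rather than an error. Corrupting one d_reclen makes walk_dirent64() return -1 instead of stepping past the buffer; a consumer without that check is the kind of thing that later shows up as heap corruption inside scandir()/closedir(), as in the backtrace above, without proving what the emulator actually did here.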