Re: redzone catching a buffer overflow in swapoff_one

From: Mark Millard <marklmi_at_yahoo.com>
Date: Mon, 3 Sep 2018 13:09:39 -0700
Shawn Webb shawn.webb at hardenedbsd.org wrote on
Mon Sep 3 17:41:17 UTC 2018 :

> I'm unsure whether this is a false positive or true positive, but it
> looks like there may be a buffer overflow in swapoff_one:
> 
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] REDZONE: Buffer overflow detected. 16 bytes corrupted after 0xfffffe1fe0023248 (2237000 bytes allocated).
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] Allocation backtrace:
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #0 0xffffffff80e188e1 at redzone_setup+0xe1
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #1 0xffffffff80ac8007 at malloc+0x1d7
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #2 0xffffffff80b1f449 at blist_create+0x99
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #3 0xffffffff80e1daa7 at swaponsomething+0xe7
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #4 0xffffffff80e1c233 at sys_swapon+0x413
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #5 0xffffffff80fc0e5e at amd64_syscall+0x29e
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #6 0xffffffff80f9dc9d at fast_syscall_common+0x101
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] Free backtrace:
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #0 0xffffffff80e18c28 at redzone_check+0x2f8
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #1 0xffffffff80ac85af at free_dbg+0x5f
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #2 0xffffffff80ac84aa at free+0x1a
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #3 0xffffffff80e1cae5 at swapoff_one+0x675
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #4 0xffffffff80e1cc57 at swapoff_all+0xd7
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #5 0xffffffff80b9991a at bufshutdown+0x2ca
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #6 0xffffffff80aec36e at kern_reboot+0x21e
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #7 0xffffffff80aec0f9 at sys_reboot+0x3a9
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #8 0xffffffff80fc0e5e at amd64_syscall+0x29e
> Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #9 0xffffffff80f9dc9d at fast_syscall_common+0x101

See:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231116

for "Out of bounds memory access in blist_create()" with
a Mark Johnston patch in Comment #2.

===
Mark Millard
marklmi at yahoo.com
( dsl-only.net went
away in early 2018-Mar)
Received on Mon Sep 03 2018 - 18:09:45 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:18 UTC