Re: svn commit: r360233 - in head: contrib/jemalloc . . . : This partially breaks a 2-socket 32-bit powerpc (old PowerMac G4) based on head -r360311

[This report just shows an interesting rpcbind crash:
a pointer was filled with part of a string instead,
leading to a failed memory access attempt from the junk
address produced.]

Core was generated by `/usr/sbin/rpcbind'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x5024405c in rendezvous_request (xprt=<optimized out>, msg=<optimized out>) at /usr/src/lib/libc/rpc/svc_vc.c:335
335		cd->recvsize = r->recvsize;

(gdb) list
330			_setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, &len, sizeof (len));
331		}
332	
333		cd = (struct cf_conn *)newxprt->xp_p1;
334	
335		cd->recvsize = r->recvsize;
336		cd->sendsize = r->sendsize;
337		cd->maxrec = r->maxrec;
338	
339		if (cd->maxrec != 0) {

(gdb) print/c *cd
Cannot access memory at address 0x2d202020

FYI:

. . .
   0x50244050 <+452>:	bl      0x502e3404 <00000000.plt_pic32._setsockopt>
   0x50244054 <+456>:	lwz     r27,80(r29)
   0x50244058 <+460>:	lwz     r3,4(r24)
=> 0x5024405c <+464>:	stw     r3,436(r27)

Note the 80(r29) use.

(gdb) info reg
r0             0x50244020          1344552992
r1             0xffffb400          4294947840
r2             0x500a1018          1342836760
r3             0x2328              9000
r4             0x32ef559c          854545820
r5             0x0                 0
r6             0xffffb360          4294947680
r7             0xffffb364          4294947684
r8             0x5004733c          1342468924
r9             0x0                 0
r10            0x20                32
r11            0x50252ea0          1344614048
r12            0x24200ca0          606080160
r13            0x0                 0
r14            0x0                 0
r15            0xffffbc28          4294949928
r16            0x10002848          268445768
r17            0x10040000          268697600
r18            0x2                 2
r19            0x0                 0
r20            0x1                 1
r21            0x5004c044          1342488644
r22            0xffffb63c          4294948412
r23            0x80                128
r24            0x50048010          1342472208
r25            0x14                20
r26            0xffffb630          4294948400
r27            0x2d202020          757080096
r28            0xf                 15
r29            0x50047308          1342468872
r30            0x5030112c          1345327404
r31            0x10040000          268697600
pc             0x5024405c          0x5024405c <rendezvous_request+464>
msr            <unavailable>
cr             0x842000a0          2216689824
lr             0x50244020          0x50244020 <rendezvous_request+404>
ctr            0x50252ea0          1344614048
xer            0x0                 0
fpscr          0x0                 0
vscr           <unavailable>
vrsave         <unavailable>

(gdb) x/s 0x50047308+72
0x50047350:	" -      -       -\n"

So it tried to use "-   " as a pointer value.

It appears that the r29 value was from:

   0x50243f90 <+260>:	mr      r28,r3
   0x50243f94 <+264>:	lwz     r4,0(r24)
   0x50243f98 <+268>:	lwz     r5,4(r24)
   0x50243f9c <+272>:	mr      r3,r28
   0x50243fa0 <+276>:	bl      0x5024308c <makefd_xprt>
   0x50243fa4 <+280>:	lwz     r27,36(r1)
   0x50243fa8 <+284>:	mr      r29,r3

The makefd_xprt being used as part of:

        /*
         * make a new transporter (re-uses xprt)
         */
        newxprt = makefd_xprt(sock, r->sendsize, r->recvsize);
        newxprt->xp_rtaddr.buf = mem_alloc(len);
        if (newxprt->xp_rtaddr.buf == NULL)
                return (FALSE);
        memcpy(newxprt->xp_rtaddr.buf, &addr, len);
        newxprt->xp_rtaddr.len = len;
#ifdef PORTMAP
        if (addr.ss_family == AF_INET || addr.ss_family == AF_LOCAL) {
                newxprt->xp_raddr = *(struct sockaddr_in *)newxprt->xp_rtaddr.buf;
                newxprt->xp_addrlen = sizeof (struct sockaddr_in);
        }
#endif                          /* PORTMAP */
        if (__rpc_fd2sockinfo(sock, &si) && si.si_proto == IPPROTO_TCP) {
                len = 1;
                /* XXX fvdl - is this useful? */
                _setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, &len, sizeof (len));
        }
 
        cd = (struct cf_conn *)newxprt->xp_p1;
 
        cd->recvsize = r->recvsize;
        cd->sendsize = r->sendsize;
        cd->maxrec = r->maxrec;

FYI:

(gdb) print *r
$5 = {sendsize = 9000, recvsize = 9000, maxrec = 9000}

There is more evidence of strings in pointers in *newxprt
(xp_tp, oa_base, xp_p1, xp_p2, xp_p3):

(gdb) print *newxprt
$7 = {xp_fd = 15, xp_port = 0, xp_ops = 0x50329e1c, xp_addrlen = 16, xp_raddr = {sin_len = 16 '\020', sin_family = 1 '\001', sin_port = 0, sin_addr = {s_addr = 0}, 
    sin_zero = "\000\000\000\000\000\000\000"}, xp_ops2 = 0x756e6978, xp_tp = 0x2020 <error: Cannot access memory at address 0x2020>, 
  xp_netid = 0x10010000 <error: Cannot access memory at address 0x10010000>, xp_ltaddr = {maxlen = 0, len = 0, buf = 0x0}, xp_rtaddr = {maxlen = 539828256, len = 16, buf = 0x50047330}, xp_verf = {
    oa_flavor = 0, oa_base = 0x202d2020 <error: Cannot access memory at address 0x202d2020>, oa_length = 538976288}, xp_p1 = 0x2d202020, xp_p2 = 0x20202020, xp_p3 = 0x2d0a0079, xp_type = 543780384}

(gdb) print (char*)(&newxprt->xp_verf.oa_base)
$24 = 0x50047350 " -      -       -\n"

(gdb) print (char*)(&newxprt->xp_p3)+3
$13 = 0x50047363 "y in FreeBSD.\n"

(gdb) print (char*)(&newxprt->xp_type)
$25 = 0x50047364 " in FreeBSD.\n"



===
Mark Millard
marklmi at yahoo.com
( dsl-only.net went
away in early 2018-Mar)