Bug #12624

closed

add_drv crashes when given many aliases

Added by Andy Fiddaman over 1 year ago. Updated over 1 year ago.

Status: Closed
Priority: High
Category: cmd - userland programs
% Done: 100%
Difficulty: Medium

Description

This is seen when installing the driver/cpu/mc package on OmniOS and Indiana:

Installing new actions                         23/25
driver (imcstub) install failed with return code -11
command run was: /usr/sbin/add_drv -u -i "pci8086,2014,p" "pci8086,2016,p" "pci8086,2024,p" "pci8086,2040,p" "pci8086,2044,p" "pci8086,2048,p" "pci8086,2054,p" "pci8086,2055,p" "pci8086,2066,p" "pci8086,208e,p" "pci8086,2f1e,p" "pci8086,2f1f,p" "pci8086,2f28,p" "pci8086,2f60,p" "pci8086,2f68,p" "pci8086,2f6a,p" "pci8086,2f6b,p" "pci8086,2f6c,p" "pci8086,2f6d,p" "pci8086,2f71,p" "pci8086,2f79,p" "pci8086,2fa0,p" "pci8086,2fa8,p" "pci8086,2faa,p" "pci8086,2fab,p" "pci8086,2fac,p" "pci8086,2fad,p" "pci8086,2ffc,p" "pci8086,2ffd,p" "pci8086,3c71,p" "pci8086,3ca0,p" "pci8086,3ca8,p" "pci8086,3caa,p" "pci8086,3cab,p" "pci8086,3cac,p" "pci8086,3cad,p" "pci8086,3ce0,p" "pci8086,3ce3,p" "pci8086,3cf4,p" "pci8086,3cf5,p" "pci8086,3cf6,p" "pci8086,6f1e,p" "pci8086,6f1f,p" "pci8086,6f28,p" "pci8086,6f60,p" "pci8086,6f68,p" "pci8086,6f6a,p" "pci8086,6f6b,p" "pci8086,6f6c,p" "pci8086,6f6d,p" "pci8086,6f71,p" "pci8086,6f79,p" "pci8086,6fa0,p" "pci8086,6fa8,p" "pci8086,6faa,p" "pci8086,6fab,p" "pci8086,6fac,p" "pci8086,6fad,p" "pci8086,6ffc,p" "pci8086,6ffd,p" "pci8086,e1e,p" "pci8086,e1f,p" "pci8086,e60,p" "pci8086,e68,p" "pci8086,e6a,p" "pci8086,e6b,p" "pci8086,e6c,p" "pci8086,e6d,p" "pci8086,e71,p" "pci8086,e79,p" "pci8086,ea0,p" "pci8086,ea8,p" "pci8086,eaa,p" "pci8086,eab,p" "pci8086,eac,p" "pci8086,ead,p" "pci8086,ec8,p" "pci8086,ec9,p" "pci8086,eca,p" "pciex8086,2014" "pciex8086,2016" "pciex8086,2024" "pciex8086,2040" "pciex8086,2044" "pciex8086,2048" "pciex8086,2054" "pciex8086,2055" "pciex8086,2066" "pciex8086,208e" "pciex8086,2f1e" "pciex8086,2f1f" "pciex8086,2f28" "pciex8086,2f60" "pciex8086,2f68" "pciex8086,2f6a" "pciex8086,2f6b" "pciex8086,2f6c" "pciex8086,2f6d" "pciex8086,2f71" "pciex8086,2f79" "pciex8086,2fa0" "pciex8086,2fa8" "pciex8086,2faa" "pciex8086,2fab" "pciex8086,2fac" "pciex8086,2fad" "pciex8086,2ffc" "pciex8086,2ffd" "pciex8086,3c71" "pciex8086,3ca0" "pciex8086,3ca8" "pciex8086,3caa" "pciex8086,3cab" "pciex8086,3cac" "pciex8086,3cad" "pciex8086,3ce0" 
"pciex8086,3ce3" "pciex8086,3cf4" "pciex8086,3cf5" "pciex8086,3cf6" "pciex8086,6f1e" "pciex8086,6f1f" "pciex8086,6f28" "pciex8086,6f60" "pciex8086,6f68" "pciex8086,6f6a" "pciex8086,6f6b" "pciex8086,6f6c" "pciex8086,6f6d" "pciex8086,6f71" "pciex8086,6f79" "pciex8086,6fa0" "pciex8086,6fa8" "pciex8086,6faa" "pciex8086,6fab" "pciex8086,6fac" "pciex8086,6fad" "pciex8086,6ffc" "pciex8086,6ffd" "pciex8086,e1e" "pciex8086,e1f" "pciex8086,e60" "pciex8086,e68" "pciex8086,e6a" "pciex8086,e6b" "pciex8086,e6c" "pciex8086,e6d" "pciex8086,e71" "pciex8086,e79" "pciex8086,ea0" "pciex8086,ea8" "pciex8086,eaa" "pciex8086,eab" "pciex8086,eac" "pciex8086,ead" "pciex8086,ec8" "pciex8086,ec9" "pciex8086,eca" imcstub

This is a segmentation fault in exec_devfsadm() which assumes that the final command line to drvconfig will have fewer than MAX_CMD_LINE (256) parameters. This is a buffer overflow in that function.


Related issues

Related to illumos gate - Bug #12625: modload tools should be smatch and gcc warning clean (Closed, Andy Fiddaman)

Actions #1

Updated by Andy Fiddaman over 1 year ago

Testing my changes shows that drvconfig is being called twice now with a smaller number of arguments:

15186/1:        execve("amd64/add_drv", 0xFFFFFC7FFFDFAF78, 0xFFFFFC7FFFDFAFA8)  argc = 5
15186/1:         argv: ./amd64/add_drv -u -i
15186/1:          "pci8086,2014,p" "pci8086,2016,p" "pci8086,2024,p" "pci8086,2040,p" "pci8086,2044,p" "pci8086,2048,p" "pci8086,2054,p" "pci8086,2055,p" "pci8086,2066,p" "pci8086,208e,p" "pci8086,2f1e,p" "pci8086,2f1f,p" "pci8086,2f28,p" "pci8086,2f60,p" "pci8086,2f68,p" "pci8086,2f6a,p" "pci8086,2f6b,p" "pci8086,2f6c,p" "pci8086,2f6d,p" "pci8086,2f71,p" "pci8086,2f79,p" "pci8086,2fa0,p" "pci8086,2fa8,p" "pci8086,2faa,p" "pci8086,2fab,p" "pci8086,2fac,p" "pci8086,2fad,p" "pci8086,2ffc,p" "pci8086,2ffd,p" "pci8086,3c71,p" "pci8086,3ca0,p" "pci8086,3ca8,p" "pci8086,3caa,p" "pci8086,3cab,p" "pci8086,3cac,p" "pci8086,3cad,p" "pci8086,3ce0,p" "pci8086,3ce3,p" "pci8086,3cf4,p" "pci8086,3cf5,p" "pci8086,3cf6,p" "pci8086,6f1e,p" "pci8086,6f1f,p" "pci8086,6f28,p" "pci8086,6f60,p" "pci8086,6f68,p" "pci8086,6f6a,p" "pci8086,6f6b,p" "pci8086,6f6c,p" "pci8086,6f6d,p" "pci8086,6f71,p" "pci8086,6f79,p" "pci8086,6fa0,p" "pci8086,6fa8,p" "pci8086,6faa,p" "pci8086,6fab,p" "pci8086,6fac,p" "pci8086,6fad,p" "pci8086,6ffc,p" "pci8086,6ffd,p" "pci
15186/1:          imcstub

15187/1:        execve("/usr/sbin/drvconfig", 0xFFFFFC7FFFDF9DE0, 0xFFFFFC7FFFDFAFA8)  argc = 253
15187/1:         argv: drvconfig -b -i imcstub -m 273 -x -a "pci8086,2014,p" -a
15187/1:          "pci8086,2016,p" -a "pci8086,2024,p" -a "pci8086,2040,p" -a
15187/1:          "pci8086,2044,p" -a "pci8086,2048,p" -a "pci8086,2054,p" -a
15187/1:          "pci8086,2055,p" -a "pci8086,2066,p" -a "pci8086,208e,p" -a
15187/1:          "pci8086,2f1e,p" -a "pci8086,2f1f,p" -a "pci8086,2f28,p" -a
15187/1:          "pci8086,2f60,p" -a "pci8086,2f68,p" -a "pci8086,2f6a,p" -a
15187/1:          "pci8086,2f6b,p" -a "pci8086,2f6c,p" -a "pci8086,2f6d,p" -a
15187/1:          "pci8086,2f71,p" -a "pci8086,2f79,p" -a "pci8086,2fa0,p" -a
15187/1:          "pci8086,2fa8,p" -a "pci8086,2faa,p" -a "pci8086,2fab,p" -a
15187/1:          "pci8086,2fac,p" -a "pci8086,2fad,p" -a "pci8086,2ffc,p" -a
15187/1:          "pci8086,2ffd,p" -a "pci8086,3c71,p" -a "pci8086,3ca0,p" -a
15187/1:          "pci8086,3ca8,p" -a "pci8086,3caa,p" -a "pci8086,3cab,p" -a
15187/1:          "pci8086,3cac,p" -a "pci8086,3cad,p" -a "pci8086,3ce0,p" -a
15187/1:          "pci8086,3ce3,p" -a "pci8086,3cf4,p" -a "pci8086,3cf5,p" -a
15187/1:          "pci8086,3cf6,p" -a "pci8086,6f1e,p" -a "pci8086,6f1f,p" -a
15187/1:          "pci8086,6f28,p" -a "pci8086,6f60,p" -a "pci8086,6f68,p" -a
15187/1:          "pci8086,6f6a,p" -a "pci8086,6f6b,p" -a "pci8086,6f6c,p" -a
15187/1:          "pci8086,6f6d,p" -a "pci8086,6f71,p" -a "pci8086,6f79,p" -a
15187/1:          "pci8086,6fa0,p" -a "pci8086,6fa8,p" -a "pci8086,6faa,p" -a
15187/1:          "pci8086,6fab,p" -a "pci8086,6fac,p" -a "pci8086,6fad,p" -a
15187/1:          "pci8086,6ffc,p" -a "pci8086,6ffd,p" -a "pci8086,e1e,p" -a
15187/1:          "pci8086,e1f,p" -a "pci8086,e60,p" -a "pci8086,e68,p" -a
15187/1:          "pci8086,e6a,p" -a "pci8086,e6b,p" -a "pci8086,e6c,p" -a
15187/1:          "pci8086,e6d,p" -a "pci8086,e71,p" -a "pci8086,e79,p" -a
15187/1:          "pci8086,ea0,p" -a "pci8086,ea8,p" -a "pci8086,eaa,p" -a
15187/1:          "pci8086,eab,p" -a "pci8086,eac,p" -a "pci8086,ead,p" -a
15187/1:          "pci8086,ec8,p" -a "pci8086,ec9,p" -a "pci8086,eca,p" -a
15187/1:          "pciex8086,2014" -a "pciex8086,2016" -a "pciex8086,2024" -a
15187/1:          "pciex8086,2040" -a "pciex8086,2044" -a "pciex8086,2048" -a
15187/1:          "pciex8086,2054" -a "pciex8086,2055" -a "pciex8086,2066" -a
15187/1:          "pciex8086,208e" -a "pciex8086,2f1e" -a "pciex8086,2f1f" -a
15187/1:          "pciex8086,2f28" -a "pciex8086,2f60" -a "pciex8086,2f68" -a
15187/1:          "pciex8086,2f6a" -a "pciex8086,2f6b" -a "pciex8086,2f6c" -a
15187/1:          "pciex8086,2f6d" -a "pciex8086,2f71" -a "pciex8086,2f79" -a
15187/1:          "pciex8086,2fa0" -a "pciex8086,2fa8" -a "pciex8086,2faa" -a
15187/1:          "pciex8086,2fab" -a "pciex8086,2fac" -a "pciex8086,2fad" -a
15187/1:          "pciex8086,2ffc" -a "pciex8086,2ffd" -a "pciex8086,3c71" -a
15187/1:          "pciex8086,3ca0" -a "pciex8086,3ca8" -a "pciex8086,3caa" -a
15187/1:          "pciex8086,3cab" -a "pciex8086,3cac" -a "pciex8086,3cad" -a
15187/1:          "pciex8086,3ce0" -a "pciex8086,3ce3" -a "pciex8086,3cf4" -a
15187/1:          "pciex8086,3cf5" -a "pciex8086,3cf6" -a "pciex8086,6f1e" -a
15187/1:          "pciex8086,6f1f" -a "pciex8086,6f28" 

15189/1:        execve("/usr/sbin/drvconfig", 0xFFFFFC7FFFDF9DE0, 0xFFFFFC7FFFDFAFA8)  argc = 77
15189/1:         argv: drvconfig -b -i imcstub -m 273 -x -a "pciex8086,6f60" -a
15189/1:          "pciex8086,6f68" -a "pciex8086,6f6a" -a "pciex8086,6f6b" -a
15189/1:          "pciex8086,6f6c" -a "pciex8086,6f6d" -a "pciex8086,6f71" -a
15189/1:          "pciex8086,6f79" -a "pciex8086,6fa0" -a "pciex8086,6fa8" -a
15189/1:          "pciex8086,6faa" -a "pciex8086,6fab" -a "pciex8086,6fac" -a
15189/1:          "pciex8086,6fad" -a "pciex8086,6ffc" -a "pciex8086,6ffd" -a
15189/1:          "pciex8086,e1e" -a "pciex8086,e1f" -a "pciex8086,e60" -a
15189/1:          "pciex8086,e68" -a "pciex8086,e6a" -a "pciex8086,e6b" -a
15189/1:          "pciex8086,e6c" -a "pciex8086,e6d" -a "pciex8086,e71" -a
15189/1:          "pciex8086,e79" -a "pciex8086,ea0" -a "pciex8086,ea8" -a
15189/1:          "pciex8086,eaa" -a "pciex8086,eab" -a "pciex8086,eac" -a
15189/1:          "pciex8086,ead" -a "pciex8086,ec8" -a "pciex8086,ec9" -a
15189/1:          "pciex8086,eca" 

Also checked for leaks in this code path - there were several before.

bloody:illumos:master# LD_PRELOAD=/usr/lib/amd64/libumem.so UMEM_DEBUG=default /usr/bin/amd64/mdb ./amd64/add_drv
> ::bp exit
> ::run  -u -i '"pci8086,2014,p" "pci8086,2016,p" "pci8086,2024,p" "pci8086,2040,p" "pci8086,2044,p" "pci8086,2048,p" "pci8086,2054,p" "pci8086,2055,p" "pci8086,2066,p" "pci8086,208e,p" "pci8086,2f1e,p" "pci8086,2f1f,p" "pci8086,2f28,p" "pci8086,2f60,p" "pci8086,2f68,p" "pci8086,2f6a,p" "pci8086,2f6b,p" "pci8086,2f6c,p" "pci8086,2f6d,p" "pci8086,2f71,p" "pci8086,2f79,p" "pci8086,2fa0,p" "pci8086,2fa8,p" "pci8086,2faa,p" "pci8086,2fab,p" "pci8086,2fac,p" "pci8086,2fad,p" "pci8086,2ffc,p" "pci8086,2ffd,p" "pci8086,3c71,p" "pci8086,3ca0,p" "pci8086,3ca8,p" "pci8086,3caa,p" "pci8086,3cab,p" "pci8086,3cac,p" "pci8086,3cad,p" "pci8086,3ce0,p" "pci8086,3ce3,p" "pci8086,3cf4,p" "pci8086,3cf5,p" "pci8086,3cf6,p" "pci8086,6f1e,p" "pci8086,6f1f,p" "pci8086,6f28,p" "pci8086,6f60,p" "pci8086,6f68,p" "pci8086,6f6a,p" "pci8086,6f6b,p" "pci8086,6f6c,p" "pci8086,6f6d,p" "pci8086,6f71,p" "pci8086,6f79,p" "pci8086,6fa0,p" "pci8086,6fa8,p" "pci8086,6faa,p" "pci8086,6fab,p" "pci8086,6fac,p" "pci8086,6fad,p"' imcstub
mdb: forksys detected: follow (p)arent or (c)hild? p
mdb: target forked child process 15098 (debugger following parent)
ld.so.1: drvconfig: fatal: /usr/lib/amd64/libumem.so: wrong ELF class: ELFCLASS64
System updated but imcstub driver not yet configured.
mdb: stop at exit
mdb: target stopped at:
libc.so.1`exit: pushq  %rbp
mdb: You've got symbols!
Loading modules: [ ld.so.1 libumem.so.1 libc.so.1 ]
> ::umem_status
Status:         ready and active
Concurrency:    32
Logs:           (inactive)
Message buffer:

> ::findleaks
findleaks: no memory leaks detected
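
The overflow from the description and the batching visible in the trace above, as an added sketch that is not the illumos change itself: an argv array of MAX_CMD_LINE slots is filled with a bounds check before every `-a alias` pair, and a new command is started when the next pair plus the NULL terminator would not fit. The names `run_in_batches`, `record` and `demo` are hypothetical, the aliases are placeholders, and the split point (255 then 75 for 158 aliases) differs from the 253/77 split in the trace.

```c
#include <stddef.h>
#define MAX_CMD_LINE 256    /* argv slots, the limit named in the report */
static int max_argc;        /* largest argc seen by record() */
/* Hypothetical stand-in for the fork()/exec() of drvconfig. */
static int record(char *const argv[], int argc)
{
    (void)argv;
    max_argc = argc > max_argc ? argc : max_argc;
    return 0;
}

/* Runs "prefix -a alias ..." commands, each within MAX_CMD_LINE slots
 * including the NULL. Returns the number of commands run, or -1. */
int run_in_batches(char *const prefix[], int nprefix, char *const aliases[],
    int naliases, int (*run)(char *const argv[], int argc))
{
    char *argv[MAX_CMD_LINE];
    int batches = 0, done = 0;
    /* The prefix, one "-a alias" pair and the NULL must fit. */
    if (nprefix < 1 || naliases < 0 || nprefix + 3 > MAX_CMD_LINE)
        return -1;
    do {
        int n = 0;
        for (; n < nprefix; n++)
            argv[n] = prefix[n];
        /* Checked before every pair: two slots plus the NULL. */
        while (done < naliases && n + 3 <= MAX_CMD_LINE) {
            argv[n++] = "-a";
            argv[n++] = aliases[done++];
        }
        argv[n] = NULL;
        if (run(argv, n) != 0)
            return -1;
        batches++;
    } while (done < naliases);
    return batches;
}

/* Constructed input: 7-word prefix as in the trace, placeholder aliases. */
int demo(int naliases)
{
    static char *prefix[] = { "drvconfig", "-b", "-i", "imcstub", "-m", "273", "-x" };
    static char *aliases[1024];
    for (int i = 0; i < naliases && i < 1024; i++)
        aliases[i] = "pciex8086,0000";
    max_argc = 0;
    return run_in_batches(prefix, 7, aliases, naliases > 1024 ? -1 : naliases, record);
}

int main(void) { return demo(158) == 2 ? 0 : 1; }
```

Without the `n + 3 <= MAX_CMD_LINE` check, 158 aliases behind a 7-word prefix would need 324 slots and write past the end of `argv`.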

Actions #2

Updated by Andy Fiddaman over 1 year ago

Also that the right number of entries ends up in driver aliases

# grep -c imcstub /etc/driver_aliases
158

Actions #4

Updated by Andy Fiddaman over 1 year ago

ptribble pointed out on IRC that the e1000g driver has even more aliases.
I tested uninstalling and re-installing it and it exhibited the same problem.

This has not been seen before, however, since e1000g is part of the base system for both OmniOS and OpenIndiana and is installed initially in an alternate root, without add_drv being called (thanks toasterson for the hint there).

Actions #5

Updated by Dan McDonald over 1 year ago

  • Related to Bug #12625: modload tools should be smatch and gcc warning clean added

Actions #6

Updated by Electric Monk over 1 year ago

  • Status changed from In Progress to Closed
  • % Done changed from 0 to 100

git commit e4a991eb9ba3d449515f2fe5f9f2a9e1c33ca0fd

commit  e4a991eb9ba3d449515f2fe5f9f2a9e1c33ca0fd
Author: Andy Fiddaman <omnios@citrus-it.co.uk>
Date:   2020-04-29T16:10:01.000Z

    12624 add_drv crashes when given many aliases
    12625 modload tools should be smatch and gcc warning clean
    Reviewed by: John Levon <john.levon@joyent.com>
    Reviewed by: Dominik Hassler <hadfl@omniosce.org>
    Approved by: Dan McDonald <danmcd@joyent.com>
