Bug #12624
add_drv crashes when given many aliases
Description
This is seen when installing the driver/cpu/mc
package on OmniOS and Indiana:
Installing new actions 23/25 driver (imcstub) install failed with return code -11 command run was: /usr/sbin/add_drv -u -i "pci8086,2014,p" "pci8086,2016,p" "pci8086,2024,p" "pci8086,2040,p" "pci8086,2044,p" "pci8086,2048,p" "pci8086,2054,p" "pci8086,2055,p" "pci8086,2066,p" "pci8086,208e,p" "pci8086,2f1e,p" "pci8086,2f1f,p" "pci8086,2f28,p" "pci8086,2f60,p" "pci8086,2f68,p" "pci8086,2f6a,p" "pci8086,2f6b,p" "pci8086,2f6c,p" "pci8086,2f6d,p" "pci8086,2f71,p" "pci8086,2f79,p" "pci8086,2fa0,p" "pci8086,2fa8,p" "pci8086,2faa,p" "pci8086,2fab,p" "pci8086,2fac,p" "pci8086,2fad,p" "pci8086,2ffc,p" "pci8086,2ffd,p" "pci8086,3c71,p" "pci8086,3ca0,p" "pci8086,3ca8,p" "pci8086,3caa,p" "pci8086,3cab,p" "pci8086,3cac,p" "pci8086,3cad,p" "pci8086,3ce0,p" "pci8086,3ce3,p" "pci8086,3cf4,p" "pci8086,3cf5,p" "pci8086,3cf6,p" "pci8086,6f1e,p" "pci8086,6f1f,p" "pci8086,6f28,p" "pci8086,6f60,p" "pci8086,6f68,p" "pci8086,6f6a,p" "pci8086,6f6b,p" "pci8086,6f6c,p" "pci8086,6f6d,p" "pci8086,6f71,p" "pci8086,6f79,p" "pci8086,6fa0,p" "pci8086,6fa8,p" "pci8086,6faa,p" "pci8086,6fab,p" "pci8086,6fac,p" "pci8086,6fad,p" "pci8086,6ffc,p" "pci8086,6ffd,p" "pci8086,e1e,p" "pci8086,e1f,p" "pci8086,e60,p" "pci8086,e68,p" "pci8086,e6a,p" "pci8086,e6b,p" "pci8086,e6c,p" "pci8086,e6d,p" "pci8086,e71,p" "pci8086,e79,p" "pci8086,ea0,p" "pci8086,ea8,p" "pci8086,eaa,p" "pci8086,eab,p" "pci8086,eac,p" "pci8086,ead,p" "pci8086,ec8,p" "pci8086,ec9,p" "pci8086,eca,p" "pciex8086,2014" "pciex8086,2016" "pciex8086,2024" "pciex8086,2040" "pciex8086,2044" "pciex8086,2048" "pciex8086,2054" "pciex8086,2055" "pciex8086,2066" "pciex8086,208e" "pciex8086,2f1e" "pciex8086,2f1f" "pciex8086,2f28" "pciex8086,2f60" "pciex8086,2f68" "pciex8086,2f6a" "pciex8086,2f6b" "pciex8086,2f6c" "pciex8086,2f6d" "pciex8086,2f71" "pciex8086,2f79" "pciex8086,2fa0" "pciex8086,2fa8" "pciex8086,2faa" "pciex8086,2fab" "pciex8086,2fac" "pciex8086,2fad" "pciex8086,2ffc" "pciex8086,2ffd" "pciex8086,3c71" "pciex8086,3ca0" "pciex8086,3ca8" 
"pciex8086,3caa" "pciex8086,3cab" "pciex8086,3cac" "pciex8086,3cad" "pciex8086,3ce0" "pciex8086,3ce3" "pciex8086,3cf4" "pciex8086,3cf5" "pciex8086,3cf6" "pciex8086,6f1e" "pciex8086,6f1f" "pciex8086,6f28" "pciex8086,6f60" "pciex8086,6f68" "pciex8086,6f6a" "pciex8086,6f6b" "pciex8086,6f6c" "pciex8086,6f6d" "pciex8086,6f71" "pciex8086,6f79" "pciex8086,6fa0" "pciex8086,6fa8" "pciex8086,6faa" "pciex8086,6fab" "pciex8086,6fac" "pciex8086,6fad" "pciex8086,6ffc" "pciex8086,6ffd" "pciex8086,e1e" "pciex8086,e1f" "pciex8086,e60" "pciex8086,e68" "pciex8086,e6a" "pciex8086,e6b" "pciex8086,e6c" "pciex8086,e6d" "pciex8086,e71" "pciex8086,e79" "pciex8086,ea0" "pciex8086,ea8" "pciex8086,eaa" "pciex8086,eab" "pciex8086,eac" "pciex8086,ead" "pciex8086,ec8" "pciex8086,ec9" "pciex8086,eca" imcstub
This is a segmentation fault in exec_devfsadm(), which assumes that the final command line passed to drvconfig will have fewer than MAX_CMD_LINE
(256) parameters. When add_drv is given more aliases than that limit allows, the function writes past the end of its buffer — this is a buffer overflow in that function.
Updated by Andy Fiddaman 9 months ago
Testing my changes shows that drvconfig
is now called twice, each time with a smaller number of arguments:
15186/1: execve("amd64/add_drv", 0xFFFFFC7FFFDFAF78, 0xFFFFFC7FFFDFAFA8) argc = 5 15186/1: argv: ./amd64/add_drv -u -i 15186/1: "pci8086,2014,p" "pci8086,2016,p" "pci8086,2024,p" "pci8086,2040,p" "pci8086,2044,p" "pci8086,2048,p" "pci8086,2054,p" "pci8086,2055,p" "pci8086,2066,p" "pci8086,208e,p" "pci8086,2f1e,p" "pci8086,2f1f,p" "pci8086,2f28,p" "pci8086,2f60,p" "pci8086,2f68,p" "pci8086,2f6a,p" "pci8086,2f6b,p" "pci8086,2f6c,p" "pci8086,2f6d,p" "pci8086,2f71,p" "pci8086,2f79,p" "pci8086,2fa0,p" "pci8086,2fa8,p" "pci8086,2faa,p" "pci8086,2fab,p" "pci8086,2fac,p" "pci8086,2fad,p" "pci8086,2ffc,p" "pci8086,2ffd,p" "pci8086,3c71,p" "pci8086,3ca0,p" "pci8086,3ca8,p" "pci8086,3caa,p" "pci8086,3cab,p" "pci8086,3cac,p" "pci8086,3cad,p" "pci8086,3ce0,p" "pci8086,3ce3,p" "pci8086,3cf4,p" "pci8086,3cf5,p" "pci8086,3cf6,p" "pci8086,6f1e,p" "pci8086,6f1f,p" "pci8086,6f28,p" "pci8086,6f60,p" "pci8086,6f68,p" "pci8086,6f6a,p" "pci8086,6f6b,p" "pci8086,6f6c,p" "pci8086,6f6d,p" "pci8086,6f71,p" "pci8086,6f79,p" "pci8086,6fa0,p" "pci8086,6fa8,p" "pci8086,6faa,p" "pci8086,6fab,p" "pci8086,6fac,p" "pci8086,6fad,p" "pci8086,6ffc,p" "pci8086,6ffd,p" "pci 15186/1: imcstub 15187/1: execve("/usr/sbin/drvconfig", 0xFFFFFC7FFFDF9DE0, 0xFFFFFC7FFFDFAFA8) argc = 253 15187/1: argv: drvconfig -b -i imcstub -m 273 -x -a "pci8086,2014,p" -a 15187/1: "pci8086,2016,p" -a "pci8086,2024,p" -a "pci8086,2040,p" -a 15187/1: "pci8086,2044,p" -a "pci8086,2048,p" -a "pci8086,2054,p" -a 15187/1: "pci8086,2055,p" -a "pci8086,2066,p" -a "pci8086,208e,p" -a 15187/1: "pci8086,2f1e,p" -a "pci8086,2f1f,p" -a "pci8086,2f28,p" -a 15187/1: "pci8086,2f60,p" -a "pci8086,2f68,p" -a "pci8086,2f6a,p" -a 15187/1: "pci8086,2f6b,p" -a "pci8086,2f6c,p" -a "pci8086,2f6d,p" -a 15187/1: "pci8086,2f71,p" -a "pci8086,2f79,p" -a "pci8086,2fa0,p" -a 15187/1: "pci8086,2fa8,p" -a "pci8086,2faa,p" -a "pci8086,2fab,p" -a 15187/1: "pci8086,2fac,p" -a "pci8086,2fad,p" -a "pci8086,2ffc,p" -a 15187/1: "pci8086,2ffd,p" -a "pci8086,3c71,p" 
-a "pci8086,3ca0,p" -a 15187/1: "pci8086,3ca8,p" -a "pci8086,3caa,p" -a "pci8086,3cab,p" -a 15187/1: "pci8086,3cac,p" -a "pci8086,3cad,p" -a "pci8086,3ce0,p" -a 15187/1: "pci8086,3ce3,p" -a "pci8086,3cf4,p" -a "pci8086,3cf5,p" -a 15187/1: "pci8086,3cf6,p" -a "pci8086,6f1e,p" -a "pci8086,6f1f,p" -a 15187/1: "pci8086,6f28,p" -a "pci8086,6f60,p" -a "pci8086,6f68,p" -a 15187/1: "pci8086,6f6a,p" -a "pci8086,6f6b,p" -a "pci8086,6f6c,p" -a 15187/1: "pci8086,6f6d,p" -a "pci8086,6f71,p" -a "pci8086,6f79,p" -a 15187/1: "pci8086,6fa0,p" -a "pci8086,6fa8,p" -a "pci8086,6faa,p" -a 15187/1: "pci8086,6fab,p" -a "pci8086,6fac,p" -a "pci8086,6fad,p" -a 15187/1: "pci8086,6ffc,p" -a "pci8086,6ffd,p" -a "pci8086,e1e,p" -a 15187/1: "pci8086,e1f,p" -a "pci8086,e60,p" -a "pci8086,e68,p" -a 15187/1: "pci8086,e6a,p" -a "pci8086,e6b,p" -a "pci8086,e6c,p" -a 15187/1: "pci8086,e6d,p" -a "pci8086,e71,p" -a "pci8086,e79,p" -a 15187/1: "pci8086,ea0,p" -a "pci8086,ea8,p" -a "pci8086,eaa,p" -a 15187/1: "pci8086,eab,p" -a "pci8086,eac,p" -a "pci8086,ead,p" -a 15187/1: "pci8086,ec8,p" -a "pci8086,ec9,p" -a "pci8086,eca,p" -a 15187/1: "pciex8086,2014" -a "pciex8086,2016" -a "pciex8086,2024" -a 15187/1: "pciex8086,2040" -a "pciex8086,2044" -a "pciex8086,2048" -a 15187/1: "pciex8086,2054" -a "pciex8086,2055" -a "pciex8086,2066" -a 15187/1: "pciex8086,208e" -a "pciex8086,2f1e" -a "pciex8086,2f1f" -a 15187/1: "pciex8086,2f28" -a "pciex8086,2f60" -a "pciex8086,2f68" -a 15187/1: "pciex8086,2f6a" -a "pciex8086,2f6b" -a "pciex8086,2f6c" -a 15187/1: "pciex8086,2f6d" -a "pciex8086,2f71" -a "pciex8086,2f79" -a 15187/1: "pciex8086,2fa0" -a "pciex8086,2fa8" -a "pciex8086,2faa" -a 15187/1: "pciex8086,2fab" -a "pciex8086,2fac" -a "pciex8086,2fad" -a 15187/1: "pciex8086,2ffc" -a "pciex8086,2ffd" -a "pciex8086,3c71" -a 15187/1: "pciex8086,3ca0" -a "pciex8086,3ca8" -a "pciex8086,3caa" -a 15187/1: "pciex8086,3cab" -a "pciex8086,3cac" -a "pciex8086,3cad" -a 15187/1: "pciex8086,3ce0" -a "pciex8086,3ce3" -a 
"pciex8086,3cf4" -a 15187/1: "pciex8086,3cf5" -a "pciex8086,3cf6" -a "pciex8086,6f1e" -a 15187/1: "pciex8086,6f1f" -a "pciex8086,6f28" 15189/1: execve("/usr/sbin/drvconfig", 0xFFFFFC7FFFDF9DE0, 0xFFFFFC7FFFDFAFA8) argc = 77 15189/1: argv: drvconfig -b -i imcstub -m 273 -x -a "pciex8086,6f60" -a 15189/1: "pciex8086,6f68" -a "pciex8086,6f6a" -a "pciex8086,6f6b" -a 15189/1: "pciex8086,6f6c" -a "pciex8086,6f6d" -a "pciex8086,6f71" -a 15189/1: "pciex8086,6f79" -a "pciex8086,6fa0" -a "pciex8086,6fa8" -a 15189/1: "pciex8086,6faa" -a "pciex8086,6fab" -a "pciex8086,6fac" -a 15189/1: "pciex8086,6fad" -a "pciex8086,6ffc" -a "pciex8086,6ffd" -a 15189/1: "pciex8086,e1e" -a "pciex8086,e1f" -a "pciex8086,e60" -a 15189/1: "pciex8086,e68" -a "pciex8086,e6a" -a "pciex8086,e6b" -a 15189/1: "pciex8086,e6c" -a "pciex8086,e6d" -a "pciex8086,e71" -a 15189/1: "pciex8086,e79" -a "pciex8086,ea0" -a "pciex8086,ea8" -a 15189/1: "pciex8086,eaa" -a "pciex8086,eab" -a "pciex8086,eac" -a 15189/1: "pciex8086,ead" -a "pciex8086,ec8" -a "pciex8086,ec9" -a 15189/1: "pciex8086,eca"
I also checked for leaks in this code path; there were several before this change.
bloody:illumos:master# LD_PRELOAD=/usr/lib/amd64/libumem.so UMEM_DEBUG=default /usr/bin/amd64/mdb ./amd64/add_drv > ::bp exit > ::run -u -i '"pci8086,2014,p" "pci8086,2016,p" "pci8086,2024,p" "pci8086,2040,p" "pci8086,2044,p" "pci8086,2048,p" "pci8086,2054,p" "pci8086,2055,p" "pci8086,2066,p" "pci8086,208e,p" "pci8086,2f1e,p" "pci8086,2f1f,p" "pci8086,2f28,p" "pci8086,2f60,p" "pci8086,2f68,p" "pci8086,2f6a,p" "pci8086,2f6b,p" "pci8086,2f6c,p" "pci8086,2f6d,p" "pci8086,2f71,p" "pci8086,2f79,p" "pci8086,2fa0,p" "pci8086,2fa8,p" "pci8086,2faa,p" "pci8086,2fab,p" "pci8086,2fac,p" "pci8086,2fad,p" "pci8086,2ffc,p" "pci8086,2ffd,p" "pci8086,3c71,p" "pci8086,3ca0,p" "pci8086,3ca8,p" "pci8086,3caa,p" "pci8086,3cab,p" "pci8086,3cac,p" "pci8086,3cad,p" "pci8086,3ce0,p" "pci8086,3ce3,p" "pci8086,3cf4,p" "pci8086,3cf5,p" "pci8086,3cf6,p" "pci8086,6f1e,p" "pci8086,6f1f,p" "pci8086,6f28,p" "pci8086,6f60,p" "pci8086,6f68,p" "pci8086,6f6a,p" "pci8086,6f6b,p" "pci8086,6f6c,p" "pci8086,6f6d,p" "pci8086,6f71,p" "pci8086,6f79,p" "pci8086,6fa0,p" "pci8086,6fa8,p" "pci8086,6faa,p" "pci8086,6fab,p" "pci8086,6fac,p" "pci8086,6fad,p"' imcstub mdb: forksys detected: follow (p)arent or (c)hild? p mdb: target forked child process 15098 (debugger following parent) ld.so.1: drvconfig: fatal: /usr/lib/amd64/libumem.so: wrong ELF class: ELFCLASS64 System updated but imcstub driver not yet configured. mdb: stop at exit mdb: target stopped at: libc.so.1`exit: pushq %rbp mdb: You've got symbols! Loading modules: [ ld.so.1 libumem.so.1 libc.so.1 ] > ::umem_status Status: ready and active Concurrency: 32 Logs: (inactive) Message buffer: > ::findleaks findleaks: no memory leaks detected
Updated by Andy Fiddaman 9 months ago
I also verified that the right number of entries ends up in /etc/driver_aliases:
# grep -c imcstub /etc/driver_aliases 158
Updated by Andy Fiddaman 9 months ago
Review posted at https://code.illumos.org/c/illumos-gate/+/603
Updated by Andy Fiddaman 9 months ago
ptribble pointed out on IRC that the e1000g
driver has even more aliases.
I tested uninstalling and re-installing it, and it exhibited the same problem.
This had not been seen before, however, because e1000g is part of the base system for both OmniOS and OpenIndiana and is initially installed into an alternate root, without add_drv
being called (thanks to toasterson for the hint there).
Updated by Dan McDonald 9 months ago
- Related to Bug #12625: modload tools should be smatch and gcc warning clean added
Updated by Electric Monk 9 months ago
- Status changed from In Progress to Closed
- % Done changed from 0 to 100
git commit e4a991eb9ba3d449515f2fe5f9f2a9e1c33ca0fd
commit e4a991eb9ba3d449515f2fe5f9f2a9e1c33ca0fd Author: Andy Fiddaman <omnios@citrus-it.co.uk> Date: 2020-04-29T16:10:01.000Z 12624 add_drv crashes when given many aliases 12625 modload tools should be smatch and gcc warning clean Reviewed by: John Levon <john.levon@joyent.com> Reviewed by: Dominik Hassler <hadfl@omniosce.org> Approved by: Dan McDonald <danmcd@joyent.com>