Bug #1988
sa_to_str can pass junk to mdb_nhconvert
Start date:
2012-01-16
Due date:
% Done:
100%
Estimated time:
Difficulty:
Bite-size
Tags:
Description
I was poking at a crashdump, and then all of the sudden, mdb died.
> ::iscsi_conn -v
IDM Conn de5b5000
*** mdb: received signal SEGV at:
[1] mdb`mdb_nhconvert+0x91()
[2] idm.so`sa_to_str+0x98()
[3] idm.so`iscsi_print_idm_conn_data+0x2f()
[4] idm.so`iscsi_print_iscsit_conn_data+0x23()
[5] idm.so`iscsi_conn_impl+0x338()
[6] idm.so`iscsi_conn_walk_cb+0x11()
[7] genunix.so`list_walk_step+0x99()
[8] mdb`walk_step+0x59()
[9] mdb`walk_common+0x80()
[10] mdb`mdb_pwalk+0x32()
[11] idm.so`iscsi_walk_all_conn+0x6e()
[12] idm.so`iscsi_conn+0x157()
[13] mdb`dcmd_invoke+0x4e()
[14] mdb`mdb_call_idcmd+0x134()
[15] mdb`mdb_call+0x39b()
[16] mdb`yyparse+0x473()
[17] mdb`mdb_run+0x2eb()
[18] mdb`main+0x13e3()
[19] mdb`_start+0x7d()
mdb: (c)ore dump, (q)uit, (r)ecover, or (s)top for debugger [cqrs]?
mdb: attempting to dump core ...
Memory fault(coredump)
History
Updated by Josef Sipek about 8 years ago
Updated by Sorry, I tried to attach the core but it was way too big.
Updated by Rich Lowe about 8 years ago
Updated by The second argument to mdb_nhconvert is trash (obviously not a pointer), because we're passing &sin->sin_port, rather than &sin6->sin6_port at http://src.illumos.org/source/xref/illumos-gate/usr/src/cmd/mdb/common/modules/idm/idm.c#2844
Updated by Rich Lowe about 8 years ago
- Category set to cmd - userland programs
- Difficulty changed from Medium to Bite-size
- Tags deleted (
needs-triage)
Updated by Rich Lowe about 8 years ago
- Subject changed from mdb: received signal SEGV to sa_to_str can pass junk to mdb_nhconvert
Updated by Rich Lowe about 8 years ago
- Status changed from New to Resolved
- Assignee set to Rich Lowe
- % Done changed from 0 to 100
Resolved in r13563:fdbd5ad458de