Bug #3706

mdb segfault when random address is passed to "list" walker

Added by Marcel Telka over 7 years ago. Updated over 7 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: mdb - modular debugger
Start date: 2013-04-09
Due date:
% Done: 0%
Estimated time:
Difficulty: Medium
Tags: needs-triage
Gerrit CR:

Description

I passed a random address to the "list" walker and mdb segfaulted:

> ::status
debugging core file of mdb (64-bit) from telcontar
file: /usr/bin/amd64/mdb
initial argv: mdb -w 9
threading model: native threads
status: process terminated by SIGSEGV (Segmentation Fault), addr=ffffff01c2e24000
> ::stack
genunix.so`list_walk_step+0xac()
walk_step+0x5e()
walk_common+0x71()
mdb_pwalk+0x3f()
cmd_walk+0x138()
dcmd_invoke+0x64()
mdb_call_idcmd+0xff()
mdb_call+0x390()
yyparse+0x50d()
mdb_run+0x2cd()
main+0x136d()
0x42769c()
>

I reproduced it using this command:

> 0xffffffa6649d6000::walk list

when I debugged the crash dump file from Bug #3629.

The core file from mdb is available at http://telka.sk/illumos/3706/core.

#1

Updated by Marcel Telka over 7 years ago

  • Assignee set to Marcel Telka

#2

Updated by Marcel Telka over 7 years ago

A similar segfault could be caused by an uninitialized list:

> dev_list::print -t
list_t {
    size_t list_size = 0
    size_t list_offset = 0
    struct list_node list_head = {
        struct list_node *list_next = 0
        struct list_node *list_prev = 0
    }
}
> dev_list::walk list
0
Segmentation Fault (core dumped)

#3

Updated by Marcel Telka over 7 years ago

  • Status changed from New to In Progress

#4

Updated by Marcel Telka over 7 years ago

Root Cause

The problem is that there is no check in the list walker for valid and consistent list_size and list_offset values.

We should add a similar check to the one in the list_create() function:

ASSERT(size >= offset + sizeof (list_node_t));

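The check described in this comment, written out as an added example: this is not the illumos fix in list.c nor mdb code, but a stand-alone C program that mirrors the list_t/list_node_t layout from sys/list_impl.h and validates a list header in-process (mdb would read the header out of the target with mdb_vread first). The function names list_header_is_sane, list_count_checked, build_sample_list, make_zeroed_list and make_bogus_list, and the three sample headers, are constructed for this example. It covers both cases on the page: the all-zero header from comment #2 and a header whose size and offset are inconsistent.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Layout mirroring illumos list_node_t / list_t (sys/list_impl.h). */
typedef struct list_node {
    struct list_node *list_next;
    struct list_node *list_prev;
} list_node_t;

typedef struct list {
    size_t list_size;       /* size of each element that embeds a node */
    size_t list_offset;     /* offset of the list_node_t inside the element */
    list_node_t list_head;  /* sentinel; an empty list points at itself */
} list_t;

/*
 * Header sanity check of the kind comment #4 proposes, applied before a
 * walker starts following list_next pointers.  Returns 1 if consistent.
 */
int
list_header_is_sane(const list_t *lp)
{
    /* Zeroed (never list_create()d) list as in comment #2: reject. */
    if (lp->list_size == 0)
        return (0);
    /* Guard the addition below against size_t wraparound. */
    if (lp->list_offset > SIZE_MAX - sizeof (list_node_t))
        return (0);
    /* Same relation list_create() asserts: the node must fit in the element. */
    if (lp->list_size < lp->list_offset + sizeof (list_node_t))
        return (0);
    return (1);
}

/*
 * Bounded walk that refuses to start on an insane header.  Returns the
 * number of elements visited, or -1 if the header was rejected.
 */
long
list_count_checked(const list_t *lp, long max_steps)
{
    long n = 0;
    const list_node_t *np;

    if (!list_header_is_sane(lp))
        return (-1);
    for (np = lp->list_head.list_next;
        np != &lp->list_head && n < max_steps; np = np->list_next)
        n++;
    return (n);
}

/* Constructed sample element: the node is embedded after an int. */
typedef struct sample_elem {
    int value;
    list_node_t node;
} sample_elem_t;

static sample_elem_t elems[3];
static list_t good_list, zeroed_list;
/* Constructed header whose offset + node size exceeds its element size. */
static list_t bogus_list = { .list_size = 8, .list_offset = 16 };

/* Build (or rebuild) a consistent three-element list; constructed input. */
list_t *
build_sample_list(void)
{
    int i;

    good_list.list_size = sizeof (sample_elem_t);
    good_list.list_offset = offsetof(sample_elem_t, node);
    good_list.list_head.list_next = &good_list.list_head;
    good_list.list_head.list_prev = &good_list.list_head;
    for (i = 0; i < 3; i++) {
        list_node_t *tail = good_list.list_head.list_prev;

        elems[i].value = i;
        elems[i].node.list_prev = tail;
        elems[i].node.list_next = &good_list.list_head;
        tail->list_next = &elems[i].node;
        good_list.list_head.list_prev = &elems[i].node;
    }
    return (&good_list);
}

/* All-zero header, like the dev_list printed in comment #2. */
list_t *
make_zeroed_list(void)
{
    return (&zeroed_list);
}

list_t *
make_bogus_list(void)
{
    return (&bogus_list);
}

int
main(void)
{
    printf("good:   %ld\n", list_count_checked(build_sample_list(), 100));
    printf("zeroed: %ld\n", list_count_checked(make_zeroed_list(), 100));
    printf("bogus:  %ld\n", list_count_checked(make_bogus_list(), 100));
    return (0);
}
```

The walk is also bounded by max_steps, which a debugger walker wants independently of the header check: a header that passes the size/offset test can still carry a garbage list_next, and a step limit keeps such a list from spinning forever.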
#5

Updated by Marcel Telka over 7 years ago

  • Status changed from In Progress to Pending RTI

#6

Updated by Gordon Ross over 7 years ago

  • Status changed from Pending RTI to Resolved

commit 9889d1c6ca2bae13060bd0690ee771c8bb53303d
Author: Marcel Telka <marcel.telka@nexenta.com>
Date:   Sat Jul 27 00:11:06 2013 +0200

    3706 mdb segfault when random address is passed to "list" walker
    Reviewed by: Adam Leventhal <ahl@delphix.com>
    Reviewed by: Garrett D'Amore <garrett.damore@gmail.com>
    Reviewed by: Wendy Lin <wendlin1974@gmail.com>
    Approved by: Gordon Ross <gwr@nexenta.com>

:100644 100644 58e21eb... 1a04d83... M    usr/src/cmd/mdb/common/modules/genunix/list.c