Bug #4598
fmd(1m): redzone violation: write past end of buffer
Status: closed, 100% done
Description
I noticed this on a DEBUG build during the shutdown:
> ::status
debugging core file of fmd (32-bit) from telcontar
initial argv: /usr/lib/fm/fmd/fmd
threading model: native threads
status: process terminated by SIGABRT (Abort), pid=100643 uid=0 code=-1
> ::stack
libc.so.1`_lwp_kill+0x15(1, 6, 8047c08, feae4087, feb12000, feaf0428)
libc.so.1`raise+0x2b(6, feaf0428, 8047c28, feb12000)
libumem.so.1`umem_do_abort+0x2b(feb12000, f, 8047c78, feae7fc9, feaf0428, 80faae8)
libumem.so.1`umem_err_recoverable+0x5a(feaf0428, 80faae8, 94ffd58, 80faae8, 80fab48, 9506000)
libumem.so.1`umem_error+0x492(1, 80faa90, 9500000, feaeb913)
libumem.so.1`umem_free+0xdf(9500000, 4c00, 0, fef5a000)
fmd_free+0x11(9500000, 4c00)
fmd_trace_destroy+0x19(94c9d28, 94691f8)
fmd_thread_destroy+0x7b(94691f8, 1, 8047d58, 807665e, 8112ac8, 8089d38)
fmd_module_unload+0xb6(94b29c0, 8047db8, 8047d88, 806092a, 8074eaa, 0)
fmd_destroy+0x91(809d8c0, 4, 8047e08, 8074e43, 805ad34, 0)
main+0x3b1(8047dfc, fef648a8, 8047e30, 805fd9b, 1, 8047e3c)
_start+0x83(1, 8047ee4, 0, 8047ef8, 8047f16, 8047f27)
> ::umem_status
Status: ready and active
Concurrency: 8
Logs: content=128k fail=128k (inactive)
Message buffer:
umem allocator: redzone violation: write past end of buffer
buffer=9500000 bufctl=94ffd58 cache: umem_alloc_24576
previous transaction on buffer 9500000:
thread=1 time=T-168142.593209121 slab=948f938 cache: umem_alloc_24576
libumem.so.1'umem_cache_alloc_debug+0x1fe
libumem.so.1'umem_cache_alloc+0x18f
libumem.so.1'umem_alloc+0x50
fmd'fmd_alloc+0x14
fmd'fmd_zalloc+0x14
fmd'fmd_trace_create+0x6f
fmd'fmd_thread_create_cmn+0x2e
fmd'fmd_thread_create+0x16
fmd'fmd_module_create+0x42e
fmd'fmd_modhash_load+0x103
fmd'fmd_modhash_loaddir+0xa7
fmd'fmd_modhash_loadall+0x2b
fmd'fmd_run+0x5b4
fmd'main+0x344
fmd'_start+0x83
umem: heap corruption detected
stack trace:
libumem.so.1'umem_err_recoverable+0x4a
libumem.so.1'umem_error+0x492
libumem.so.1'umem_free+0xdf
fmd'fmd_free+0x11
fmd'fmd_trace_destroy+0x19
fmd'fmd_thread_destroy+0x7b
fmd'fmd_module_unload+0xb6
fmd'fmd_destroy+0x91
fmd'main+0x3b1
fmd'_start+0x83
>
The core file is available at http://telka.sk/illumos/4598/core.fmd.0.1392134423.
Updated by Zhiwen Zheng almost 9 years ago
/*
 * Callback for walkcontext(3C) to store the stack trace. We use tr_tag below
 * to store the maximum value of depth that is permitted so we can use it here.
 */
/*ARGSUSED*/
static int
fmd_trace_frame(uintptr_t pc, int sig, fmd_tracerec_t *trp)
{
	trp->tr_stack[trp->tr_depth++] = pc;
	/*
	 * ######### trp->tr_depth is not reset to 0 after use; on the second round
	 * the last fmd_tracerec_t of the fmd_tracebuf_t gets used, and this write
	 * may go past the end of the buffer.
	 */
	return (trp->tr_depth >= trp->tr_tag);
}
The following change can fix this bug:
diff --git a/usr/src/cmd/fm/fmd/common/fmd_trace.c b/usr/src/cmd/fm/fmd/common/fmd_trace.c
index 2bb0187..c956bb7 100644
--- a/usr/src/cmd/fm/fmd/common/fmd_trace.c
+++ b/usr/src/cmd/fm/fmd/common/fmd_trace.c@ -154,6 +154,7
@ fmd_trace_full(fmd_tracebuf_t *tbp, uint_t tag, const char *format, va_list ap)
}
(void) getcontext(&uc);
+ trp->tr_depth = 0;
trp->tr_tag = tbp->tb_frames; /* for use by fmd_trace_frame() /
(void) walkcontext(&uc, (int ()())fmd_trace_frame, trp);
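Review bot: the reset is placed correctly, before tr_tag is loaded and walkcontext() runs, and it is the whole fix: fmd_trace_frame() stores into tr_stack[tr_depth++] before it compares against tr_tag, so a tr_depth left equal to tr_tag by the previous walk makes the very next store land one slot past the record. A worthwhile follow-up is to guard the store inside fmd_trace_frame() itself (return 1 when tr_depth >= tr_tag before writing), so the bound no longer depends on every caller remembering `trp->tr_depth = 0;`, and to note in the comment above the callback that tr_depth must be zero on entry.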
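To make the overrun mechanism concrete, here is an added stand-alone model (not code from fmd or from the commit above) of the store-then-check callback: a constructed record with FRAMES slots and one guard word after them, standing in for the umem redzone, is reused for two traces with and without the one-line reset. The names trace_frame, trace_full, walk and the FRAMES/REDZONE values are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>

#define FRAMES  4                    /* stands in for tb_frames (constructed) */
#define REDZONE 0xfeedfaceUL         /* stand-in for libumem's redzone pattern */

/* Scaled-down model of fmd_tracerec_t. tr_stack points at an array with
 * FRAMES usable slots; the word right after them plays the umem redzone. */
typedef struct {
	unsigned   tr_depth;
	unsigned   tr_tag;
	uintptr_t *tr_stack;
} tracerec_t;

/* Same store-then-compare logic as fmd's walkcontext(3C) callback. */
static int trace_frame(uintptr_t pc, tracerec_t *trp)
{
	trp->tr_stack[trp->tr_depth++] = pc;
	return (trp->tr_depth >= trp->tr_tag);
}

/* Stand-in for walkcontext(): feeds synthetic pcs until the callback stops it. */
static void walk(tracerec_t *trp, int nframes)
{
	for (int i = 0; i < nframes; i++)
		if (trace_frame((uintptr_t)0x1000 + (uintptr_t)i * 0x10, trp))
			break;
}

/* One trace into the record; reset_depth selects pre-fix (0) or fixed (1). */
static void trace_full(tracerec_t *trp, int nframes, int reset_depth)
{
	if (reset_depth)
		trp->tr_depth = 0;       /* the one-line fix from the commit */
	trp->tr_tag = FRAMES;        /* max depth, checked by trace_frame() */
	walk(trp, nframes);
}

/* Reuse one record for two deep traces; returns 1 if the guard word survived. */
int redzone_intact_after_two_traces(int reset_depth)
{
	uintptr_t  buf[FRAMES + 1];  /* FRAMES slots plus one redzone word */
	tracerec_t rec = { 0, 0, buf };

	memset(buf, 0, sizeof (buf));
	buf[FRAMES] = REDZONE;
	trace_full(&rec, 10, reset_depth);   /* ends with tr_depth == FRAMES */
	trace_full(&rec, 10, reset_depth);   /* no reset: first store hits buf[FRAMES] */
	return (buf[FRAMES] == REDZONE);
}
```

The guard sits inside buf, so the model stays within defined behaviour while reproducing exactly the one-slot overrun that libumem reported as a redzone violation on the real record.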
Updated by Electric Monk over 8 years ago
- Status changed from New to Closed
- % Done changed from 0 to 100
git commit ce926fbb3eac0337e32c8855d5843ab73a07c345
commit ce926fbb3eac0337e32c8855d5843ab73a07c345
Author: Zhiwen Zheng <zhiwen.zh@gmail.com>
Date: 2015-02-26T02:23:10.000Z

4598 fmd(1m): redzone violation: write past end of buffer
Reviewed by: Richard Lowe <richlowe@richlowe.net>
Reviewed by: Marcel Telka <marcel@telka.sk>
Approved by: Robert Mustacchi <rm@joyent.com>