Bug #4598

closed

fmd(1m): redzone violation: write past end of buffer

Added by Marcel Telka over 7 years ago. Updated over 6 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: cmd - userland programs
Start date: 2014-02-14
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags: needs-triage
Gerrit CR:

Description

I noticed this on a DEBUG build during shutdown:

> ::status
debugging core file of fmd (32-bit) from telcontar
initial argv: /usr/lib/fm/fmd/fmd
threading model: native threads
status: process terminated by SIGABRT (Abort), pid=100643 uid=0 code=-1
> ::stack      
libc.so.1`_lwp_kill+0x15(1, 6, 8047c08, feae4087, feb12000, feaf0428)
libc.so.1`raise+0x2b(6, feaf0428, 8047c28, feb12000)
libumem.so.1`umem_do_abort+0x2b(feb12000, f, 8047c78, feae7fc9, feaf0428, 80faae8)
libumem.so.1`umem_err_recoverable+0x5a(feaf0428, 80faae8, 94ffd58, 80faae8, 80fab48, 9506000)
libumem.so.1`umem_error+0x492(1, 80faa90, 9500000, feaeb913)
libumem.so.1`umem_free+0xdf(9500000, 4c00, 0, fef5a000)
fmd_free+0x11(9500000, 4c00)
fmd_trace_destroy+0x19(94c9d28, 94691f8)
fmd_thread_destroy+0x7b(94691f8, 1, 8047d58, 807665e, 8112ac8, 8089d38)
fmd_module_unload+0xb6(94b29c0, 8047db8, 8047d88, 806092a, 8074eaa, 0)
fmd_destroy+0x91(809d8c0, 4, 8047e08, 8074e43, 805ad34, 0)
main+0x3b1(8047dfc, fef648a8, 8047e30, 805fd9b, 1, 8047e3c)
_start+0x83(1, 8047ee4, 0, 8047ef8, 8047f16, 8047f27)
> ::umem_status
Status:         ready and active
Concurrency:    8
Logs:           content=128k fail=128k (inactive)
Message buffer:
umem allocator: redzone violation: write past end of buffer
buffer=9500000  bufctl=94ffd58  cache: umem_alloc_24576
previous transaction on buffer 9500000:
thread=1  time=T-168142.593209121  slab=948f938  cache: umem_alloc_24576
libumem.so.1'umem_cache_alloc_debug+0x1fe
libumem.so.1'umem_cache_alloc+0x18f
libumem.so.1'umem_alloc+0x50
fmd'fmd_alloc+0x14
fmd'fmd_zalloc+0x14
fmd'fmd_trace_create+0x6f
fmd'fmd_thread_create_cmn+0x2e
fmd'fmd_thread_create+0x16
fmd'fmd_module_create+0x42e
fmd'fmd_modhash_load+0x103
fmd'fmd_modhash_loaddir+0xa7
fmd'fmd_modhash_loadall+0x2b
fmd'fmd_run+0x5b4
fmd'main+0x344
fmd'_start+0x83
umem: heap corruption detected
stack trace:
libumem.so.1'umem_err_recoverable+0x4a
libumem.so.1'umem_error+0x492
libumem.so.1'umem_free+0xdf
fmd'fmd_free+0x11
fmd'fmd_trace_destroy+0x19
fmd'fmd_thread_destroy+0x7b
fmd'fmd_module_unload+0xb6
fmd'fmd_destroy+0x91
fmd'main+0x3b1
fmd'_start+0x83

>

The core file is available at http://telka.sk/illumos/4598/core.fmd.0.1392134423.

#1

Updated by Zhiwen Zheng about 7 years ago

/*
 * Callback for walkcontext(3C) to store the stack trace.  We use tr_tag below
 * to store the maximum value of depth that is permitted so we can use it here.
 */
/*ARGSUSED*/
static int
fmd_trace_frame(uintptr_t pc, int sig, fmd_tracerec_t *trp)
{
	trp->tr_stack[trp->tr_depth++] = pc;
	/*
	 * tr_depth is not reset to 0 after use; on the second round the last
	 * fmd_tracerec_t of the fmd_tracebuf_t gets used and this write may
	 * pass the end of the buffer.
	 */
	return (trp->tr_depth >= trp->tr_tag);
}

The following change can fix this bug:

diff --git a/usr/src/cmd/fm/fmd/common/fmd_trace.c b/usr/src/cmd/fm/fmd/common/fmd_trace.c
index 2bb0187..c956bb7 100644
--- a/usr/src/cmd/fm/fmd/common/fmd_trace.c
+++ b/usr/src/cmd/fm/fmd/common/fmd_trace.c
@ -154,6 +154,7 @ fmd_trace_full(fmd_tracebuf_t *tbp, uint_t tag, const char *format, va_list ap)
}

(void) getcontext(&uc);
+ trp->tr_depth = 0;
trp->tr_tag = tbp->tb_frames; /* for use by fmd_trace_frame() /
(void) walkcontext(&uc, (int (
)())fmd_trace_frame, trp);
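Review bot: resetting tr_depth immediately before walkcontext() is the right fix for the umem redzone report above, because fmd_trace_frame() stores at tr_stack[tr_depth++] first and only then compares tr_depth against tr_tag, so a record reused from the trace ring that still carries tr_depth == tb_frames from its previous trace receives exactly one store past the end of tr_stack before the walk stops. Two small follow-ups: the comment above fmd_trace_frame() should say that tr_depth must be zero on entry, and the new line deserves the same kind of comment the tr_tag assignment already has, e.g. `trp->tr_depth = 0; /* fmd_trace_frame() fills tr_stack from 0 */`, so a later change does not drop one of the two without the other.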
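To see why the one-line reset matters, here is a constructed model of a single fmd trace record, added here and not taken from fmd or from the comment above: walk_into() stands in for fmd_trace_frame() but is fed a fixed array of pcs instead of walkcontext(3C) frames, FRAMES stands in for tb_frames, and the harness counts the store that would fall past tr_stack[] instead of performing it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAMES 3	/* stack slots per record; stands in for tbp->tb_frames */

typedef struct {
	unsigned tr_depth;
	unsigned tr_tag;
	uintptr_t tr_stack[FRAMES];
} tracerec_t;
/*
 * Feed a constructed pc list into one record the way fmd_trace_frame() consumes
 * frames from walkcontext(3C): store at tr_stack[tr_depth], bump tr_depth, stop
 * once it reaches tr_tag.  Returns how many stores would have landed past
 * tr_stack[]; this harness counts those instead of performing them.
 */
static unsigned
walk_into(tracerec_t *trp, const uintptr_t *pcs, size_t n, int reset_depth)
{
	unsigned oob = 0;
	if (reset_depth)
		trp->tr_depth = 0;	/* the one-line fix from the patch */
	trp->tr_tag = FRAMES;		/* as fmd_trace_full() does with tb_frames */
	for (size_t i = 0; i < n; i++) {
		if (trp->tr_depth < FRAMES)
			trp->tr_stack[trp->tr_depth] = pcs[i];
		else
			oob++;		/* unfixed fmd writes here, past the buffer */
		trp->tr_depth++;
		if (trp->tr_depth >= trp->tr_tag)
			break;		/* same stop test, evaluated after the store */
	}
	return (oob);
}
/* Trace twice into one record, as the ring does; count OOB stores on the reuse. */
unsigned
reuse_record(int reset_depth)
{
	static const uintptr_t pcs[] = { 0x1001, 0x1002, 0x1003, 0x1004 }; /* constructed */
	tracerec_t rec;
	memset(&rec, 0, sizeof (rec));
	(void) walk_into(&rec, pcs, 4, reset_depth);	/* fills all FRAMES slots */
	return (walk_into(&rec, pcs, 4, reset_depth));	/* reused record */
}
int
main(void)
{
	printf("unfixed: %u store(s) past end, fixed: %u\n", reuse_record(0), reuse_record(1));
	return (0);
}
```

With tr_depth left at FRAMES by the first trace, the second trace makes one store past the end and then stops; with the reset it makes none.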
#2

Updated by Electric Monk over 6 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

git commit ce926fbb3eac0337e32c8855d5843ab73a07c345

commit  ce926fbb3eac0337e32c8855d5843ab73a07c345
Author: Zhiwen Zheng <zhiwen.zh@gmail.com>
Date:   2015-02-26T02:23:10.000Z

    4598 fmd(1m): redzone violation: write past end of buffer
    Reviewed by: Richard Lowe <richlowe@richlowe.net>
    Reviewed by: Marcel Telka <marcel@telka.sk>
    Approved by: Robert Mustacchi <rm@joyent.com>
