Message-Id: <200801271841.m0RIfaO2065209@www.freebsd.org>
Date: Sun, 27 Jan 2008 18:41:36 GMT
From: Patrick Lamaiziere <patpr@davenulle.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: kdump segfaults on freebsd6_mmap syscall
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         120055
>Category:       bin
>Synopsis:       [linux] kdump(1) segfaults on freebsd6_mmap syscall
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    attilio
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jan 27 18:50:00 UTC 2008
>Closed-Date:    Sat Nov 13 10:03:24 UTC 2010
>Last-Modified:  Sat Nov 13 10:03:24 UTC 2010
>Originator:     Patrick Lamaiziere
>Release:        RELENG_7_0
>Organization:
>Environment:
FreeBSD roxette.lamaiziere.net 7.0-RC1 FreeBSD 7.0-RC1 #0: Fri Jan 25 18:06:03 CET 2008     patrick@roxette.lamaiziere.net:/usr/obj/usr/src/sys/ROXETTE  i386

>Description:
kdump crashes with a segfault when dumping the content of the syscall
freebsd6_mmap:

$ kdump
 69472 bash     CALL freebsd6_mmap(0x3,0xbfbfdeb8,<invalid>672202704,MAP_SHARED|[CUT],0,0,...
<SEGFAULT>

I've inserted some printf() in /usr/src/usr.bin/kdump/kdump.c and the
problem is that ktr->narg is equal to 3 when ktrsyscall() is called for
this syscall.

Line 305, /usr/src/usr.bin/kdump/kdump.c
void
ktrsyscall(struct ktr_syscall *ktr)
{
   int narg = ktr->ktr_narg;
   register_t *ip;
[CUT]
#ifdef SYS_freebsd6_mmap
   } else if (ktr->ktr_code == SYS_freebsd6_mmap) {
             print_number(ip,narg,c);
             print_number(ip,narg,c);
             (void)putchar(',');
             mmapprotname ((int)*ip);
             (void)putchar(',');
             ip++;
             narg--;
             mmapflagsname ((int)*ip);
             ip++;
             narg--;

Here narg = -1 because the macro print_number() decrements narg.
So afterwards, it loops until it segfaults:
[CUT]
  while (narg) {
                 print_number(ip,narg,c);
               }
 (void)putchar(')');

For a fix, a "while (narg>0)" will be safer, but I don't know if this is
a bug in the call, a bug in ktrace or only a bug in kdump.

Regards.
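A constructed model of the loop described above, added here as an example; it is not code from kdump(1) or from the reporter. It runs the pre-fix "while (narg)" and the post-fix "while (narg > 0)" condition over a well-formed record and over one whose narg is 3, and stops the runaway case at the end of the record instead of letting it crash (the struct rec, MAXARGS and run_case names, and the argument values, are assumptions).

```c
#include <stdio.h>

/* Constructed model of the kdump(1) argument loop from the report (not kdump's
 * own code). A ktr_syscall record carries ktr_narg followed by the argument
 * words; a fixed-size array stands in for the record body here. */
#define MAXARGS 8
typedef long word_t;                       /* stands in for register_t */
struct rec { int narg; word_t args[MAXARGS]; };

/* Like kdump's print_number() macro: emit one word, advance the pointer and
 * decrement the remaining-argument count. */
#define PRINT_NUMBER(ip, narg, n) do { (ip)++; (narg)--; (n)++; } while (0)

/* Walk the freebsd6_mmap branch. guarded=0 is the pre-fix "while (narg)",
 * guarded=1 the committed "while (narg > 0)". Returns the number of argument
 * words consumed, or -1 when the loop walks off the end of the record, which
 * is the point where the real kdump keeps reading and eventually segfaults. */
int dump_freebsd6_mmap(const struct rec *r, int guarded)
{
    int narg = r->narg, n = 0;
    const word_t *ip = r->args, *end = r->args + MAXARGS;

    PRINT_NUMBER(ip, narg, n);             /* addr */
    PRINT_NUMBER(ip, narg, n);             /* len  */
    ip++; narg--; n++;                     /* prot  (mmapprotname)  */
    ip++; narg--; n++;                     /* flags (mmapflagsname) */
    /* With ktr_narg == 3, narg is now -1: "while (narg)" can never count
     * down to zero, so only the bounds check below stops the model. */
    while (guarded ? narg > 0 : narg != 0) {
        if (ip >= end)
            return -1;
        PRINT_NUMBER(ip, narg, n);
    }
    return n;
}

/* Build a constructed record with the given ktr_narg and run one variant. */
int run_case(int narg, int guarded)
{
    struct rec r = { narg, { 0x3, 0x100, 0x1, 0x1, 0x3, 0, 0, 0 } };
    return dump_freebsd6_mmap(&r, guarded);
}

int main(void)
{
    printf("narg=7: unguarded=%d guarded=%d\n", run_case(7, 0), run_case(7, 1));
    printf("narg=3: unguarded=%d guarded=%d\n", run_case(3, 0), run_case(3, 1));
    return 0;
}
```

Note that even the guarded variant consumes four words before it ever looks at narg, so a record with fewer than four arguments is still over-read by the branch itself; only the infinite loop is closed.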
>How-To-Repeat:
The ktrace.out (gzipped) can be found here:

http://user.lamaiziere.net/patrick/ktrace.out.gz
>Fix:


>Release-Note:
>Audit-Trail:

From: Patrick Lamaiziere <patpr@davenulle.org>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: misc/120055: kdump segfaults on freebsd6_mmap syscall
Date: Sun, 27 Jan 2008 21:44:02 +0100

 My apologies, I forgot to say that it was a kdump on a Linux program
 (acroread8)
 
 Shall kdump work in this case?

From: Jaakko Heinonen <jh@saunalahti.fi>
To: bug-followup@FreeBSD.org, patpr@davenulle.org
Cc:  
Subject: Re: bin/120055: [linux] kdump(1) segfaults on freebsd6_mmap syscall
Date: Thu, 31 Jan 2008 14:57:19 +0200

 
 This is a duplicate of kern/119564. (You should use devel/linux_kdump
 port for Linux binaries.) However I think that it might be reasonable to
 commit the attached patch to avoid kdump segfaulting on "corrupted"
 dumps.
 
 Attached patch: kdump_segfault.diff
 
 Index: kdump.c
 ===================================================================
 RCS file: /home/ncvs/src/usr.bin/kdump/kdump.c,v
 retrieving revision 1.39
 diff -u -r1.39 kdump.c
 --- kdump.c	7 Jan 2008 18:50:25 -0000	1.39
 +++ kdump.c	31 Jan 2008 12:46:35 -0000
 @@ -770,7 +770,7 @@
  				narg--;
  			}
  		}
 -		while (narg) {
 +		while (narg > 0) {
  			print_number(ip,narg,c);
  		}
  		(void)putchar(')');
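Review bot: the `while (narg > 0)` guard closes the infinite loop, but the freebsd6_mmap branch that runs just before this hunk (quoted in the report: two `print_number(ip,narg,c);` calls, then `mmapprotname ((int)*ip);` and `mmapflagsname ((int)*ip);`) still consumes four argument words without looking at `narg`, so a record whose `ktr_narg` is 3 is over-read by the branch before the loop is reached. Consider also checking `narg` against the number of words the branch needs at its entry, or validating `ktr_narg` against the record length when the record is read, so a corrupted dump is rejected rather than partially decoded.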
 
Responsible-Changed-From-To: freebsd-bugs->dchagin 
Responsible-Changed-By: dchagin 
Responsible-Changed-When: Wed Mar 18 21:32:51 UTC 2009 
Responsible-Changed-Why:  
grab PR, I have solution 

http://www.freebsd.org/cgi/query-pr.cgi?pr=120055 

From: Alexander Best <alexbestms@math.uni-muenster.de>
To: <bug-followup@FreeBSD.org>
Cc:  
Subject: Re: bin/120055: [linux] kdump(1) segfaults on freebsd6_mmap syscall
Date: Wed, 24 Jun 2009 01:52:23 +0200 (CEST)

 this patch isn't in HEAD yet. would be nice to have it there.

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/120055: commit references a PR
Date: Sat,  7 Nov 2009 21:46:43 +0000 (UTC)

 Author: attilio
 Date: Sat Nov  7 21:46:34 2009
 New Revision: 199024
 URL: http://svn.freebsd.org/changeset/base/199024
 
 Log:
   Use a safety belt for cases where corrupted narg can be passed to the
   ktrsyscall(). print_number() does decrement the number of arguments,
   leading to infinite loops for negative values.
   
   Reported by:	Patrick Lamaiziere <patpr at davenulle dot org>,
   		Jonathan Pascal <jkpyvxmzsa at mailinator dot com>
   Submitted by:	jh
   PR:		bin/120055, kern/119564
   MFC:		1 week
 
 Modified:
   head/usr.bin/kdump/kdump.c
 
 Modified: head/usr.bin/kdump/kdump.c
 ==============================================================================
 --- head/usr.bin/kdump/kdump.c	Sat Nov  7 21:28:21 2009	(r199023)
 +++ head/usr.bin/kdump/kdump.c	Sat Nov  7 21:46:34 2009	(r199024)
 @@ -799,7 +799,7 @@ ktrsyscall(struct ktr_syscall *ktr)
  				narg--;
  			}
  		}
 -		while (narg) {
 +		while (narg > 0) {
  			print_number(ip,narg,c);
  		}
  		(void)putchar(')');
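Review bot: this is the same one-line guard as the attached patch above, and the commit log is the only place that records why `> 0` is needed (`narg` is a signed `int`, and `print_number()` decrements it, so a corrupted count goes negative instead of reaching zero); a short comment next to `while (narg > 0)` would keep a later cleanup from "simplifying" it back to `while (narg)`.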
 

From: Alexander Best <alexbestms@math.uni-muenster.de>
To: <bug-followup@FreeBSD.org>
Cc:  
Subject: Re: bin/120055: [linux] kdump(1) segfaults on freebsd6_mmap syscall
Date: Sat, 07 Nov 2009 22:58:00 +0100 (CET)

 committed to HEAD (r199024) by attilio@.
 
 please set pr into patched state.
 
 thanks.
 alex
State-Changed-From-To: open->patched 
State-Changed-By: linimon 
State-Changed-When: Tue Nov 10 08:18:16 UTC 2009 
State-Changed-Why:  
A patch has been committed. 


Responsible-Changed-From-To: dchagin->attilio 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Tue Nov 10 08:18:16 UTC 2009 
Responsible-Changed-Why:  
Over to the committer of the patch. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=120055 

From: Alexander Best <alexbestms@wwu.de>
To: <bug-followup@FreeBSD.org>
Cc:  
Subject: Re: bin/120055: [linux] kdump(1) segfaults on freebsd6_mmap syscall
Date: Sat, 13 Feb 2010 02:15:13 +0100 (CET)

 patch is in all branches except 6.
 
 cheers.
 alex
State-Changed-From-To: patched->closed 
State-Changed-By: arundel 
State-Changed-When: Sat Nov 13 10:02:04 UTC 2010 
State-Changed-Why:  
Fixed in RELENG_7, RELENG_8 and HEAD. RELENG_6 went EoL. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=120055 
>Unformatted:
