Date: Tue, 17 Dec 2013 22:37:35 GMT
From: RK <hsn@sendmail.cz>
To: freebsd-gnats-submit@FreeBSD.org
Subject: swapon aborts on gdbe device

>Number:         184950
>Category:       bin
>Synopsis:       swapon aborts on gdbe device
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    jilles
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Dec 17 22:40:00 UTC 2013
>Closed-Date:    Sun Apr 20 19:23:18 UTC 2014
>Last-Modified:  Sun Apr 20 19:23:18 UTC 2014
>Originator:     RK
>Release:        10.0rc2 i386
>Organization:
>Environment:
>Description:
I have a system configured for encrypted swap: gdbe_swap_enabled=YES

In fstab:
/dev/ada0s1b.bde none swap sw 0 0

In backtrace:

Function swap_on_off() fails at 0x0804a756, which triggers the stack checking routines from libc, __stack_chk_fail(), printing stack underflow.
>How-To-Repeat:

>Fix:


>Release-Note:
>Audit-Trail:

From: Radim Kolar <hsn@sendmail.cz>
To: "bug-followup@freebsd.org" <bug-followup@freebsd.org>
Cc:  
Subject: RE: bin/184950: swapon aborts on gdbe device
Date: Thu, 19 Dec 2013 21:29:17 +0000

 It looks like a bug in the clang compiler. If I compile with standard options and
 DEBUG_FLAGS=-g then it crashes:
 
 bt
 
 0: kill() from libc
 1: __stack_chk_fail() from libc.so.7
 2: __stack_chk_fail() from libc.so.7
 3: swap_on_off() swapon.c:249
 4: main swapon.c:186
 
 If I compile it with -O0 -g then it does not crash.

From: Jilles Tjoelker <jilles@stack.nl>
To: bug-followup@FreeBSD.org, hsn@sendmail.cz
Cc:  
Subject: Re: bin/184950: swapon aborts on gdbe device
Date: Sat, 21 Dec 2013 00:11:18 +0100

 In PR bin/184950, you wrote:
 > i have system configured for encrypted swap gdbe_swap_enabled=YES
 
 > in fstab
 > /dev/ada0s1b.bde none swap sw 0 0
 
 > in backtrace:
 
 > function swap_on_off() fails at 0x0804a756 which triggers stack
 > checking routines from libc __stack_chk_fail() printing stack
 > underflow
 
 This bug is probably not that conspicuous because most people use geli
 instead of gbde for disk encryption.
 
 I looked at the code anyway, and I think the compiler and the buffer
 overflow detector are perfectly right. On platforms where char is signed
 (i.e. most, with the notable exception of arm), the sprintf() call in
 swap_on_off_gbde() may write 9 instead of the expected 3 bytes. There is
 a probability of 12.5% that the last 3 chars are all non-negative and
 therefore no buffer overflow occurs.
 
 The below patch should fix it. I have only tested that it compiles.
 
 Index: sbin/swapon/swapon.c
 ===================================================================
 --- sbin/swapon/swapon.c	(revision 259508)
 +++ sbin/swapon/swapon.c	(working copy)
 @@ -266,7 +266,8 @@ static const char *
  swap_on_off_gbde(const char *name, int doingall)
  {
  	const char *ret;
 -	char pass[64 * 2 + 1], bpass[64];
 +	char pass[64 * 2 + 1];
 +	unsigned char bpass[64];
  	char *dname;
  	int i, error;
  
 
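Review bot: The type change on `bpass` fixes the sign extension, but nothing at the declaration says why it has to stay `unsigned char`, so a later cleanup could fold it back into the `char pass[...], bpass[64];` line and bring the overflow back. Add a one-line comment on `unsigned char bpass[64];` saying the bytes are formatted as two hex digits each, and consider changing the sprintf() call mentioned above to snprintf() bounded by the space left in `pass`, so that a wrong type truncates instead of writing past the buffer.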
 -- 
 Jilles Tjoelker
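
The arithmetic behind the analysis above, as an added C example that is not part of the PR or of swapon.c: it measures what "%02x" emits for a sign-extended byte and shows why only the last three positions can run past `pass`. It assumes a 32-bit int and that byte i is formatted at pass + 2*i (the loop itself is not shown on this page); all helper names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#define NBYTES  64                  /* size of bpass[] in the patch */
#define PASSLEN (NBYTES * 2 + 1)    /* size of pass[] in the patch */

/* Bytes "%02x" emits (NUL included) for a byte held in a signed char. The cast
 * yields the sign-extended value sprintf() sees after argument promotion. */
int hex_len_signed(signed char c)
{
    char tmp[16];
    return snprintf(tmp, sizeof(tmp), "%02x", (unsigned int)c) + 1;
}

/* Same measurement for the patched type. */
int hex_len_unsigned(unsigned char c)
{
    char tmp[16];
    return snprintf(tmp, sizeof(tmp), "%02x", (unsigned int)c) + 1;
}

/* Furthest offset into pass[] touched if byte i is formatted at pass + 2*i
 * (assumed loop shape). Only computes the extent; nothing is overwritten. */
size_t signed_write_extent(const signed char *b, size_t n)
{
    size_t max = 0;
    for (size_t i = 0; i < n; i++) {
        size_t end = 2 * i + (size_t)hex_len_signed(b[i]);
        if (end > max) max = end;
    }
    return max;
}

/* Bounded encoder: 0 on success, -1 if out cannot hold 2*n digits + NUL. */
int hex_encode(const unsigned char *in, size_t n, char *out, size_t outlen)
{
    if (outlen < 2 * n + 1)
        return -1;
    for (size_t i = 0; i < n; i++)
        snprintf(out + 2 * i, outlen - 2 * i, "%02x", (unsigned int)in[i]);
    return 0;
}

int main(void)
{
    signed char b[NBYTES] = {0};    /* constructed sample key bytes */
    b[61] = -1;                     /* high bit set in one of the last three */
    printf("signed %d, unsigned %d, extent %zu of %d\n", hex_len_signed(-1),
        hex_len_unsigned(0xff), signed_write_extent(b, NBYTES), PASSLEN);
    return 0;
}
```

A negative byte at index 60 ends exactly at the buffer's last byte, while one at index 61, 62 or 63 ends past it, which is where the (1/2)^3 = 12.5% figure comes from.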

From: Radim Kolar <hsn@sendmail.cz>
To: Jilles Tjoelker <jilles@stack.nl>, "bug-followup@freebsd.org"
	<bug-followup@freebsd.org>
Cc:  
Subject: RE: bin/184950: swapon aborts on gdbe device
Date: Sat, 21 Dec 2013 09:13:25 +0000

 You are right. The patch fixed the problem. MFC it to 10.0 please.
State-Changed-From-To: open->patched 
State-Changed-By: jilles 
State-Changed-When: Sat Dec 21 12:02:22 UTC 2013 
State-Changed-Why:  
Fixed in 11-current, MFC pending. 

It may be too late for 10.0 though. 


Responsible-Changed-From-To: freebsd-bugs->jilles 
Responsible-Changed-By: jilles 
Responsible-Changed-When: Sat Dec 21 12:02:22 UTC 2013 
Responsible-Changed-Why:  
I did the commit. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=184950 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/184950: commit references a PR
Date: Sat, 21 Dec 2013 12:00:06 +0000 (UTC)

 Author: jilles
 Date: Sat Dec 21 11:59:58 2013
 New Revision: 259677
 URL: http://svnweb.freebsd.org/changeset/base/259677
 
 Log:
   swapon: Fix buffer overflow when configuring encrypted swap on GBDE.
   
   PR:		bin/184950
   Tested by:	Radim Kolar
   MFC after:	3 days
 
 Modified:
   head/sbin/swapon/swapon.c
 
 Modified: head/sbin/swapon/swapon.c
 ==============================================================================
 --- head/sbin/swapon/swapon.c	Sat Dec 21 04:31:54 2013	(r259676)
 +++ head/sbin/swapon/swapon.c	Sat Dec 21 11:59:58 2013	(r259677)
 @@ -266,7 +266,8 @@ static const char *
  swap_on_off_gbde(const char *name, int doingall)
  {
  	const char *ret;
 -	char pass[64 * 2 + 1], bpass[64];
 +	char pass[64 * 2 + 1];
 +	unsigned char bpass[64];
  	char *dname;
  	int i, error;
  
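Review bot: `pass[64 * 2 + 1]` and `bpass[64]` still repeat the literal 64 on separate lines, so the relationship between them (two hex digits per byte plus a NUL) is only implicit. Declaring `bpass` first and sizing `pass` as `sizeof(bpass) * 2 + 1` would keep the two buffers in step if the key length ever changes. The log message could also name the cause, bytes held in a signed char, so the fix is recognizable later.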
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/184950: commit references a PR
Date: Tue, 24 Dec 2013 13:47:06 +0000 (UTC)

 Author: jilles
 Date: Tue Dec 24 13:46:54 2013
 New Revision: 259820
 URL: http://svnweb.freebsd.org/changeset/base/259820
 
 Log:
   MFC r259677: swapon: Fix buffer overflow when configuring swap on GBDE.
   
   PR:		bin/184950
 
 Modified:
   stable/10/sbin/swapon/swapon.c
 Directory Properties:
   stable/10/   (props changed)
 
 Modified: stable/10/sbin/swapon/swapon.c
 ==============================================================================
 --- stable/10/sbin/swapon/swapon.c	Tue Dec 24 09:19:49 2013	(r259819)
 +++ stable/10/sbin/swapon/swapon.c	Tue Dec 24 13:46:54 2013	(r259820)
 @@ -266,7 +266,8 @@ static const char *
  swap_on_off_gbde(const char *name, int doingall)
  {
  	const char *ret;
 -	char pass[64 * 2 + 1], bpass[64];
 +	char pass[64 * 2 + 1];
 +	unsigned char bpass[64];
  	char *dname;
  	int i, error;
  
 
State-Changed-From-To: patched->closed 
State-Changed-By: jilles 
State-Changed-When: Sun Apr 20 19:22:18 UTC 2014 
State-Changed-Why:  
This is fixed in 11-current and 10-stable. The problem does not exist in 
older branches. 

Sorry that this will not be fixed in 10.0. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=184950 
>Unformatted:
