From nobody@FreeBSD.org  Tue Nov 27 14:33:15 2007
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 8957316A419
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 27 Nov 2007 14:33:15 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 781E313C43E
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 27 Nov 2007 14:33:15 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.2/8.14.2) with ESMTP id lAREX9Wu003783
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 27 Nov 2007 14:33:09 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.2/8.14.1/Submit) id lAREX9bI003782;
	Tue, 27 Nov 2007 14:33:09 GMT
	(envelope-from nobody)
Message-Id: <200711271433.lAREX9bI003782@www.freebsd.org>
Date: Tue, 27 Nov 2007 14:33:09 GMT
From: Vasanth Rao Naik <vasanth.raonaik@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Segmentation fault in reloc_non_plt.
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         118285
>Category:       i386
>Synopsis:       [i386] Segmentation fault in reloc_non_plt.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Nov 27 14:40:00 UTC 2007
>Closed-Date:    
>Last-Modified:  Thu Jul 07 19:00:36 UTC 2011
>Originator:     Vasanth Rao Naik
>Release:        FreeBSD 4.11
>Organization:
Juniper Networks India Pvt Ltd
>Environment:
FreeBSD bng-build22.juniper.net 4.11-RELEASE-p13 FreeBSD 4.11-RELEASE-p13 #2: Thu Jul 12 19:06:47 IST 2007 root@bng-build22.juniper.net:/usr/src/sys/compile/bng-build22  i386
>Description:
In reloc_non_plt(), find_symdef() sometimes returns invalid value in def
and a null in defobjout. This causes any binary to receive a segmentation
fault and cores. The kernel code where segmentation happens is in
reloc_non_plt

        case R_386_GLOB_DAT:
            {
                const Elf_Sym *def;
                const Obj_Entry *defobj;

                def = find_symdef(ELF_R_SYM(rel->r_info), obj, &defobj,
                  false, cache);
                if (def == NULL)
                    goto done;

                *where = (Elf_Addr) (defobj->relocbase + def->st_value);
[vasanth] this is the point where we access defobj (NULL) and causes segmentation fault.
            }
            break;

I have received a core for rcp because of this issue. This issue was also
raised by some others on the list.

http://lists.freebsd.org/pipermail/freebsd-current/2004-February/021698.html

The following kernel messages were thrown when problem happened

Nov 12 21:16:50  marx1 login: LOGIN_INFORMATION: User regress logged in from host 192.168.64.68 on device ttyp0
Nov 12 21:16:50  marx1 su: regress to root on /dev/ttyp0
Nov 12 21:16:51  marx1 /kernel: BAD_PAGE_FAULT: pid 3484 (df), uid 0: pc 0x88100ea0 got a read fault at 0xc75aa65, x86 fault flags = 0x4
Nov 12 21:16:51  marx1 /kernel: Trapframe Register Dump:
Nov 12 21:16:51  marx1 /kernel: eax: 88143000	ecx: 0c75aa65	edx: 00000005	ebx: 8810f574
Nov 12 21:16:51  marx1 /kernel: esp: bfbfe930	ebp: bfbfe958	esi: 00000005	edi: 0c75aa55
Nov 12 21:16:51  marx1 /kernel: eip: 88100ea0	eflags: 00010206
Nov 12 21:16:51  marx1 /kernel: cs: 001f	ss: 002f	ds: 002f	es: 002f
Nov 12 21:16:51  marx1 /kernel: fs: 002f	trapno: 0000000c	err: 00000004
Nov 12 21:16:51  marx1 /kernel: Page table info for PC address 0x88100ea0: PDE = 0xbb94067, PTE = 28aad425
Nov 12 21:16:51  marx1 /kernel: Dumping 16 bytes starting at PC address 0x88100ea0:
Nov 12 21:16:51  marx1 /kernel: 83 7f 10 00 75 08 83 c1 04 83 39 00 74 f8 ba 01


>How-To-Repeat:
This problem is not always reproducible. 
>Fix:
Please provide the Fix for this issue.

>Release-Note:
>Audit-Trail:

From: "Remko Lodder" <remko@elvandar.org>
To: "Vasanth Rao Naik" <vasanth.raonaik@gmail.com>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: i386/118285: Segmentation fault in reloc_non_plt.
Date: Tue, 27 Nov 2007 16:02:40 +0100 (CET)

 Hello Vasanth,
 
 You mention that this happens on 4.11, does this also happen on
 -supported- freebsd releases? If not, I'll need to close the ticket since
 we are no longer supporting the 4.x branch nor do we intend to (there are
 individuals who are looking into this, but that is outside the scope of
 the official FreeBSD team).
 
 Thanks,
 remko
 
 -- 
 /"\   Best regards,                      | remko@FreeBSD.org
 \ /   Remko Lodder                       | remko@EFnet
  X    http://www.evilcoder.org/          |
 / \   ASCII Ribbon Campaign              | Against HTML Mail and News
 
 

From: "vasanth raonaik" <vasanth.raonaik@gmail.com>
To: remko@elvandar.org
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: i386/118285: Segmentation fault in reloc_non_plt.
Date: Wed, 28 Nov 2007 10:54:25 +0530

 Hello Remko,
 
 This issue which I am talking about has actually been seen in the FreeBSD 6.1
 release. There has not been much difference in the find_symdef() code, so I
 assumed it is happening from 4.11. Could you take a look at the issue?
 
 Thanks,
 Vasanth
 
Responsible-Changed-From-To: freebsd-i386->jhb 
Responsible-Changed-By: remko 
Responsible-Changed-When: Wed Jul 14 06:45:27 UTC 2010 
Responsible-Changed-Why:  
Hello John, would you like to have a look at this please? 

The submitter mentions that the following line causes a segfault when 
defobj is NULL. 

*where = (Elf_Addr) (defobj->relocbase + def->st_value); 

Could we add something like the following to see whether we hit a NULL 
and stop processing the bits and get back to the previous loop? 

if (defobj == NULL)	/* test the pointer itself: defobj->relocbase would fault when defobj is NULL */
	break; 

http://www.freebsd.org/cgi/query-pr.cgi?pr=118285 

From: John Baldwin <jhb@freebsd.org>
To: bug-followup@freebsd.org,
 vasanth.raonaik@gmail.com
Cc: Alexander Kabaev <kan@freebsd.org>,
 Konstantin Belousov <kib@freebsd.org>
Subject: Re: i386/118285: [i386] Segmentation fault in reloc_non_plt.
Date: Mon, 11 Oct 2010 14:13:32 -0400

 I've cc'd kan@ and kib@ who are probably more familiar with the kernel linker 
 bits than I am.
 
 -- 
 John Baldwin

From: Kostik Belousov <kostikbel@gmail.com>
To: John Baldwin <jhb@freebsd.org>
Cc: bug-followup@freebsd.org, vasanth.raonaik@gmail.com,
        Alexander Kabaev <kan@freebsd.org>,
        Konstantin Belousov <kib@freebsd.org>
Subject: Re: i386/118285: [i386] Segmentation fault in reloc_non_plt.
Date: Mon, 11 Oct 2010 23:03:29 +0300

 I do not remember such issue, and do not remember a commit that could
 be related to it.
 
 If you can reproduce the problem at will, add assertions to rtld code,
 checking that defobj is not NULL when def is not NULL. After you find
 the suspect, look how it could happen, possibly inserting similar
 assertions to the function that was called immediately before assert,
 and so on.
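
 As an added illustration, not part of this PR or of FreeBSD's rtld, here is a
 minimal C model of the R_386_GLOB_DAT step quoted in the description with the
 check Kostik describes: defobj is tested before it is dereferenced, and a
 lookup that yields def without defobj is reported instead of faulting.
 model_find_symdef, sample_obj and reloc_glob_dat are constructed stand-ins.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for the rtld types. Elf_Addr is 32-bit on i386;
 * uintptr_t is used here so the model runs on any host. */
typedef uintptr_t Elf_Addr;
typedef struct { Elf_Addr st_value; } Elf_Sym;
typedef struct { unsigned char *relocbase; } Obj_Entry;

/* Constructed sample object: one symbol at offset 0x40 of a 256-byte image. */
static unsigned char sample_image[0x100];
static Obj_Entry sample_obj = { sample_image };
static Elf_Sym sample_sym = { 0x40 };

/* Hypothetical stand-in for find_symdef(). With bad_lookup set it mimics the
 * reported failure: a non-NULL def paired with a NULL defining object. */
static const Elf_Sym *
model_find_symdef(const Obj_Entry **defobjp, int bad_lookup)
{
    *defobjp = bad_lookup ? NULL : &sample_obj;
    return &sample_sym;
}

/* The R_386_GLOB_DAT step with the invariant "def != NULL implies
 * defobj != NULL" checked before defobj is dereferenced. Returns 0 and
 * stores the resolved address, or -1 (leaving *where untouched) when the
 * lookup is inconsistent. */
int
reloc_glob_dat(Elf_Addr *where, int bad_lookup)
{
    const Elf_Sym *def;
    const Obj_Entry *defobj;

    def = model_find_symdef(&defobj, bad_lookup);
    if (def == NULL)
        return -1;                /* rtld's existing "goto done" path */
    if (defobj == NULL) {         /* the check missing in the quoted code */
        fprintf(stderr, "reloc_glob_dat: symbol defined but defobj is NULL\n");
        return -1;
    }
    *where = (Elf_Addr)(defobj->relocbase + def->st_value);
    return 0;
}

/* End-to-end self-checks: each returns 1 when the case behaves as intended. */
int bad_lookup_is_rejected(void) { Elf_Addr w = 0; return reloc_glob_dat(&w, 1) == -1 && w == 0; }
int good_lookup_resolves(void) { Elf_Addr w = 0; return reloc_glob_dat(&w, 0) == 0 && w == (Elf_Addr)(sample_image + 0x40); }
```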
Responsible-Changed-From-To: jhb->freebsd-bugs 
Responsible-Changed-By: jhb 
Responsible-Changed-When: Thu Jul 7 18:59:59 UTC 2011 
Responsible-Changed-Why:  
Toss this back into the public pool. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=118285 
>Unformatted:
