Message-Id: <200710080826.l988QeJg046386@www.freebsd.org>
Date: Mon, 8 Oct 2007 08:26:40 GMT
From: Vladimir Ermakov <samflanker@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [linuxolator] linux_getdents() get something like buffer overflow or else

>Number:         117010
>Category:       kern
>Synopsis:       [linux] linux_getdents() get something like buffer overflow or else
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-emulation
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Oct 08 08:30:01 GMT 2007
>Closed-Date:    Tue Sep 09 16:10:31 UTC 2008
>Last-Modified:  Mon Sep 22 20:30:01 UTC 2008
>Originator:     Vladimir Ermakov
>Release:        7.0-CURRENT
>Organization:
_
>Environment:
uname -a
FreeBSD damask 7.0-CURRENT FreeBSD 7.0-CURRENT #0: Wed Sep 12 17:04:55 SAMST 2007     root at localhost:/usr/obj/usr/src/sys/CS2  i386
>Description:

# su hlds -c "ktrace -i ./hlds_run -game cstrike +ip 0.0.0.0 +port 27015 +map de_dust -debug"
Auto detecting CPU
Using Pentium II Optimised binary.
Enabling debug mode
Auto-restarting the server on crash

Console initialized.
scandir failed:/usr/home/hlds/1.6/./platform/SAVE
Protocol version 47
Exe version 1.1.2.5/Stdio (cstrike)
Exe build: 20:02:49 Oct 24 2006 (3651)
STEAM Auth Server
couldn't exec language.cfg
Server IP address 0.0.0.0:27015
scandir failed:/usr/home/hlds/1.6/./platform/SAVE
*** glibc detected *** ./hlds_i686: double free or corruption (!prev): 0x08da3738 ***
======= Backtrace: =========
/lib/libc.so.6[0x2811ac88]
/lib/libc.so.6(cfree+0x90)[0x2811e230]
/lib/libc.so.6(closedir+0x28)[0x2813ecf8]
/lib/libc.so.6(scandir+0x14b)[0x2813f21b]
/usr/home/hlds/1.6/filesystem_stdio_i386.so(findFileInDirCaseInsensitive__FPCc+0xe4)[0x28af41d8]
/usr/home/hlds/1.6/filesystem_stdio_i386.so(FS_stat__17CFileSystem_StdioPCcP4stat+0x40)[0x28af861c]
/usr/home/hlds/1.6/filesystem_stdio_i386.so(FastFindFileSize__15CBaseFileSystemPCQ215CBaseFileSystem11CSearchPathPCc+0x17e)[0x28af572a]
/usr/home/hlds/1.6/filesystem_stdio_i386.so(Size__15CBaseFileSystemPCc+0x5b)[0x28af557b]
/usr/home/hlds/1.6/engine_i686.so(FS_FileSize+0x2a)[0x2828679e]
======= Memory map: ========
[memory map lines omitted]
Abort trap (core dumped)
debug.cmds:1: Error in sourced command file:
Previous frame inner to this frame (corrupt stack?)
email debug.log to linux at valvesoftware.com
Wed Sep 12 20:27:04 SAMST 2007: Server restart in 10 seconds
Wed Sep 12 20:27:06 SAMST 2007: Server Quit
#
===================================================

# uname -a
FreeBSD damask 7.0-CURRENT FreeBSD 7.0-CURRENT #0: Wed Sep 12 17:04:55 SAMST 2007     root at localhost:/usr/obj/usr/src/sys/CS2  i386

# sysctl compat
compat.linux.oss_version: 198144
compat.linux.osrelease: 2.6.16
compat.linux.osname: Linux

# kldstat
Id Refs Address    Size     Name
1   14 0xc0400000 3e6ee0   kernel
2    1 0xc07e7000 69514    acpi.ko
3    1 0xc3ddd000 7000     linprocfs.ko
4    2 0xc3de4000 21000    linux.ko
5    1 0xc3e0e000 3000     linsysfs.ko

# mount|grep linux
linprocfs on /usr/compat/linux/proc (linprocfs, local)
linsysfs on /usr/compat/linux/sys (linsysfs, local)

# pkg_info | grep linux
linux_base-fc6-6_3  Base set of packages needed in Linux mode (for i386/amd64)

[private links to debug.log & ktrace.out]

please send me a message after downloading these files (so I can remove them)


for a full description see these threads:
http://lists.freebsd.org/pipermail/freebsd-emulation/2007-August/003918.html
http://lists.freebsd.org/pipermail/freebsd-emulation/2007-September/003960.html
http://lists.freebsd.org/pipermail/freebsd-emulation/2007-September/004024.html

===========================================================================
On Thu, 13 Sep 2007 16:39:49 +0400 Boris Samorodov wrote:

> Just to note once more, that is for CURRENT and
> linux_base-fc6/2.6.16:

> > Here is the relevant kdump:
> > ftp://ftp.ipt.ru/pub/linux/hldc.kdump.txt

> And the corresponding dump for linux_base-fc4/2.6.16 (which works
> fine):
> ftp://ftp.ipt.ru/pub/linux/fc4.dump.txt

> You may easily notice the difference if open those urls at two tabs
> within your browser. ;-)

Some more info. If cstrike/sound/weapons is moved (ex. renamed) the
server loads fine.

I've done an RTFS and seen that linux_getdents and linux_getdents64
use different data structures. Linux_base-fc4 uses linux_getdents64
here and succeeds, while linux_base-fc6 does quite the opposite.

The directory cstrike/sound/weapons is the largest (165 files); other
directories are way smaller. It seems that linux_getdents() gets something
like a buffer overflow or else.

BTW, why does linux_base-fc6 use linux_getdents everywhere while
linux_base-fc4 uses linux_getdents64?


WBR
-- 
Boris Samorodov (bsam)
Research Engineer, http://www.ipt.ru Telephone & Internet SP
FreeBSD committer, http://www.FreeBSD.org The Power To Serve

http://lists.freebsd.org/pipermail/freebsd-emulation/2007-September/003965.html

>How-To-Repeat:
install Counter-Strike 1.6 server on FreeBSD
instruction http://weec.ovl.ru/csdivision/index.php?topic=552.0

# su games -c "./hlds_run -game cstrike +ip 0.0.0.0 +port 27015 +map de_dust"
>Fix:
_

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->rdivacky 
Responsible-Changed-By: remko 
Responsible-Changed-When: Mon Oct 8 08:32:39 UTC 2007 
Responsible-Changed-Why:  
Over to maintainer 

http://www.freebsd.org/cgi/query-pr.cgi?pr=117010 
Responsible-Changed-From-To: rdivacky->freebsd-emulation 
Responsible-Changed-By: remko 
Responsible-Changed-When: Mon Oct 8 08:57:40 UTC 2007 
Responsible-Changed-Why:  
Pav told me this could better go to emulation, make it happen 

http://www.freebsd.org/cgi/query-pr.cgi?pr=117010 

From: sam <samflanker@gmail.com>
To: bug-followup@FreeBSD.org,  samflanker@gmail.com
Cc:  
Subject: Re: kern/117010: [linuxolator] linux_getdents() get something like
 buffer overflow or else
Date: Fri, 26 Oct 2007 15:53:17 +0400

 installing Counter-Strike 1.6 (HLDS)
 http://www.cstrike-planet.com/tutorial/1-Linux-Install-CS-16/6
 

From: sam <samflanker@gmail.com>
To: bug-followup@FreeBSD.org,  samflanker@gmail.com
Cc:  
Subject: Re: kern/117010: truble in syscall linux_getdents()
Date: Wed, 02 Jan 2008 15:34:55 +0300

 program-test (experimental) for testing syscall linux_getdents()
 http://cs.udmvt.ru/files/temp/linux_dbg.tar.bz2
 includes:
 * temp/ - test_dir with files (special for crash situation)
 * linux_getdents.c - source of program-test
 * linux_getdents_static - binary exec file, statically compiled on Linux 
 Debian 4.0 Etch
 * linux_getdents_dynamic - binary exec file, dynamically compiled on 
 Linux Debian 4.0 Etch
 
 - test failed on systems: FreeBSD 6.3-PRERELEASE with port 
 linux_base-fc4, FreeBSD 8.0-CURRENT with port linux_base-fc4;
 - test passed on Linux Debian 4.0 Etch
 
 
 

From: John Baldwin <jhb@freebsd.org>
To: bug-followup@freebsd.org, samflanker@gmail.com
Cc:  
Subject: Re: kern/117010: [linuxolator] linux_getdents() get something like buffer overflow or else
Date: Mon, 7 Jan 2008 13:54:30 -0500

 I've looked at this and the Linux compat in FreeBSD uses the same structures 
 for the two getdents() calls that the Linux kernel uses.  It might be helpful 
 to modify the test program to save a copy of the directory and emit some 
 debug info when it changes (i.e. check it after each readdir() call and emit 
 hexdumps of the saved copy and changed one when it chokes along with hexdump 
 of the dirent perhaps).
 
 -- 
 John Baldwin

From: sam <samflanker@gmail.com>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/117010: [linuxolator] linux_getdents() get something like
 buffer overflow or else
Date: Wed, 19 Mar 2008 14:09:52 +0300

 kdump of starting HLDS on system FreeBSD 7.0-STABLE with development 
 version linux_base-f8 (includes glibc-2.7-2)
 NOTE: HLDS is started without problem
 linux_base-f8 is absent from the ports tree now
 
 --------------------------------------------------------------------------
  99717 hlds_i686 NAMI  "/compat/linux/usr/home/games/hlds/./cstrike/sound/weapons/reload1.wav"
  99717 hlds_i686 NAMI  "/usr/home/games/hlds/./cstrike/sound/weapons/reload1.wav"
  99717 hlds_i686 RET   linux_stat64 JUSTRETURN
  99717 hlds_i686 CALL  linux_open(-1078014336,624640,-1078014440)
  99717 hlds_i686 NAMI  "/compat/linux/usr/home/games/hlds/./cstrike/sound/weapons"
  99717 hlds_i686 NAMI  "/usr/home/games/hlds/./cstrike/sound/weapons"
  99717 hlds_i686 RET   linux_open 9
  99717 hlds_i686 CALL  linux_fstat64(9,-1078014548,1210134516)
  99717 hlds_i686 RET   linux_fstat64 0
  99717 hlds_i686 CALL  linux_fcntl64(9,2,1)
  99717 hlds_i686 RET   linux_fcntl64 0
  99717 hlds_i686 CALL  linux_getdents(9,148523424,4096)
  99717 hlds_i686 RET   linux_getdents 4096/0x1000
  99717 hlds_i686 CALL  linux_getdents(9,148523424,4096)
  99717 hlds_i686 RET   linux_getdents 444/0x1bc
  99717 hlds_i686 CALL  linux_getdents(9,148523424,4096)
  99717 hlds_i686 RET   linux_getdents 0
  99717 hlds_i686 CALL  close(9)
  99717 hlds_i686 RET   close 0
  99717 hlds_i686 CALL  linux_stat64(-1078014148,-1078014404,1210134516)
  99717 hlds_i686 NAMI  "/compat/linux/usr/home/games/hlds/./valve/sound/weapons/reload1.wav"
  99717 hlds_i686 NAMI  "/usr/home/games/hlds/./valve/sound/weapons/reload1.wav"
  99717 hlds_i686 RET   linux_stat64 JUSTRETURN
  99717 hlds_i686 CALL  linux_open(-1078014336,624640,-1078014440)
  99717 hlds_i686 NAMI  "/compat/linux/usr/home/games/hlds/./valve/sound/weapons"
  99717 hlds_i686 NAMI  "/usr/home/games/hlds/./valve/sound/weapons"
  99717 hlds_i686 RET   linux_open 9
  99717 hlds_i686 CALL  linux_fstat64(9,-1078014548,1210134516)
  99717 hlds_i686 RET   linux_fstat64 0
  99717 hlds_i686 CALL  linux_fcntl64(9,2,1)
  99717 hlds_i686 RET   linux_fcntl64 0
  99717 hlds_i686 CALL  linux_getdents(9,148523424,4096)
  99717 hlds_i686 RET   linux_getdents 28/0x1c
  99717 hlds_i686 CALL  linux_getdents(9,148523424,4096)
  99717 hlds_i686 RET   linux_getdents 0
  99717 hlds_i686 CALL  close(9)
  99717 hlds_i686 RET   close 0
  99717 hlds_i686 CALL  linux_stat64(-1078014148,-1078014404,1210134516)
  99717 hlds_i686 NAMI  "/compat/linux/usr/home/games/hlds/./platform/sound/weapons/reload1.wav"
  99717 hlds_i686 NAMI  "/usr/home/games/hlds/./platform/sound/weapons/reload1.wav"
  99717 hlds_i686 RET   linux_stat64 JUSTRETURN
 --------------------------------------------------------------------------
 
 On Thu, 13 Sep 2007 16:39:49 +0400 Boris Samorodov wrote:
 
 > Just to note once more, that is for CURRENT and
 > linux_base-fc6/2.6.16:
 
 > > Here is the relevant kdump:
 > > ftp://ftp.ipt.ru/pub/linux/hldc.kdump.txt
 
 HLDS crashes on start
 NOTE: linux_base-fc6 includes glibc-2.5-18
 
 Vladimir Ermakov

From: Chagin Dmitry <chagin.dmitry@gmail.com>
To: bug-followup@freebsd.org, samflanker@gmail.com
Cc:  
Subject: Re: kern/117010: [linux] linux_getdents() get something like buffer
 overflow
Date: Fri, 25 Jul 2008 10:22:46 +0400 (MSD)

 Please try the patch below:
 
 diff --git a/src/sys/compat/linux/linux_file.c b/src/sys/compat/linux/linux_file
 index 303bc3f..d88f95f 100644
 --- a/src/sys/compat/linux/linux_file.c
 +++ b/src/sys/compat/linux/linux_file.c
 @@ -303,8 +303,8 @@ struct l_dirent64 {
  	char            d_name[LINUX_NAME_MAX + 1];
   };
 
 -#define LINUX_RECLEN(de,namlen) \
 -    ALIGN((((char *)&(de)->d_name - (char *)de) + (namlen) + 1))
 +#define LINUX_RECLEN(de,namlen,trail) \
 +    ALIGN((((char *)&(de)->d_name - (char *)de) + (namlen) + trail))
 
   #define        LINUX_DIRBLKSIZ         512
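Review bot: the new `trail` argument is used unparenthesized (`+ trail`) while `namlen` is wrapped as `(namlen)`; write `+ (trail)` so that an expression passed as the third argument cannot change the evaluation. A one-line comment above the macro saying what `trail` accounts for (the NUL terminator, plus, for the plain getdents layout, the d_type byte stored in the last byte of the record) would also help, since the bare 1 and 2 at the call sites do not explain the asymmetry on their own.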
 
 @@ -436,8 +436,8 @@ again:
  		}
 
  		linuxreclen = (is64bit)
 -                   ? LINUX_RECLEN(&linux_dirent64, bdp->d_namlen)
 -                   : LINUX_RECLEN(&linux_dirent, bdp->d_namlen);
 +                   ? LINUX_RECLEN(&linux_dirent64, bdp->d_namlen, 1)
 +                   : LINUX_RECLEN(&linux_dirent, bdp->d_namlen, 2);
 
  		if (reclen > len || resid < linuxreclen) {
  			outp++;
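Review bot: the literals `1` and `2` in the two LINUX_RECLEN calls encode the layout difference between getdents64 and plain getdents; annotate them at the call site (e.g. `/* NUL */` and `/* NUL + d_type */`) or give them names, so the asymmetry is not later "fixed" as a typo. Also worth confirming in review that the code which later fills the record (not in this hunk) stores d_type at `linuxreclen - 1` and copies d_name with a bounded copy rather than strcpy; reserving the extra byte here is only half of the fix if the terminator can still be overwritten afterwards.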
 
 it solves the getdents() problem (at least on x86_64 emulation with 
 linux_base-f8)
 
 ps, be not bared, linux really has such features...
 thnx!
 
 -- 
 Have fun!
 chd

From: MITA Yoshio <mita@ee.t.u-tokyo.ac.jp>
To: bug-followup@FreeBSD.org,samflanker@gmail.com,
    Chagin Dmitry <chagin.dmitry@gmail.com>,
    beech@FreeBSD.org
Cc:  
Subject: Re: kern/117010: [linux] linux_getdents() get something like buffer overflow or else
Date: Sun, 07 Sep 2008 21:42:15 +0200

 Hello, 
 
 I've tested a patch from Mr. Dmitry concerning Mr. Ermakov's PR:
 
 http://www.freebsd.org/cgi/query-pr.cgi?pr=117010
 
 Patch:
 >From:	Chagin Dmitry <chagin.dmitry@gmail.com>
 >Date:	Fri, 25 Jul 2008 10:22:46 +0400 (MSD)
 
 This worked!!! It made skype2 work.
 Otherwise skype2 dumped core, as Mr. reported.
 
 Regards,
 -----
 Tested Environment: 
 FreeBSD 7.0-RELEASE
 linux_base-fc6-6_5
 linux-glib2-2.6.6
 skype-2.0.0.68,1 
 
 /etc/sysctl.conf:
 compat.linux.osrelease=2.6.16
 
 /etc/make.conf:
 OVERRIDE_LINUX_BASE_PORT=fc6 
 -----
 MITA Yoshio
State-Changed-From-To: open->closed 
State-Changed-By: rdivacky 
State-Changed-When: Tue Sep 9 16:07:44 UTC 2008 
State-Changed-Why:  
Fix committed in r182892. 


http://www.freebsd.org/cgi/query-pr.cgi?pr=117010 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/117010: commit references a PR
Date: Tue,  9 Sep 2008 16:00:49 +0000 (UTC)

 rdivacky    2008-09-09 16:00:17 UTC
 
   FreeBSD src repository
 
   Modified files:
     sys/compat/linux     linux_file.c 
   Log:
   SVN rev 182892 on 2008-09-09 16:00:17Z by rdivacky
   
   Getdents requires padding with 2 bytes instead of 1 byte
   as with getdents64. The last byte is used for storing
   the d_type, add this to plain getdents case where it was
   missing before. Also change the code to use strlcpy instead
   of plain strcpy. These changes fix the getdents crash we
   had reports about (hl2 server etc.)
   
   PR:             kern/117010
   MFC after:      1 week
   Submitted by:   Dmitry Chagin (dchagin@)
   Tested by:      MITA Yoshio <mita ee.t.u-tokyo.ac jp>
   Approved by:    kib (mentor)
   
   Revision  Changes    Path
   1.115     +54 -33    src/sys/compat/linux/linux_file.c
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
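The commit log above gives the reason for the two-byte trail; the following is an added example (not code from the linuxulator or from anyone in this PR) that models the i386 Linux plain-getdents record and shows why reserving a single trailing byte lets the d_type byte overwrite the name's NUL terminator for every name whose length is 1 mod 4, while the two-byte trail of the fix keeps both. The struct offsets, the 4-byte ALIGN and the sample file names are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define LINUX_NAME_MAX 255            /* Linux NAME_MAX (assumption) */
#define ALIGN4(x) (((x) + 3u) & ~3u)  /* kernel ALIGN() on i386 rounds to 4 */

/* Model of the 32-bit Linux plain getdents record (l_dirent in the linuxulator):
 * fixed header, NUL-terminated name, d_type stored in the record's last byte. */
struct l_dirent {
    uint32_t d_ino;
    uint32_t d_off;
    uint16_t d_reclen;
    char     d_name[LINUX_NAME_MAX + 1];
};
/* Record length as the patched LINUX_RECLEN(de, namlen, trail) computes it:
 * trail = 1 is the pre-patch value, trail = 2 the fix for plain getdents. */
static size_t reclen_for(size_t namlen, size_t trail)
{
    return ALIGN4(offsetof(struct l_dirent, d_name) + namlen + trail);
}

/* Fill one record as the compat layer does: copy the name with its NUL, then
 * store d_type in the last byte. Returns 1 if the terminator survived, 0 if
 * d_type overwrote it (d_name is no longer a C string), -1 if name too long. */
static int name_survives(const char *name, size_t trail, unsigned char d_type)
{
    struct l_dirent de;
    unsigned char *rec = (unsigned char *)&de;
    size_t namlen = strlen(name);
    size_t reclen = reclen_for(namlen, trail);
    if (namlen > LINUX_NAME_MAX || reclen > sizeof de)
        return -1;
    memset(&de, 0, sizeof de);
    de.d_reclen = (uint16_t)reclen;
    memcpy(de.d_name, name, namlen + 1);
    rec[reclen - 1] = d_type;         /* DT_REG == 8 for a regular file */
    return de.d_name[namlen] == '\0';
}

/* Entries of a listing that lose their terminator: with trail = 1 every name
 * whose length is 1 mod 4 (the header is 10 bytes), with trail = 2 none. */
static size_t count_clobbered(const char *const *names, size_t n, size_t trail)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (name_survives(names[i], trail, 8) == 0)
            bad++;
    return bad;
}
/* Constructed sample listing in the style of cstrike/sound/weapons. */
static const char *const sample_names[] = {
    "ak47-1.wav", "p90-1.wav", "357_cock1.wav", "reload1.wav", "c4_click.wav",
};
static const size_t sample_count = sizeof sample_names / sizeof sample_names[0];
```

Note that a d_type of 0 (DT_UNKNOWN) would hide the overwrite, which is one reason the defect only surfaces on filesystems and directories where regular files are reported with a real d_type.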
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/117010: commit references a PR
Date: Mon, 22 Sep 2008 20:20:10 +0000 (UTC)

 rdivacky    2008-09-22 20:19:54 UTC
 
   FreeBSD src repository
 
   Modified files:        (Branch: RELENG_7)
     sys/compat/linux     linux_file.c 
   Log:
   SVN rev 183278 on 2008-09-22 20:19:54Z by rdivacky
   
   Merge r182892 from head to stable/7; I had to manually
   change the code to include the "thread" argument to vn_lock(),
   which got removed in HEAD:
   
           Getdents requires padding with 2 bytes instead of 1 byte
           as with getdents64. The last byte is used for storing
           the d_type, add this to plain getdents case where it was
           missing before. Also change the code to use strlcpy instead
           of plain strcpy. These changes fix the getdents crash we
           had reports about (hl2 server etc.)
   
           PR:             kern/117010
           MFC after:      1 week
           Submitted by:   Dmitry Chagin (dchagin@)
           Tested by:      MITA Yoshio <mita ee.t.u-tokyo.ac jp>
           Approved by:    kib (mentor)
           Approved by:    re (kensmith)
   
   Revision   Changes    Path
   1.105.2.3  +54 -33    src/sys/compat/linux/linux_file.c
 
>Unformatted:
