NetBSD-Bugs archive


kern/39394: ld(4) can crash in some situations



>Number:         39394
>Category:       kern
>Synopsis:       ld(4) can crash in some situations
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Aug 23 11:30:00 +0000 2008
>Originator:     Juan RP
>Release:        Latest and greatest
>Organization:
Not NetBSD
>Environment:
NetBSD sasha 4.99.72 NetBSD 4.99.72 (MASTER) #0: Thu Aug 21 15:52:46 CEST 2008  
juan@sasha:/home/juan/build/amd64/obj/sys/arch/amd64/compile/MASTER amd64
>Description:
While working on new ataraid(4) metadata formats, I've encountered something 
interesting between the ld(4) frontends.

Let's take a look at the ataraid code in ld_ataraid.c:

struct ld_ataraid_softc {
        struct ld_softc sc_ld;

        struct ataraid_array_info *sc_aai;
        struct vnode *sc_vnodes[ATA_RAID_MAX_DISKS];

        void    (*sc_iodone)(struct buf *);
};

Here a "struct ld_softc" is provided within ataraid's softc... fine. Let's 
continue.

ld_ataraid_attach(device_t parent, device_t self, void *aux)
{
        struct ld_ataraid_softc *sc = device_private(self);
        struct ld_softc *ld = &sc->sc_ld;
        ...

Ok, we use a pointer for ld_softc that is using the struct that was specified 
in ataraid's softc. But a few lines later:

        if (ld->sc_start == NULL) {
                aprint_error_dev(&ld->sc_dv, "unsupported array type\n");
                return;
        }

So where is this struct device (ld->sc_dv) filled in? Nowhere.

Well, this part isn't noticed because the path isn't triggered in normal 
conditions. The part I noticed is the following:

ld_ataraid_attach() finishes by calling ldattach() with the ld_softc specified in 
ataraid's softc, so let's look at what happens now in ldattach():


        /* Initialise and attach the disk structure. */
        disk_init(&sc->sc_dk, device_xname(&sc->sc_dv), &lddkdriver);
        disk_attach(&sc->sc_dk);

As sc->sc_dv hasn't been specified, the name will be NULL... later, in 
ld_config_interrupts(), dkwedge_discover() is called looking at the dk_name 
member of the disk struct, and that ends with a NULL pointer deref causing a 
panic.

I hope my analysis has been clear enough.

>How-To-Repeat:

>Fix:
To confirm my analysis, the patch I created fixes this issue, but it only covers 
the ataraid(4) frontend (the one I'm interested in).

To fix the issue completely, all ld(4) frontends should be fixed as well.

Anyway here's my patch:

begin 644 ld_device_fix.diff
M26YD97@Z(&QD+F,*/3T]/3T]/3T]/3T]/3T]/3T]/3T]/3T]/3T]/3T]/3T]
M/3T]/3T]/3T]/3T]/3T]/3T]/3T]/3T]/3T]/3T]/3T]/0I20U,@9FEL93H@
M+V-V<W)O;W0O<W)C+W-Y<R]D978O;&0N8RQV"G)E=')I979I;F<@<F5V:7-I
M;VX@,2XV,@ID:69F("UB("UU("UR,2XV,B!L9"YC"BTM+2!L9"YC"3$Q($%U
M9R`R,#`X(#`V.C0S.C,W("TP,#`P"3$N-C(**RLK(&QD+F,),C,@075G(#(P
M,#@@,3`Z-3<Z,3$@+3`P,#`*0$`@+3$P,BPQ,B`K,3`R+#$R($!`"B`);75T
M97A?:6YI="@F<V,M/G-C7VUU=&5X+"!-551%6%]$149!54Q4+"!)4$Q?5DTI
M.PH@"B`):68@*"AS8RT^<V-?9FQA9W,@)B!,1$9?14Y!0DQ%1"D@/3T@,"D@
M>PHM"0EA<')I;G1?;F]R;6%L7V1E=B@F<V,M/G-C7V1V+"`B9&ES86)L961<
M;B(I.PHK"0EA<')I;G1?;F]R;6%L7V1E=BAS8RT^<V-?9'8L(")D:7-A8FQE
M9%QN(BD["B`)"7)E='5R;CL*(`E]"B`*(`DO*B!);FET:6%L:7-E(&%N9"!A
M='1A8V@@=&AE(&1I<VL@<W1R=6-T=7)E+B`J+PHM"61I<VM?:6YI="@F<V,M
M/G-C7V1K+"!D979I8V5?>&YA;64H)G-C+3YS8U]D=BDL("9L9&1K9')I=F5R
M*3L**PED:7-K7VEN:70H)G-C+3YS8U]D:RP@9&5V:6-E7WAN86UE*'-C+3YS
M8U]D=BDL("9L9&1K9')I=F5R*3L*(`ED:7-K7V%T=&%C:"@F<V,M/G-C7V1K
M*3L*(`H@"6EF("AS8RT^<V-?;6%X>&9E<B`^($U!6%!(65,I"D!`("TQ,SDL
M-R`K,3,Y+#@@0$`*(`H@"69O<FUA=%]B>71E<RAT8G5F+"!S:7IE;V8H=&)U
M9BDL('-C+3YS8U]S96-P97)U;FET("H*(`D@("`@<V,M/G-C7W-E8W-I>F4I
M.PHM"6%P<FEN=%]N;W)M86Q?9&5V*"9S8RT^<V-?9'8L("(E<RP@)60@8WEL
M+"`E9"!H96%D+"`E9"!S96,L("5D(&)Y=&5S+W-E8W0@>"`E(E!2274V-"(@
M<V5C=&]R<UQN(BP**PEA<')I;G1?;F]R;6%L7V1E=BAS8RT^<V-?9'8L"BL)
M("`@("(E<RP@)60@8WEL+"`E9"!H96%D+"`E9"!S96,L("5D(&)Y=&5S+W-E
M8W0@>"`E(E!2274V-"(@<V5C=&]R<UQN(BP*(`D@("`@=&)U9BP@<V,M/G-C
M7VYC>6QI;F1E<G,L('-C+3YS8U]N:&5A9',L"B`)("`@('-C+3YS8U]N<V5C
M=&]R<RP@<V,M/G-C7W-E8W-I>F4L('-C+3YS8U]S96-P97)U;FET*3L*(`I`
M0"`M,30W+#$Y("LQ-#@L,3D@0$`*(`H@(VEF($Y23D0@/B`P"B`)+RH@071T
M86-H('1H92!D979I8V4@:6YT;R!T:&4@<FYD('-O=7)C92!L:7-T+B`J+PHM
M"7)N9%]A='1A8VA?<V]U<F-E*"9S8RT^<V-?<FYD7W-O=7)C92P@9&5V:6-E
M7WAN86UE*"9S8RT^<V-?9'8I+`HK"7)N9%]A='1A8VA?<V]U<F-E*"9S8RT^
M<V-?<FYD7W-O=7)C92P@9&5V:6-E7WAN86UE*'-C+3YS8U]D=BDL"B`)("`@
M(%).1%]465!%7T1)4TLL(#`I.PH@(V5N9&EF"B`*(`DO*B!296=I<W1E<B!W
M:71H(%!-1B`J+PHM"6EF("@A<&UF7V1E=FEC95]R96=I<W1E<C$H)G-C+3YS
M8U]D=BP@3E5,3"P@3E5,3"P@;&1?<VAU=&1O=VXI*0HM"0EA<')I;G1?97)R
M;W)?9&5V*"9S8RT^<V-?9'8L"BL):68@*"%P;69?9&5V:6-E7W)E9VES=&5R
M,2AS8RT^<V-?9'8L($Y53$PL($Y53$PL(&QD7W-H=71D;W=N*2D**PD)87!R
M:6YT7V5R<F]R7V1E=BAS8RT^<V-?9'8L"B`)"2`@("`B8V]U;&1N)W0@97-T
M86)L:7-H('!O=V5R(&AA;F1L97)<;B(I.PH@"B`)8G5F<5]A;&QO8R@F<V,M
M/G-C7V)U9G$L($)51E%?1$E32U]$149!54Q47U-44D%4+"!"54917U-/4E1?
M4D%70DQ/0TLI.PH@"B`)+RH@1&ES8V]V97(@=V5D9V5S(&]N('1H:7,@9&ES
M:RX@*B\*+0EC;VYF:6=?:6YT97)R=7!T<R@F<V,M/G-C7V1V+"!L9%]C;VYF
M:6=?:6YT97)R=7!T<RD["BL)8V]N9FEG7VEN=&5R<G5P=',H<V,M/G-C7V1V
M+"!L9%]C;VYF:6=?:6YT97)R=7!T<RD["B!]"B`*(&EN=`I`0"`M,C$P+#<@
M*S(Q,2PW($!`"B`)+RH@5V%I="!F;W(@8V]M;6%N9',@<75E=65D('=I=&@@
M=&AE(&AA<F1W87)E('1O(&-O;7!L971E+B`J+PH@"6EF("AS8RT^<V-?<75E
M=65C;G0@(3T@,"D*(`D):68@*'1S;&5E<"@F<V,M/G-C7W%U975E8VYT+"!0
M4DE"24\L(")L9&1T8V@B+"`S,"`J(&AZ*2D*+0D)"7!R:6YT9B@B)7,Z(&YO
M="!D<F%I;F5D7&XB+"!D979I8V5?>&YA;64H)G-C+3YS8U]D=BDI.PHK"0D)
M<')I;G1F*"(E<SH@;F]T(&1R86EN961<;B(L(&1E=FEC95]X;F%M92AS8RT^
M<V-?9'8I*3L*(`H@"2\J($QO8V%T92!T:&4@;6%J;W(@;G5M8F5R<RX@*B\*
M(`EB;6%J(#T@8F1E=G-W7VQO;VMU<%]M86IO<B@F;&1?8F1E=G-W*3L*0$`@
M+3(R-2PW("LR,C8L-R!`0`H@"B`)+RH@3G5K92!T:&4@=FYO9&5S(&9O<B!A
M;GD@;W!E;B!I;G-T86YC97,N("HO"B`)9F]R("AI(#T@,#L@:2`\($U!6%!!
M4E1)5$E/3E,[(&DK*RD@>PHM"0EM;B`]($1)4TM-24Y/4BAD979I8V5?=6YI
M="@F<V,M/G-C7V1V*2P@:2D["BL)"6UN(#T@1$E32TU)3D]2*&1E=FEC95]U
M;FET*'-C+3YS8U]D=BDL(&DI.PH@"0EV9&5V9V]N92AB;6%J+"!M;BP@;6XL
M(%9"3$LI.PH@"0EV9&5V9V]N92AC;6%J+"!M;BP@;6XL(%9#2%(I.PH@"7T*
M0$`@+3(T,RPW("LR-#0L-R!`0`H@(V5N9&EF"B`*(`DO*B!$97)E9VES=&5R
M('=I=&@@4$U&("HO"BT)<&UF7V1E=FEC95]D97)E9VES=&5R*"9S8RT^<V-?
M9'8I.PHK"7!M9E]D979I8V5?9&5R96=I<W1E<BAS8RT^<V-?9'8I.PH@"B`)
M+RH*(`D@*B!86%@@5V4@8V%N)W0@<F5A;&QY(&9L=7-H('1H92!C86-H92!H
M97)E+"!B96-E875S92!T:&4*0$`@+3(U-"PW("LR-34L-R!`0`H@"2\J($9L
M=7-H('1H92!D979I8V4G<R!C86-H92X@*B\*(`EI9B`H<V,M/G-C7V9L=7-H
M("$]($Y53$PI"B`)"6EF("@H*G-C+3YS8U]F;'5S:"DH<V,L(#`I("$](#`I
M"BT)"0EA<')I;G1?97)R;W)?9&5V*"9S8RT^<V-?9'8L(")U;F%B;&4@=&\@
M9FQU<V@@8V%C:&5<;B(I.PHK"0D)87!R:6YT7V5R<F]R7V1E=BAS8RT^<V-?
M9'8L(")U;F%B;&4@=&\@9FQU<V@@8V%C:&5<;B(I.PH@(V5N9&EF"B`);75T
M97A?9&5S=')O>2@F<V,M/G-C7VUU=&5X*3L*('T*0$`@+3,T-BPW("LS-#<L
M-R!`0`H@"B`):68@*'-C+3YS8U]D:RYD:U]O<&5N;6%S:R`]/2`P*2!["B`)
M"6EF("AS8RT^<V-?9FQU<V@@(3T@3E5,3"`F)B`H*G-C+3YS8U]F;'5S:"DH
M<V,L(#`I("$](#`I"BT)"0EA<')I;G1?97)R;W)?9&5V*"9S8RT^<V-?9'8L
M(")U;F%B;&4@=&\@9FQU<V@@8V%C:&5<;B(I.PHK"0D)87!R:6YT7V5R<F]R
M7V1E=BAS8RT^<V-?9'8L(")U;F%B;&4@=&\@9FQU<V@@8V%C:&5<;B(I.PH@
M"0EI9B`H*'-C+3YS8U]F;&%G<R`F($Q$1E]+3$%"14PI(#T](#`I"B`)"0ES
M8RT^<V-?9FQA9W,@)CT@?DQ$1E]63$%"14P["B`)?0I`0"`M-3`P+#<@*S4P
M,2PW($!`"B`)"0ER971U<FX@*$5"041&*3L*(`H@"0DO*B!)9B!T:&4@:6]C
M=&P@:&%P<&5N<R!H97)E+"!T:&4@<&%R96YT(&ES('5S+B`J+PHM"0ES=')L
M8W!Y*&1K=RT^9&MW7W!A<F5N="P@9&5V:6-E7WAN86UE*"9S8RT^<V-?9'8I
M+`HK"0ES=')L8W!Y*&1K=RT^9&MW7W!A<F5N="P@9&5V:6-E7WAN86UE*'-C
M+3YS8U]D=BDL"B`)"0ES:7IE;V8H9&MW+3YD:W=?<&%R96YT*2D["B`)"7)E
M='5R;B`H9&MW961G95]A9&0H9&MW*2D["B`)("`@('T*0$`@+34Q,RPW("LU
M,30L-R!`0`H@"0D)<F5T=7)N("A%0D%$1BD["B`*(`D)+RH@268@=&AE(&EO
M8W1L(&AA<'!E;G,@:&5R92P@=&AE('!A<F5N="!I<R!U<RX@*B\*+0D)<W1R
M;&-P>2AD:W<M/F1K=U]P87)E;G0L(&1E=FEC95]X;F%M92@F<V,M/G-C7V1V
M*2P**PD)<W1R;&-P>2AD:W<M/F1K=U]P87)E;G0L(&1E=FEC95]X;F%M92AS
M8RT^<V-?9'8I+`H@"0D)<VEZ96]F*&1K=RT^9&MW7W!A<F5N="DI.PH@"0ER
M971U<FX@*&1K=V5D9V5?9&5L*&1K=RDI.PH@"2`@("!]"D!`("TW-34L,3`@
M*S<U-BPQ,"!`0`H@"6QD9V5T9&5F875L=&QA8F5L*'-C+"!S8RT^<V-?9&LN
M9&M?;&%B96PI.PH@"B`)+RH@0V%L;"!T:&4@9V5N97)I8R!D:7-K;&%B96P@
M97AT<F%C=&EO;B!R;W5T:6YE+B`J+PHM"65R<G-T<FEN9R`](')E861D:7-K
M;&%B96PH34%+141)4TM$158H,"P@9&5V:6-E7W5N:70H)G-C+3YS8U]D=BDL
M"BL)97)R<W1R:6YG(#T@<F5A9&1I<VML86)E;"A-04M%1$E32T1%5B@P+"!D
M979I8V5?=6YI="AS8RT^<V-?9'8I+`H@"2`@("!205=?4$%25"DL(&QD<W1R
M871E9WDL('-C+3YS8U]D:RYD:U]L86)E;"P@<V,M/G-C7V1K+F1K7V-P=6QA
M8F5L*3L*(`EI9B`H97)R<W1R:6YG("$]($Y53$PI"BT)"7!R:6YT9B@B)7,Z
M("5S7&XB+"!D979I8V5?>&YA;64H)G-C+3YS8U]D=BDL(&5R<G-T<FEN9RD[
M"BL)"7!R:6YT9B@B)7,Z("5S7&XB+"!D979I8V5?>&YA;64H<V,M/G-C7V1V
M*2P@97)R<W1R:6YG*3L*(`H@"2\J($EN+6-O<F4@;&%B96P@;F]W('9A;&ED
M+B`J+PH@"7-C+3YS8U]F;&%G<R!\/2!,1$9?5DQ!0D5,.PI`0"`M.#DY+#<@
M*SDP,"PW($!`"B`)<')O<%]D:6-T:6]N87)Y7W-E="AD:7-K7VEN9F\L(")G
M96]M971R>2(L(&=E;VTI.PH@"7!R;W!?;V)J96-T7W)E;&5A<V4H9V5O;2D[
M"B`*+0EP<F]P7V1I8W1I;VYA<GE?<V5T*&1E=FEC95]P<F]P97)T:65S*"9L
M9"T^<V-?9'8I+`HK"7!R;W!?9&EC=&EO;F%R>5]S970H9&5V:6-E7W!R;W!E
M<G1I97,H;&0M/G-C7V1V*2P*(`D@("`@(F1I<VLM:6YF;R(L(&1I<VM?:6YF
M;RD["B`*(`DO*@I);F1E>#H@;&1V87(N:`H]/3T]/3T]/3T]/3T]/3T]/3T]
M/3T]/3T]/3T]/3T]/3T]/3T]/3T]/3T]/3T]/3T]/3T]/3T]/3T]/3T]/3T]
M/3T]"E)#4R!F:6QE.B`O8W9S<F]O="]S<F,O<WES+V1E=B]L9'9A<BYH+'8*
M<F5T<FEE=FEN9R!R979I<VEO;B`Q+C$T"F1I9F8@+6(@+74@+7(Q+C$T(&QD
M=F%R+F@*+2TM(&QD=F%R+F@),3$@075G(#(P,#@@,#8Z-#,Z,S<@+3`P,#`)
M,2XQ-`HK*RL@;&1V87(N:`DR,R!!=6<@,C`P."`Q,#HU-SHQ,2`M,#`P,`I`
M0"`M,S4L-R`K,S4L-R!`0`H@(VEN8VQU9&4@/'-Y<R]M=71E>"YH/@H@"B!S
M=')U8W0@;&1?<V]F=&,@>PHM"7-T<G5C=`ED979I8V4@<V-?9'8["BL)<W1R
M=6-T"61E=FEC92`J<V-?9'8["B`)<W1R=6-T"61I<VL@<V-?9&L["B`)<W1R
M=6-T"6)U9G%?<W1A=&4@*G-C7V)U9G$["B`):VUU=&5X7W0@<V-?;75T97@[
M"DEN9&5X.B!A=&$O;&1?871A<F%I9"YC"CT]/3T]/3T]/3T]/3T]/3T]/3T]
M/3T]/3T]/3T]/3T]/3T]/3T]/3T]/3T]/3T]/3T]/3T]/3T]/3T]/3T]/3T]
M/3T*4D-3(&9I;&4Z("]C=G-R;V]T+W-R8R]S>7,O9&5V+V%T82]L9%]A=&%R
M86ED+F,L=@IR971R:65V:6YG(')E=FES:6]N(#$N,C<*9&EF9B`M8B`M=2`M
M<C$N,C<@;&1?871A<F%I9"YC"BTM+2!A=&$O;&1?871A<F%I9"YC"30@36%Y
M(#(P,#@@,3,Z-3DZ-#$@+3`P,#`),2XR-PHK*RL@871A+VQD7V%T87)A:60N
M8PDR,R!!=6<@,C`P."`Q,#HU-SHQ,B`M,#`P,`I`0"`M,3,P+#8@*S$S,"PX
M($!`"B`)8VAA<B!U;FML979;,S)=.PH@"75?:6YT(&D["B`**PEL9"T^<V-?
M9'8@/2!S96QF.PHK"B`):68@*&QD7V%T87)A:61?:6YI=&EA;&EZ960@/3T@
M,"D@>PH@"0EL9%]A=&%R86ED7VEN:71I86QI>F5D(#T@,3L*(`D)<&]O;%]I
M;FET*"9L9%]A=&%R86ED7V-B=69P;"P@<VEZ96]F*'-T<G5C="!C8G5F*2P@
M,"P*0$`@+3$X,"PW("LQ.#(L-R!`0`H@"2`@("!A=&%?<F%I9%]T>7!E7VYA
M;64H86%I+3YA86E?='EP92DL(&QE=F5L*3L*(`H@"6EF("AL9"T^<V-?<W1A
M<G0@/3T@3E5,3"D@>PHM"0EA<')I;G1?97)R;W)?9&5V*"9L9"T^<V-?9'8L
M(")U;G-U<'!O<G1E9"!A<G)A>2!T>7!E7&XB*3L**PD)87!R:6YT7V5R<F]R
M7V1E=BAL9"T^<V-?9'8L(")U;G-U<'!O<G1E9"!A<G)A>2!T>7!E7&XB*3L*
M(`D)<F5T=7)N.PH@"7T*(`I`0"`M-#<R+#<@*S0W-"PW($!`"B`)"6%D:2T^
M861I7W-T871U<R`F/2!^041)7U-?3TY,24Y%.PH@"B`)"7!R:6YT9B@B)7,Z
M(&5R<F]R("5D(&]N(&-O;7!O;F5N="`E9"`H)7,I7&XB+`HM"0D@("`@9&5V
M:6-E7WAN86UE*"9S8RT^<V-?;&0N<V-?9'8I+"!B<"T^8E]E<G)O<BP@8V)P
M+3YC8E]C;VUP+`HK"0D@("`@9&5V:6-E7WAN86UE*'-C+3YS8U]L9"YS8U]D
M=BDL(&)P+3YB7V5R<F]R+"!C8G`M/F-B7V-O;7`L"B`)"2`@("!D979I8V5?
>>&YA;64H861I+3YA9&E?9&5V*2D["B`*(`D)+RH*
`
end
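The mechanism behind the PR, as an added standalone example (not NetBSD code and not the submitter's patch): `struct device`, `device_t`, `device_private()` and `device_xname()` below are simplified stand-ins for the autoconf API, and `dv_xname` is modelled as a pointer (the kernel keeps a char array) so that an embedded, never-initialised `struct device` yields a NULL name, which is the condition the report describes. `ldattach_old`/`ldattach_new` stand in for ldattach() plus disk_init(), and `discover_old`/`discover_new` for the dk_name consumer, returning -1 where the real dkwedge_discover() would dereference NULL. The point shown is that `device_private(self)` and `&ld->sc_dv` are two different objects under the embedded layout, and that a one-line `ld->sc_dv = self` after switching the member to a pointer makes the two agree.

```c
#include <stddef.h>
#include <string.h>

/* Simplified stand-ins for the autoconf API (assumptions, not the kernel's
 * definitions). dv_xname is a pointer here so that a zero-filled, embedded
 * struct device produces a NULL name, as in the PR. */
struct device {
    const char *dv_xname;
    void       *dv_private;
};
typedef struct device *device_t;

static void *device_private(device_t dev) { return dev->dv_private; }
static const char *device_xname(device_t dev) { return dev->dv_xname; }

/* Before the fix: ld_softc embeds its own struct device. */
struct ld_softc_old {
    struct device sc_dv;        /* a separate object nobody fills in */
    const char   *sc_dk_name;   /* what disk_init() would record as dk_name */
};

/* After the fix: ld_softc points at the device_t autoconf allocated. */
struct ld_softc_new {
    device_t      sc_dv;        /* set to `self` by the frontend */
    const char   *sc_dk_name;
};

/* Frontend softcs embed ld_softc as their first member, as ld_ataraid does. */
struct frontend_old { struct ld_softc_old sc_ld; int sc_ndisks; };
struct frontend_new { struct ld_softc_new sc_ld; int sc_ndisks; };

/* Stand-in for ldattach() + disk_init(): record the name ld(4) believes it has. */
static void ldattach_old(struct ld_softc_old *sc)
{
    sc->sc_dk_name = device_xname(&sc->sc_dv);   /* reads the embedded copy */
}
static void ldattach_new(struct ld_softc_new *sc)
{
    sc->sc_dk_name = device_xname(sc->sc_dv);    /* reads the real device_t */
}

/* Stand-in for the dk_name consumer (dkwedge_discover): length of the name,
 * or -1 where the kernel would have dereferenced NULL. */
static int discover_old(const struct ld_softc_old *sc)
{
    return sc->sc_dk_name == NULL ? -1 : (int)strlen(sc->sc_dk_name);
}
static int discover_new(const struct ld_softc_new *sc)
{
    return sc->sc_dk_name == NULL ? -1 : (int)strlen(sc->sc_dk_name);
}

/* Old-style frontend attach: takes its softc from device_private(self) but
 * never touches ld->sc_dv, so ldattach sees an empty device. Returns -1. */
int attach_old(void)
{
    struct frontend_old fsc;
    memset(&fsc, 0, sizeof fsc);                 /* autoconf zero-fills softcs */
    struct device dev = { "ld0", &fsc };         /* the device_t autoconf owns */
    device_t self = &dev;

    struct frontend_old *sc = device_private(self);
    struct ld_softc_old *ld = &sc->sc_ld;
    ldattach_old(ld);
    return discover_old(ld);
}

/* Fixed frontend attach: the pointer member plus `ld->sc_dv = self`.
 * Returns 3, the length of "ld0". */
int attach_new(void)
{
    struct frontend_new fsc;
    memset(&fsc, 0, sizeof fsc);
    struct device dev = { "ld0", &fsc };
    device_t self = &dev;

    struct frontend_new *sc = device_private(self);
    struct ld_softc_new *ld = &sc->sc_ld;
    ld->sc_dv = self;                            /* the fix */
    ldattach_new(ld);
    return discover_new(ld);
}

/* Shows that the embedded struct device is not the device_t autoconf handed
 * to attach: the two addresses differ. Returns 0. */
int embedded_dv_is_self(void)
{
    struct frontend_old fsc;
    memset(&fsc, 0, sizeof fsc);
    struct device dev = { "ld0", &fsc };
    struct frontend_old *sc = device_private(&dev);
    return (device_t)&sc->sc_ld.sc_dv == &dev;
}
```

The check a frontend author wants is the one `attach_new` makes explicit: every ld(4) frontend that obtains its softc through `device_private(self)` must hand `self` back to the shared `ld_softc` before calling ldattach(), otherwise the generic layer names the disk from an object that autoconf never initialised.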
