NetBSD-Bugs archive


Re: kern/41494



On Wed, May 27, 2009 at 02:15:04PM +0000, Antti Kantee wrote:
[...]
>  I don't really have a clue as to what is going wrong.  Any chance you
>  could provide a stack backtrace and/or run mount_sysctlfs with
>  "mount_sysctlfs -o dump flop /sys" and copypaste the output?
>  Also, what does "sysctl net.inet.ip.forwarding" show?

I can reproduce it on my -current amd64 machines ... with some other
nodes such as `kern.ostype':

njoly@lanfeust [~]> sudo mount_sysctlfs -o dump sysctlfs /mnt
        reqid: 0, opclass 2, optype: PUFFS_VN_LOOKUP, cookie: 0x7f7ffd601100,
                aux: 0x7f7ffd611038, auxlen: 1224, pid: 3990, lwpid: 1
                puffs_cn: "kern", len 4 op LOOKUP (flags 0x84054)
                since previous call: 1243435876.732998
                new node 0x7f7ffd601200, type 0x2,
                size 0x0, dev 0x0
        RV reqid: 0, result: 0 
        reqid: 1, opclass 2, optype: PUFFS_VN_LOOKUP, cookie: 0x7f7ffd601200,
                aux: 0x7f7ffd617038, auxlen: 1224, pid: 3990, lwpid: 1
                puffs_cn: "ostype", len 6 op LOOKUP (flags 0xc054)
                since previous call: 0.000256
                new node 0x7f7ffd601300, type 0x1,
                size 0x0, dev 0x0
        RV reqid: 1, result: 0 
        reqid: 2, opclass 2, optype: PUFFS_VN_READ, cookie: 0x7f7ffd601300,
                aux: 0x7f7ffd617038, auxlen: 4264, pid: 3990, lwpid: 1
                offset: 0, resid 4096, ioflag 0x0
                since previous call: 0.000311
                resid after op: 4089
        RV reqid: 2, result: 0 
        reqid: 3, opclass 2, optype: PUFFS_VN_READ, cookie: 0x7f7ffd601300,
                aux: 0x7f7ffd617038, auxlen: 4264, pid: 3990, lwpid: 1
                offset: 7, resid 4096, ioflag 0x0
                since previous call: 0.000211
                resid after op: 0
        RV reqid: 3, result: 0 
        reqid: 4, opclass 2, optype: PUFFS_VN_READ, cookie: 0x7f7ffd601300,
                aux: 0x7f7ffd617038, auxlen: 4264, pid: 3990, lwpid: 1
                offset: 4103, resid 4096, ioflag 0x0
                since previous call: 0.000497
                resid after op: 0
        RV reqid: 4, result: 0 
        reqid: 5, opclass 2, optype: PUFFS_VN_READ, cookie: 0x7f7ffd601300,
                aux: 0x7f7ffd617038, auxlen: 4264, pid: 3990, lwpid: 1
                offset: 8199, resid 4096, ioflag 0x0
                since previous call: 0.000478
zsh: segmentation fault (core dumped)  sudo  -o dump sysctlfs /mnt

For some reason the offset value in sysctlfs_node_read() exceeds the
localbuf buffer size, leading to an out-of-bounds access with
memcpy...

njoly@lanfeust [~]> gdb mount_sysctlfs mount_sysctlfs.core
GNU gdb 6.5
Copyright (C) 2006 Free Software Foundation, Inc.
[...]
Program terminated with signal 11, Segmentation fault.
#0  0x0000000000402eed in sysctlfs_node_read (pu=0x7f7ffd605800, 
    opc=0x7f7ffd601300, buf=0x7f7ffd6170a4 "", offset=8199, 
    resid=0x7f7ffd617098, pcr=0x7f7ffd617038, ioflag=0)
    at /local/src/NetBSD/src/usr.sbin/puffs/mount_sysctlfs/sysctlfs.c:635
635             memcpy(buf, localbuf + offset, xfer);
(gdb) p localbuf
$1 = "NetBSD", '\0' <repeats 8185 times>
(gdb) p offset
$2 = 8199
(gdb) p sizeof(localbuf)
$3 = 8192
(gdb) p xfer
$4 = 4096

-- 
Nicolas Joly

Biological Software and Databanks.
Institut Pasteur, Paris.
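An added C example, not code from this thread or from mount_sysctlfs itself: a hypothetical read handler with the same parameter shape as the sysctlfs_node_read() frame above, with the bounds check the trace shows is missing, replayed against a constructed 8192-byte buffer holding "NetBSD\n" and the offsets from the dump (0, 7, 4103, 8199). The names bounded_node_read and replay_read are assumptions; the real handler's length computation is not on the page, so the example treats the buffer size as the upper limit.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the 8192-byte localbuf shown in the gdb session. */
#define LOCALBUF_SIZE 8192

/*
 * Hypothetical read handler (buf, offset, resid as in the backtrace).
 * datalen is the number of valid bytes in localbuf. Returns the bytes
 * copied and decrements *resid by that amount; a request at or past
 * the end copies nothing instead of reading beyond the buffer.
 */
size_t bounded_node_read(char *buf, size_t offset, size_t *resid,
                         const char *localbuf, size_t datalen)
{
    size_t avail, xfer;
    if (datalen > LOCALBUF_SIZE)
        datalen = LOCALBUF_SIZE;   /* never let the length exceed the buffer */
    if (offset >= datalen)
        return 0;                  /* EOF: offset 8199 in the trace lands here */
    avail = datalen - offset;      /* bytes actually left after offset */
    xfer = *resid < avail ? *resid : avail;  /* clamp, unlike a bare 4096 */
    memcpy(buf, localbuf + offset, xfer);
    *resid -= xfer;
    return xfer;
}

/*
 * Replay one trace request (resid 4096) against a constructed buffer
 * holding "NetBSD\n" followed by zeros, as gdb printed localbuf.
 * Returns the number of bytes the bounded handler copied.
 */
size_t replay_read(size_t offset, size_t datalen)
{
    static char localbuf[LOCALBUF_SIZE] = "NetBSD\n";  /* constructed */
    char out[4096];
    size_t resid = sizeof(out);
    return bounded_node_read(out, offset, &resid, localbuf, datalen);
}

int main(void)
{
    size_t offsets[] = { 0, 7, 4103, 8199 };   /* offsets from the trace */

    for (size_t i = 0; i < 4; i++)
        printf("offset %zu -> copied %zu bytes\n",
               offsets[i], replay_read(offsets[i], LOCALBUF_SIZE));
    return 0;
}
```

With the buffer size as the limit, offset 4103 yields 4089 bytes rather than 4096 and offset 8199 yields 0, which is exactly where the unchecked memcpy in the backtrace faulted.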

