NetBSD-Bugs archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: kern/41494
The following reply was made to PR bin/41494; it has been noted by GNATS.
From: Nicolas Joly <njoly%pasteur.fr@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc: gnats-admin%netbsd.org@localhost, netbsd-bugs%netbsd.org@localhost,
a%zhtw.org.ru@localhost
Subject: Re: kern/41494
Date: Wed, 27 May 2009 17:23:01 +0200
On Wed, May 27, 2009 at 02:15:04PM +0000, Antti Kantee wrote:
[...]
> I don't really have a clue as to what is going wrong. Any chance you
> could provide a stack backtrace and/or run mount_sysctlfs with
> "mount_sysctlfs -o dump flop /sys" and copypaste the output?
> Also, what does "sysctl net.inet.ip.forwarding" show?
I can reproduce it on my -current amd64 machines ... with some other
nodes such as `kern.ostype':
njoly@lanfeust [~]> sudo mount_sysctlfs -o dump sysctlfs /mnt
reqid: 0, opclass 2, optype: PUFFS_VN_LOOKUP, cookie: 0x7f7ffd601100,
aux: 0x7f7ffd611038, auxlen: 1224, pid: 3990, lwpid: 1
puffs_cn: "kern", len 4 op LOOKUP (flags 0x84054)
since previous call: 1243435876.732998
new node 0x7f7ffd601200, type 0x2,
size 0x0, dev 0x0
RV reqid: 0, result: 0
reqid: 1, opclass 2, optype: PUFFS_VN_LOOKUP, cookie: 0x7f7ffd601200,
aux: 0x7f7ffd617038, auxlen: 1224, pid: 3990, lwpid: 1
puffs_cn: "ostype", len 6 op LOOKUP (flags 0xc054)
since previous call: 0.000256
new node 0x7f7ffd601300, type 0x1,
size 0x0, dev 0x0
RV reqid: 1, result: 0
reqid: 2, opclass 2, optype: PUFFS_VN_READ, cookie: 0x7f7ffd601300,
aux: 0x7f7ffd617038, auxlen: 4264, pid: 3990, lwpid: 1
offset: 0, resid 4096, ioflag 0x0
since previous call: 0.000311
resid after op: 4089
RV reqid: 2, result: 0
reqid: 3, opclass 2, optype: PUFFS_VN_READ, cookie: 0x7f7ffd601300,
aux: 0x7f7ffd617038, auxlen: 4264, pid: 3990, lwpid: 1
offset: 7, resid 4096, ioflag 0x0
since previous call: 0.000211
resid after op: 0
RV reqid: 3, result: 0
reqid: 4, opclass 2, optype: PUFFS_VN_READ, cookie: 0x7f7ffd601300,
aux: 0x7f7ffd617038, auxlen: 4264, pid: 3990, lwpid: 1
offset: 4103, resid 4096, ioflag 0x0
since previous call: 0.000497
resid after op: 0
RV reqid: 4, result: 0
reqid: 5, opclass 2, optype: PUFFS_VN_READ, cookie: 0x7f7ffd601300,
aux: 0x7f7ffd617038, auxlen: 4264, pid: 3990, lwpid: 1
offset: 8199, resid 4096, ioflag 0x0
since previous call: 0.000478
zsh: segmentation fault (core dumped) sudo -o dump sysctlfs /mnt
For some reason the offset value in sysctlfs_node_read() exceed the
localbuf buffer size, leading to an out-of-bound access with
memcopy...
njoly@lanfeust [~]> gdb mount_sysctlfs mount_sysctlfs.core
GNU gdb 6.5
Copyright (C) 2006 Free Software Foundation, Inc.
[...]
Program terminated with signal 11, Segmentation fault.
#0 0x0000000000402eed in sysctlfs_node_read (pu=0x7f7ffd605800,
opc=0x7f7ffd601300, buf=0x7f7ffd6170a4 "", offset=8199,
resid=0x7f7ffd617098, pcr=0x7f7ffd617038, ioflag=0)
at /local/src/NetBSD/src/usr.sbin/puffs/mount_sysctlfs/sysctlfs.c:635
635 memcpy(buf, localbuf + offset, xfer);
(gdb) p localbuf
$1 = "NetBSD", '\0' <repeats 8185 times>
(gdb) p offset
$2 = 8199
(gdb) p sizeof(localbuf)
$3 = 8192
(gdb) p xfer
$4 = 4096
--
Nicolas Joly
Biological Software and Databanks.
Institut Pasteur, Paris.
Home |
Main Index |
Thread Index |
Old Index