NetBSD-Bugs archive


Re: kern/41494



The following reply was made to PR bin/41494; it has been noted by GNATS.

From: Nicolas Joly <njoly%pasteur.fr@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc: gnats-admin%netbsd.org@localhost, netbsd-bugs%netbsd.org@localhost, 
a%zhtw.org.ru@localhost
Subject: Re: kern/41494
Date: Wed, 27 May 2009 17:23:01 +0200

 On Wed, May 27, 2009 at 02:15:04PM +0000, Antti Kantee wrote:
 [...]
 >  I don't really have a clue as to what is going wrong.  Any chance you
 >  could provide a stack backtrace and/or run mount_sysctlfs with
 >  "mount_sysctlfs -o dump flop /sys" and copypaste the output?
 >  Also, what does "sysctl net.inet.ip.forwarding" show?
 
 I can reproduce it on my -current amd64 machines ... with some other
 nodes such as `kern.ostype':
 
 njoly@lanfeust [~]> sudo mount_sysctlfs -o dump sysctlfs /mnt
         reqid: 0, opclass 2, optype: PUFFS_VN_LOOKUP, cookie: 0x7f7ffd601100,
                 aux: 0x7f7ffd611038, auxlen: 1224, pid: 3990, lwpid: 1
                 puffs_cn: "kern", len 4 op LOOKUP (flags 0x84054)
                 since previous call: 1243435876.732998
                 new node 0x7f7ffd601200, type 0x2,
                 size 0x0, dev 0x0
         RV reqid: 0, result: 0 
         reqid: 1, opclass 2, optype: PUFFS_VN_LOOKUP, cookie: 0x7f7ffd601200,
                 aux: 0x7f7ffd617038, auxlen: 1224, pid: 3990, lwpid: 1
                 puffs_cn: "ostype", len 6 op LOOKUP (flags 0xc054)
                 since previous call: 0.000256
                 new node 0x7f7ffd601300, type 0x1,
                 size 0x0, dev 0x0
         RV reqid: 1, result: 0 
         reqid: 2, opclass 2, optype: PUFFS_VN_READ, cookie: 0x7f7ffd601300,
                 aux: 0x7f7ffd617038, auxlen: 4264, pid: 3990, lwpid: 1
                 offset: 0, resid 4096, ioflag 0x0
                 since previous call: 0.000311
                 resid after op: 4089
         RV reqid: 2, result: 0 
         reqid: 3, opclass 2, optype: PUFFS_VN_READ, cookie: 0x7f7ffd601300,
                 aux: 0x7f7ffd617038, auxlen: 4264, pid: 3990, lwpid: 1
                 offset: 7, resid 4096, ioflag 0x0
                 since previous call: 0.000211
                 resid after op: 0
         RV reqid: 3, result: 0 
         reqid: 4, opclass 2, optype: PUFFS_VN_READ, cookie: 0x7f7ffd601300,
                 aux: 0x7f7ffd617038, auxlen: 4264, pid: 3990, lwpid: 1
                 offset: 4103, resid 4096, ioflag 0x0
                 since previous call: 0.000497
                 resid after op: 0
         RV reqid: 4, result: 0 
         reqid: 5, opclass 2, optype: PUFFS_VN_READ, cookie: 0x7f7ffd601300,
                 aux: 0x7f7ffd617038, auxlen: 4264, pid: 3990, lwpid: 1
                 offset: 8199, resid 4096, ioflag 0x0
                 since previous call: 0.000478
 zsh: segmentation fault (core dumped)  sudo  -o dump sysctlfs /mnt
 
 For some reason the offset value in sysctlfs_node_read() exceeds the
 localbuf buffer size, leading to an out-of-bounds access with
 memcpy...
 
 njoly@lanfeust [~]> gdb mount_sysctlfs mount_sysctlfs.core
 GNU gdb 6.5
 Copyright (C) 2006 Free Software Foundation, Inc.
 [...]
 Program terminated with signal 11, Segmentation fault.
 #0  0x0000000000402eed in sysctlfs_node_read (pu=0x7f7ffd605800, 
     opc=0x7f7ffd601300, buf=0x7f7ffd6170a4 "", offset=8199, 
     resid=0x7f7ffd617098, pcr=0x7f7ffd617038, ioflag=0)
     at /local/src/NetBSD/src/usr.sbin/puffs/mount_sysctlfs/sysctlfs.c:635
 635             memcpy(buf, localbuf + offset, xfer);
 (gdb) p localbuf
 $1 = "NetBSD", '\0' <repeats 8185 times>
 (gdb) p offset
 $2 = 8199
 (gdb) p sizeof(localbuf)
 $3 = 8192
 (gdb) p xfer
 $4 = 4096
 
 -- 
 Nicolas Joly
 
 Biological Software and Databanks.
 Institut Pasteur, Paris.
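The failure described in the report is a read handler indexing a fixed local buffer with an unchecked file offset. Below is an added example (not the NetBSD mount_sysctlfs source, and not code from the reporter) of the bounds check such a handler needs; the names LOCALBUF_SIZE, safe_node_read() and read_at() and the 7-byte sample value are assumptions made for the demonstration.

```c
#include <string.h>
#include <sys/types.h>

/* Added example, not the NetBSD mount_sysctlfs source: a bounds-checked form
 * of the copy in the backtrace above, for a node whose value lives in a fixed
 * local buffer and a read request that carries (offset, resid). The names
 * LOCALBUF_SIZE, safe_node_read() and read_at() are chosen here. */
#define LOCALBUF_SIZE 8192

/* Copy up to *resid bytes of the datalen-byte value in localbuf, starting at
 * file offset `offset`, into buf; return the bytes copied (0 at or past EOF)
 * and decrement *resid by that amount. The `offset >= datalen` test keeps
 * `localbuf + offset` inside the buffer (8199 vs. sizeof 8192 in the crash),
 * and clamping xfer keeps the memcpy inside the valid data. */
static size_t
safe_node_read(char *buf, off_t offset, size_t *resid,
    const char *localbuf, size_t datalen)
{
	size_t xfer;

	if (datalen > LOCALBUF_SIZE)
		datalen = LOCALBUF_SIZE;	/* value can never exceed the buffer */
	if (offset < 0 || (size_t)offset >= datalen)
		return 0;			/* EOF: nothing to copy, resid untouched */
	xfer = datalen - (size_t)offset;
	if (xfer > *resid)
		xfer = *resid;			/* caller's buffer is the other limit */
	memcpy(buf, localbuf + offset, xfer);
	*resid -= xfer;
	return xfer;
}

/* One read of `resid` bytes at `offset` against a constructed 8192-byte
 * localbuf holding the 7-byte sample value "NetBSD\n" (7 is what the first
 * read in the dump transferred); returns the bytes transferred. */
static size_t
read_at(off_t offset, size_t resid)
{
	char localbuf[LOCALBUF_SIZE];
	char out[4096];

	memset(localbuf, 0, sizeof(localbuf));
	memcpy(localbuf, "NetBSD\n", 7);
	if (resid > sizeof(out))
		resid = sizeof(out);
	return safe_node_read(out, offset, &resid, localbuf, 7);
}
```

Replaying the offsets from the dump (0, 7, 4103, 8199) through read_at() transfers 7 bytes on the first call and 0 on the rest, instead of copying 4096 bytes from past the end of the buffer.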
 

