kern/41819: kernel incorrectly records iovec data for ktrace

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: kern/41819: kernel incorrectly records iovec data for ktrace
From: Taylor R Campbell <campbell%mumble.net@localhost>
Date: Tue, 4 Aug 2009 22:05:00 +0000 (UTC)

>Number:         41819
>Category:       kern
>Synopsis:       kernel incorrectly records iovec data for ktrace
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Aug 04 22:05:00 +0000 2009
>Originator:     Taylor R Campbell <campbell%mumble.net@localhost>
>Release:        NetBSD 5.0_STABLE
>Organization:
>Environment:
System: NetBSD joule.t.continuation.org 5.0_STABLE NetBSD 5.0_STABLE (RIAGATE) 
#0: Sun Jun 14 17:49:06 EDT 2009 
riastradh%Oberon.local@localhost:/Users/riastradh/os/netbsd/5/obj/sys/arch/i386/compile/RIAGATE
 i386
Architecture: i386
Machine: i386
>Description:

        In sys/kern/kern_ktrace.c, ktr_io advances through the array
        of iovecs to copy their data into a contiguous buffer, but
        fails to update the pointer into the buffer.  Thus ktrace
        output for I/O with iovecs has later iovec buffers clobbering
        earlier ones, and garbage where later ones should go.

>How-To-Repeat:

        Ktracing the following program should show that it writes
        `one\ntwo\n', but instead it shows

                  4412      1 foo      GIO   fd 1 wrote 8 bytes
                       "two\n\M-4\M-T\M-?\M-?"

        Contents of foo.c:

#include <err.h>
#include <unistd.h>
#include <sys/uio.h>

int
main(int argc, char *argv[])
{
        struct iovec iov[2] =
                {
                        { .iov_base = "one\n", .iov_len = 4 },
                        { .iov_base = "two\n", .iov_len = 4 },
                };
        ssize_t written;

        written = writev(STDOUT_FILENO, iov, 2);
        if (written != 8)
        {
                if (written < 0)
                        err(1, "writev");
                else
                        errx(1, "writev wrote too few bytes: %zd", written);
        }

        return 0;
}

>Fix:

        Apply the following patch to sys/kern/kern_ktrace.c to fix the
        ktr_io function:

--- kern_ktrace.c       14 May 2009 01:58:26 +0000      1.147
+++ kern_ktrace.c       04 Aug 2009 21:54:33 +0000      
@@ -684,6 +684,7 @@
                if (copyin(iov->iov_base, cp, cnt) != 0)
                        goto out;
                kte->kte_kth.ktr_len += cnt;
+               cp += cnt;
                buflen -= cnt;
                resid -= cnt;
                iov->iov_len -= cnt;

        Please also pull up a similar change to netbsd-4 to fix the
        ktrgenio function:

--- kern_ktrace.c       11 Apr 2008 06:35:02 +0000      1.112.2.1
+++ kern_ktrace.c       04 Aug 2009 21:55:42 +0000      
@@ -545,6 +545,7 @@
                if (copyin(iov->iov_base, cp, cnt) != 0)
                        goto out;
                kth->ktr_len += cnt;
+               cp += cnt;
                buflen -= cnt;
                resid -= cnt;
                iov->iov_len -= cnt;

Prev by Date: Re: port-alpha/41809: Xserver.tgz AND Xfonts.tgz are CORRUPTED
Next by Date: Re: kern/39940 (agr locking error)
Previous by Thread: PR/41774 CVS commit: [netbsd-5] src/usr.bin/printenv
Next by Thread: bin/41820: pppd man page and ip-up and DNS
Indexes:

Home | Main Index | Thread Index | Old Index