Date:      Tue, 26 Nov 2002 14:14:38 +0100
From:      Daniel Lang <dl@leo.org>
To:        freebsd-hackers@freebsd.org
Cc:        chopin@sgh.waw.pl
Subject:   strange coredump in malloc_bytes()/libc in 4.7p2
Message-ID:  <20021126131438.GC60278@atrbg11.informatik.tu-muenchen.de>

Hi folks,

before I send a PR, I thought I'd ask for the opinion
of the people here.

Background:

We run an IRCnet ircd on a FreeBSD box here. This combination
lived very happily for a very long time. Recently I've updated
the box to 4.7-RELEASE-p2. After the update, the "ircd"
won't start any longer.

Recompile of ircd did not help at all.

Now, after many hours trying to debug the problem, I built
a world with CFLAGS=-g to get a libc with debugging symbols
and a useful backtrace:

(gdb) bt
#0  0x2819244b in malloc_bytes (size=476)
    at /usr/src/lib/libc/../libc/stdlib/malloc.c:673
#1  0x28192581 in imalloc (size=476)
    at /usr/src/lib/libc/../libc/stdlib/malloc.c:715
#2  0x28192a44 in malloc (size=476)
    at /usr/src/lib/libc/../libc/stdlib/malloc.c:1076
#3  0x281885b5 in calloc (num=1, size=476)
    at /usr/src/lib/libc/../libc/stdlib/calloc.c:49
#4  0x2817dd77 in __hash_open (file=0x28198232 "/etc/pwd.db", flags=0, mode=0, 
    info=0x0, dflags=0) at /usr/src/lib/libc/../libc/db/hash/hash.c:113
#5  0x2817dc5e in dbopen (fname=0x28198232 "/etc/pwd.db", flags=0, mode=0, 
    type=DB_HASH, openinfo=0x0) at /usr/src/lib/libc/../libc/db/db/db.c:66
#6  0x281421c3 in __initdb () at /usr/src/lib/libc/../libc/gen/getpwent.c:276
#7  0x28141f5d in getpwuid (uid=25091)
    at /usr/src/lib/libc/../libc/gen/getpwent.c:194
#8  0x8058823 in setup_me (mp=0x8116440) at ../ircd/ircd.c:545
#9  0x805919e in main (argc=0, argv=0xbfbffcb0) at ../ircd/ircd.c:915
#10 0x8049a79 in _start ()

If I inspect the crashing frame I get:

672         /* Find first word of bitmap which isn't empty */
673         for (lp = bp->bits; !*lp; lp++)
674             ;
(gdb) p lp
$19 = (u_int *) 0x8f949b0
(gdb) p *lp
Cannot access memory at address 0x8f949b0.
(gdb) p bp
$20 = (struct pginfo *) 0x8f949a0
(gdb) p *bp
Cannot access memory at address 0x8f949a0.
(gdb) p j       
$23 = 9
(gdb) p page_dir[j]
$24 = (struct pginfo *) 0x8f949a0

Unfortunately, I have no clue about reasonable contents of
a struct pginfo and valid pointers or not in such an array.

My impression is that this symptom is caused by a buffer
overflow somewhere else in the code, possibly ircd's code,
which thrashes the content of struct pginfo.

If anyone agrees, or has any other ideas about what could be
the cause, please give instructions on how to debug further.

Thanks and best regards,
 Daniel
-- 
IRCnet: Mr-Spock     - Der Schatten von Hasenfuss ist ziemlich dunkel -  
*Daniel Lang * dl@leo.org * +49 89 289 18532 * http://www.leo.org/~dl/*
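The mail's hypothesis is that an overrun in application code corrupts the allocator's own bookkeeping (the struct pginfo whose bitmap `malloc_bytes()` walks at malloc.c:673), so the crash surfaces far from the bug. A standard way to test that hypothesis is to put a canary directly after every allocation and check it at free time, so the first overrun is reported at its source instead of inside a later, unrelated malloc() call. The following is an added example written for this page; it is not code from the mail, from ircd, or from FreeBSD's libc, and the `guarded_*` names, the `GUARD_MAGIC` constant and the canary bytes are this example's own choices. The 476-byte request mirrors the size in the backtrace only as a constructed illustration.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not part of the original mail or of FreeBSD's malloc.c.
 * Each block gets a hidden header (magic + requested size) and a trailing
 * canary placed immediately after the last user byte. An off-by-one or
 * longer overrun smashes the canary instead of the real allocator metadata,
 * and guarded_check() reports it while the offending block is still live. */

#define CANARY_LEN 8
#define GUARD_MAGIC ((size_t)0x47554152)   /* hypothetical marker value */

static const unsigned char CANARY[CANARY_LEN] = {
    0xDE, 0xAD, 0xBE, 0xEF, 0xC0, 0xFF, 0xEE, 0x01
};

struct guard_hdr {
    size_t magic;   /* identifies blocks handed out by guarded_alloc() */
    size_t size;    /* bytes the caller asked for */
};

/* Allocate `size` usable bytes, zeroed like calloc(), followed by a canary. */
void *guarded_alloc(size_t size)
{
    struct guard_hdr *h = calloc(1, sizeof *h + size + CANARY_LEN);
    if (h == NULL)
        return NULL;
    h->magic = GUARD_MAGIC;
    h->size = size;
    unsigned char *user = (unsigned char *)(h + 1);
    memcpy(user + size, CANARY, CANARY_LEN);   /* canary sits right past the user region */
    return user;
}

/* Returns 0 when the block is intact, 1 when the trailing canary has been
 * overwritten (something wrote past the requested size), and -1 when the
 * pointer does not carry our header at all. */
int guarded_check(const void *p)
{
    const struct guard_hdr *h = (const struct guard_hdr *)p - 1;
    if (h->magic != GUARD_MAGIC)
        return -1;
    const unsigned char *user = p;
    return memcmp(user + h->size, CANARY, CANARY_LEN) == 0 ? 0 : 1;
}

/* Free a guarded block, aborting on the spot if it was overrun: a crash here
 * points at the culprit, a crash inside a later malloc_bytes() does not. */
void guarded_free(void *p)
{
    if (p == NULL)
        return;
    assert(guarded_check(p) == 0);
    free((struct guard_hdr *)p - 1);
}

/* Constructed reproduction of the failure mode under study: request a block
 * and write `bytes_written` bytes into it. Writing exactly `request` bytes
 * leaves the canary intact (0); writing more lands in the canary (1).
 * Writes that would run past the canary into foreign memory are refused (-2)
 * so the demonstration never corrupts the real heap. */
int overrun_demo(size_t request, size_t bytes_written)
{
    if (bytes_written > request + CANARY_LEN)
        return -2;
    unsigned char *buf = guarded_alloc(request);
    if (buf == NULL)
        return -1;
    memset(buf, 'A', bytes_written);            /* bytes_written > request is the bug */
    int rc = guarded_check(buf);
    free((struct guard_hdr *)buf - 1);          /* bypass the asserting free for the demo */
    return rc;
}

int main(void)
{
    printf("476 bytes into 476-byte block: canary %s\n",
           overrun_demo(476, 476) ? "smashed" : "intact");
    printf("477 bytes into 476-byte block: canary %s\n",
           overrun_demo(476, 477) ? "smashed" : "intact");
    return 0;
}
```

In practice the wrapper is dropped in behind the program's allocation calls (or the tracked size is compared against every copy into the buffer) and run under gdb, so the assert in `guarded_free()` stops execution with the overrunning block's caller in the backtrace. The same idea underlies the allocator's own debugging knobs: with phkmalloc, setting the `A` (abort) and `J` (junk-fill) options via `MALLOC_OPTIONS` makes metadata corruption fail fast and makes use of uninitialised or freed memory visible sooner, which narrows the search before any custom instrumentation is needed.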
