From owner-freebsd-bugs@FreeBSD.ORG Mon Aug 17 22:30:09 2009
Resent-Date: Mon, 17 Aug 2009 22:30:09 GMT
Resent-Message-Id: <200908172230.n7HMU91E010766@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Bruce Cran
Message-Id: <200908172229.n7HMTiow028832@www.freebsd.org>
Date: Mon, 17 Aug 2009 22:29:44 GMT
From: Bruce Cran
To: freebsd-gnats-submit@FreeBSD.org
Subject: bin/137890: [libkvm] ps segfaults with -ax when inspecting core files

>Number:         137890
>Category:       bin
>Synopsis:       [libkvm] ps segfaults with -ax when inspecting core files
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Aug 17 22:30:09 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Bruce Cran
>Release:        8.0-BETA2
>Organization:
>Environment:
FreeBSD tau.draftnet 8.0-BETA2 FreeBSD 8.0-BETA2 #0: Sun Aug 16 19:32:23 BST 2009 brucec@tau.draftnet:/usr/obj/usr/src/sys/DELL amd64
>Description:
When recovering from a crash, crashinfo(8) is run; it executes 'ps -ax -M corefile', which causes ps to segfault and attempt to write a 1GB core file to /. The crash can be reproduced after the system has booted by running 'ps -ax -M /var/crash/vmcore.x'.

The faulty code appears to be in lib/libkvm/kvm_proc.c around line 561, though the underlying cause is that the symbol table appears to be unreadable (inferred from the -1 return value of kvm_nlist). It seems it's stepping past the nlist array and calls vsnprintf with a bad argument. kvm_nlist returns -1 to report that the symbol table couldn't be read, but the code assumes it has returned a positive number to indicate that there's an invalid entry, so it starts searching for that entry where n_type is 0.

tau# gdb ps
GNU gdb 6.1.1 [FreeBSD]
[...]
(gdb) run -ax -M /var/crash/vmcore.3
Starting program: /bin/ps -ax -M /var/crash/vmcore.3

Program received signal SIGSEGV, Segmentation fault.
0x000000080096340b in strlen (str=Variable "str" is not available.
) at /usr/src/lib/libc/string/strlen.c:88
88              if (*p == '\0')
(gdb) bt
#0  0x000000080096340b in strlen (str=Variable "str" is not available.
) at /usr/src/lib/libc/string/strlen.c:88
#1  0x000000080095c082 in __vfprintf (fp=0x7fffffffd9a0, fmt0=0x800773915 "%s: no such symbol", ap=0x7fffffffdb10) at /usr/src/lib/libc/stdio/vfprintf.c:825
#2  0x00000008008cc696 in vsnprintf (str=Variable "str" is not available.
) at /usr/src/lib/libc/stdio/vsnprintf.c:70
#3  0x0000000800772e89 in _kvm_err (kd=Variable "kd" is not available.
) at /usr/src/lib/libkvm/kvm.c:104
#4  0x0000000800770907 in kvm_getprocs (kd=0x800b02300, op=8, arg=0, cnt=0x7fffffffdf1c) at /usr/src/lib/libkvm/kvm_proc.c:561
#5  0x0000000000405322 in main (argc=4, argv=0x7fffffffe9a8) at /usr/src/bin/ps/ps.c:511
(gdb) frame 4
#4  0x0000000800770907 in kvm_getprocs (kd=0x800b02300, op=8, arg=0, cnt=0x7fffffffdf1c) at /usr/src/lib/libkvm/kvm_proc.c:561
561                     _kvm_err(kd, kd->program,
(gdb) list
556             nl[5].n_name = 0;
557
558             if (kvm_nlist(kd, nl) != 0) {
559                     for (p = nl; p->n_type != 0; ++p)
560                             ;
561                     _kvm_err(kd, kd->program,
562                             "%s: no such symbol", p->n_name);
563                     return (0);
564             }
565             if (KREAD(kd, nl[0].n_value, &nprocs)) {
(gdb) print nl
$1 = {{n_name = 0x8007738ef "_nprocs", n_type = 240 'ð', n_other = -1 'ÿ', n_desc = -1, n_value = 34365215744},
      {n_name = 0x8007738f7 "_allproc", n_type = 160 ' ', n_other = -100 '\234', n_desc = 80, n_value = 0},
      {n_name = 0x800773900 "_zombproc", n_type = 57 '9', n_other = 2 '\002', n_desc = 81, n_value = 34367538496},
      {n_name = 0x80077390a "_ticks", n_type = 74 'J', n_other = 0 '\0', n_desc = 0, n_value = 34365215744},
      {n_name = 0x800773911 "_hz", n_type = 168 '¨', n_other = -23 'é', n_desc = -1, n_value = 140737488349576},
      {n_name = 0x0, n_type = 1 '\001', n_other = 0 '\0', n_desc = 0, n_value = 34365024109}}
>How-To-Repeat:
Run 'ps -ax -M /var/crash/vmcore.x'
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
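The failure the PR describes is a return-value confusion: kvm_nlist(3) returns -1 when the symbol table is unreadable and a positive count when some entries are unresolved, but the `!= 0` check in kvm_proc.c treats both alike and then scans for an n_type == 0 entry through an array whose n_type fields were never filled in. The following is an added illustration, not libkvm's code or a proposed patch for it: it stands in for kvm_nlist with a simulated `sim_kvm_nlist` (an assumption of this demo, selecting the failure mode via a flag) and shows a check that separates the two cases and bounds the scan by the NULL-terminated name list.

```c
#include <stdio.h>
#include <string.h>
/* Stand-in for struct nlist; a NULL n_name ends the array like nl[5].n_name = 0. */
struct sym { const char *n_name; unsigned char n_type; unsigned long n_value; };

/* Simulated kvm_nlist(3), not libkvm's code: -1 if the symbol table cannot be
 * read, else the count of entries left unresolved (n_type == 0). symtab_ok
 * picks the mode; an unreadable table leaves the array untouched. */
static int sim_kvm_nlist(struct sym *nl, int symtab_ok)
{
    int missing = 0;
    if (!symtab_ok) return -1;
    for (struct sym *p = nl; p->n_name != NULL; ++p) {
        if (strcmp(p->n_name, "_bogus") == 0) { p->n_type = 0; missing++; }
        else { p->n_type = 1; p->n_value = 0x1000; }
    }
    return missing;
}

/* Corrected check: -1 means "unreadable table", not "some entry is missing",
 * and the n_type == 0 scan stops at the NULL terminator so it can never step
 * past the array or hand a NULL name to "%s".
 * Returns 0 on success, 1 for a missing symbol, 2 for an unreadable table. */
static int lookup(struct sym *nl, int symtab_ok, char *err, size_t errlen)
{
    int rc = sim_kvm_nlist(nl, symtab_ok);
    if (rc < 0) {
        snprintf(err, errlen, "cannot read kernel symbol table");
        return 2;
    }
    if (rc > 0) {
        struct sym *p = nl;
        while (p->n_name != NULL && p->n_type != 0) ++p;
        snprintf(err, errlen, "%s: no such symbol", p->n_name ? p->n_name : "?");
        return 1;
    }
    err[0] = '\0';
    return 0;
}

/* One scenario on a constructed 3-symbol table; the garbage n_type values mimic
 * the uninitialised array in the PR's gdb dump. bogus swaps in an unknown name. */
int run_case(int symtab_ok, int bogus)
{
    struct sym nl[4] = {{"_nprocs", 240, 0}, {"_allproc", 160, 0},
                        {bogus ? "_bogus" : "_zombproc", 57, 0}, {NULL, 1, 0}};
    char err[64];
    int rc = lookup(nl, symtab_ok, err, sizeof err);
    printf("symtab_ok=%d bogus=%d -> rc=%d %s\n", symtab_ok, bogus, rc, err);
    return rc;
}
```

With the original `!= 0` check, the unreadable-table case (rc == -1) would enter the scan with the stale n_type values shown in the gdb dump and run off the end of the array; here it is reported before any scan happens.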