From: David Wolfskill <david@catwhisker.org>
To: Mateusz Guzik
Cc: stable@freebsd.org
Date: Sun, 21 Oct 2012 15:32:46 -0700
Subject: Re: stable/9 @r241776 panic: REDZONE: Buffer underflow detected...
Message-ID: <20121021223246.GD1609@albert.catwhisker.org>
In-Reply-To: <20121021220908.GA20958@dft-labs.eu>
List: freebsd-stable@freebsd.org (Production branch of FreeBSD source code)

On Mon, Oct 22, 2012 at 12:09:08AM +0200, Mateusz Guzik wrote:
> ...
> This looks a lot like the issue you reported a couple of months earlier;
> even the affected buffer address matches.

It's a tad scary that someone else notices that sort of thing before I do. :-}

> At least part of the REDZONE metadata placed directly before the buffer is
> corrupted. So the idea is to set a watchpoint at a place that is known
> to contain wrong data (in this case the allocation size) and wait for some
> code to try to modify it.
>
> I hacked up the following (really ugly, but should do the job):
> http://people.freebsd.org/~mjg/patches/watchpoint-hack.diff
>
> Note: this assumes that the address of the affected buffer is always the same.
>
> Assuming I didn't mess anything up, the instructions are simple:
> just try to reproduce the issue; at some point you should be dropped to
> the debugger. If that happens when dumpdevice is configured, please get a
> core. Otherwise just a backtrace ("bt" command).

Well, the problem was occurring (only, and reproducibly) during the
transition from single-user mode to multi-user mode.

Perhaps more frustrating: after building & installing the kernel with that
patch, apparently locations of things were adjusted in such a way that the
panic did not recur.

> Note 2: this code does not clear the watchpoint, so if it fails to catch
> the offending case, it may catch completely legitimate code later.

Fun! :-)

Thanks!

Peace,
david
-- 
David H. Wolfskill				david@catwhisker.org
Taliban: Evil men with guns afraid of truth from a 14-year old girl.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.
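The REDZONE idea Mateusz describes above, guard bytes plus a size header kept directly in front of the allocation so that a write before the buffer is noticed, as an added user-space model; this is not FreeBSD's REDZONE code nor anything from this thread, and the 16-byte guard, the fill pattern, the rz_* names and the XOR check that detects a clobbered size are this example's own assumptions.

```c
#include <stdlib.h>
#include <string.h>

#define RZ_SIZE  16                      /* guard bytes on each side of the buffer (assumed) */
#define RZ_FILL  0xA5                    /* pattern the guards must still hold */
#define RZ_MAGIC ((size_t)0x5A5A5A5AUL)  /* lets a clobbered size header be noticed */
enum { RZ_OK = 0, RZ_UNDERFLOW = 1, RZ_OVERFLOW = 2 };

/* Header kept in front of the pre-guard; 'check' reveals a damaged 'size'. */
struct rz_hdr { size_t size; size_t check; };

/* Layout: [rz_hdr][pre guard][user buffer][post guard] */
void *rz_malloc(size_t n) {
    struct rz_hdr h = { n, n ^ RZ_MAGIC };
    unsigned char *base = malloc(sizeof h + 2 * RZ_SIZE + n);
    if (base == NULL) return NULL;
    memcpy(base, &h, sizeof h);
    memset(base + sizeof h, RZ_FILL, RZ_SIZE);
    memset(base + sizeof h + RZ_SIZE + n, RZ_FILL, RZ_SIZE);
    return base + sizeof h + RZ_SIZE;
}

/* Returns RZ_OK or a bitmask naming the guard(s) found damaged. */
int rz_check(const void *p) {
    const unsigned char *u = p, *pre = u - RZ_SIZE;
    struct rz_hdr h;
    int status = RZ_OK; size_t i;
    memcpy(&h, pre - sizeof h, sizeof h);
    if ((h.size ^ RZ_MAGIC) != h.check)  /* size itself overwritten: do not trust it */
        return RZ_UNDERFLOW;
    for (i = 0; i < RZ_SIZE; i++) {
        if (pre[i] != RZ_FILL)        status |= RZ_UNDERFLOW;
        if (u[h.size + i] != RZ_FILL) status |= RZ_OVERFLOW;
    }
    return status;
}

/* Constructed faults: 0 none, 1 byte before buffer, 2 byte past end, 3 size header. */
int rz_demo(int fault) {
    unsigned char *b = rz_malloc(32);
    int status;
    if (b == NULL) return -1;
    memset(b, 0, 32);
    if (fault == 1) b[-1] = 0;
    if (fault == 2) b[32] = 0;
    if (fault == 3) memset(b - RZ_SIZE - sizeof(struct rz_hdr), 0, sizeof(size_t));
    status = rz_check(b);
    free(b - RZ_SIZE - sizeof(struct rz_hdr));
    return status;
}
```

Fault 3 models the case in the thread where the allocation size in the metadata is what got overwritten: the header check fails first, so the size is never used to locate the post guard.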