From owner-freebsd-hackers Tue Nov 26 5:14:43 2002
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7F7B037B401 for ; Tue, 26 Nov 2002 05:14:41 -0800 (PST)
Received: from mailout.informatik.tu-muenchen.de (mailout.informatik.tu-muenchen.de [131.159.0.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id 869B243EC2 for ; Tue, 26 Nov 2002 05:14:40 -0800 (PST) (envelope-from langd@informatik.tu-muenchen.de)
Received: from mailrelay1.informatik.tu-muenchen.de (mailrelay1.informatik.tu-muenchen.de [131.159.254.5]) by mailout.informatik.tu-muenchen.de (Postfix) with ESMTP id 4515B6264; Tue, 26 Nov 2002 14:14:39 +0100 (MET)
Received: from atrbg11.informatik.tu-muenchen.de (atrbg11.informatik.tu-muenchen.de [131.159.42.129]) by mailrelay1.informatik.tu-muenchen.de (Postfix) with ESMTP id 306A47942; Tue, 26 Nov 2002 14:14:39 +0100 (MET)
Received: by atrbg11.informatik.tu-muenchen.de (Postfix, from userid 20455) id 9C067136FA; Tue, 26 Nov 2002 14:14:38 +0100 (CET)
Date: Tue, 26 Nov 2002 14:14:38 +0100
From: Daniel Lang
To: freebsd-hackers@freebsd.org
Cc: chopin@sgh.waw.pl
Subject: strange coredump in malloc_bytes()/libc in 4.7p2
Message-ID: <20021126131438.GC60278@atrbg11.informatik.tu-muenchen.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Geek: GCS/CC d-- s: a- C++$ UBS++++$ P+++$ L- E-(---) W+++(--) N++ o K w--- O? M? V? PS+(++) PE--(+) Y+ PGP+ t++ 5+++ X R+(-) tv+ b+ DI++ D++ G++ e+++ h---(-) r++>+++ y+
User-Agent: Mutt/1.5.1i
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Hi folks,

before I send a PR, I thought I'd ask the opinion of the people here.

Background: We run an IRCnet ircd on a FreeBSD box here. This combination lived very happily for a very long time.
Recently I've updated the box to 4.7-RELEASE-p2. After the update, the "ircd" won't start any longer. Recompiling ircd did not help at all.

Now, after many hours trying to debug the problem, I built a world with CFLAGS=-g to get a libc with debugging symbols and a useful backtrace:

(gdb) bt
#0  0x2819244b in malloc_bytes (size=476) at /usr/src/lib/libc/../libc/stdlib/malloc.c:673
#1  0x28192581 in imalloc (size=476) at /usr/src/lib/libc/../libc/stdlib/malloc.c:715
#2  0x28192a44 in malloc (size=476) at /usr/src/lib/libc/../libc/stdlib/malloc.c:1076
#3  0x281885b5 in calloc (num=1, size=476) at /usr/src/lib/libc/../libc/stdlib/calloc.c:49
#4  0x2817dd77 in __hash_open (file=0x28198232 "/etc/pwd.db", flags=0, mode=0, info=0x0, dflags=0) at /usr/src/lib/libc/../libc/db/hash/hash.c:113
#5  0x2817dc5e in dbopen (fname=0x28198232 "/etc/pwd.db", flags=0, mode=0, type=DB_HASH, openinfo=0x0) at /usr/src/lib/libc/../libc/db/db/db.c:66
#6  0x281421c3 in __initdb () at /usr/src/lib/libc/../libc/gen/getpwent.c:276
#7  0x28141f5d in getpwuid (uid=25091) at /usr/src/lib/libc/../libc/gen/getpwent.c:194
#8  0x8058823 in setup_me (mp=0x8116440) at ../ircd/ircd.c:545
#9  0x805919e in main (argc=0, argv=0xbfbffcb0) at ../ircd/ircd.c:915
#10 0x8049a79 in _start ()

If I inspect the crashing frame I get:

672         /* Find first word of bitmap which isn't empty */
673         for (lp = bp->bits; !*lp; lp++)
674             ;
(gdb) p lp
$19 = (u_int *) 0x8f949b0
(gdb) p *lp
Cannot access memory at address 0x8f949b0.
(gdb) p bp
$20 = (struct pginfo *) 0x8f949a0
(gdb) p *bp
Cannot access memory at address 0x8f949a0.
(gdb) p j
$23 = 9
(gdb) p page_dir[j]
$24 = (struct pginfo *) 0x8f949a0

Unfortunately, I have no clue about what the reasonable contents of a struct pginfo are, or whether the pointers in such an array are valid or not. My impression is that this symptom is caused by a buffer overflow somewhere else in the code, possibly ircd's code, which trashes the content of struct pginfo.
If anyone agrees, or has any other ideas what could be the cause, please give instructions on how to debug further.

Thanks and best regards,
Daniel

--
IRCnet: Mr-Spock - The shadow of Hasenfuss is rather dark -
*Daniel Lang * dl@leo.org * +49 89 289 18532 * http://www.leo.org/~dl/*

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
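The post suspects a heap buffer overflow elsewhere in the process that trashes the allocator's own page metadata (struct pginfo), so the crash surfaces far from the bug, inside malloc_bytes(). One way to localize that kind of corruption is to wrap allocations in a debugging layer that places a known byte pattern (a canary) right after each requested block and checks it before the block is released. The following C program is an added example written for this page; it is not from the original mail, from ircd, or from FreeBSD's libc, and every name in it (guarded_malloc, guarded_check, guarded_free, demo_overflow) is this example's own. The overflow it demonstrates is constructed: it only writes into the canary area the example itself allocated.

```c
/* Added example (not from the original post): a canary-guarded allocator
 * used to localize a suspected heap buffer overflow.  Each allocation gets a
 * known byte pattern written just past the requested size; guarded_check()
 * reports how many of those bytes were clobbered before the block is freed.
 * All names here are this example's own, not FreeBSD libc or ircd code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HDR_LEN    16   /* header size; keeps the user pointer 16-byte aligned */
#define CANARY_LEN 16   /* bytes of trailing canary after the user region */
#define CANARY_BYTE 0xA5

/* Layout of each block: [HDR_LEN header][size user bytes][CANARY_LEN canary] */
void *guarded_malloc(size_t size)
{
    unsigned char *base = malloc(HDR_LEN + size + CANARY_LEN);
    if (base == NULL)
        return NULL;
    memcpy(base, &size, sizeof size);                        /* remember the request */
    memset(base + HDR_LEN + size, CANARY_BYTE, CANARY_LEN);  /* trailing canary */
    return base + HDR_LEN;
}

/* Returns the number of canary bytes that no longer hold CANARY_BYTE
 * (0 means the block was not written past its end). */
size_t guarded_check(const void *p)
{
    const unsigned char *base = (const unsigned char *)p - HDR_LEN;
    size_t size, i, bad = 0;
    memcpy(&size, base, sizeof size);
    for (i = 0; i < CANARY_LEN; i++)
        if (base[HDR_LEN + size + i] != CANARY_BYTE)
            bad++;
    return bad;
}

void guarded_free(void *p)
{
    if (p != NULL)
        free((unsigned char *)p - HDR_LEN);
}

/* Constructed fault for the demo: fill a block in bounds, then write
 * `overflow` bytes past its end.  The write is capped at CANARY_LEN so it
 * stays inside memory this example allocated.  Returns the clobber count. */
size_t demo_overflow(size_t request, size_t overflow)
{
    unsigned char *buf = guarded_malloc(request);
    size_t bad;
    if (buf == NULL)
        return (size_t)-1;
    memset(buf, 0x42, request);              /* in-bounds write: canary untouched */
    if (overflow > CANARY_LEN)
        overflow = CANARY_LEN;
    memset(buf + request, 0x00, overflow);   /* the off-by-N bug being hunted */
    bad = guarded_check(buf);
    guarded_free(buf);
    return bad;
}

int main(void)
{
    /* 476 matches the allocation size in the post's backtrace */
    printf("in-bounds write: %lu canary bytes clobbered\n",
           (unsigned long)demo_overflow(476, 0));
    printf("3-byte overflow: %lu canary bytes clobbered\n",
           (unsigned long)demo_overflow(476, 3));
    return 0;
}
```

Swapping an application's malloc()/free() calls for a wrapper like this (or checking every live block from a periodic sweep) turns a crash deep inside the allocator into a report naming the block that was overrun. Before going that far on FreeBSD 4.x it is worth trying phkmalloc's own diagnostics first: the MALLOC_OPTIONS environment variable (or the /etc/malloc.conf symlink) accepts the "A" flag to abort on the first detected inconsistency and "J" to junk-fill allocated and freed memory, which usually moves the failure much closer to the offending write.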