From: John Baldwin <jhb@freebsd.org>
To: freebsd-stable@freebsd.org
Date: Mon, 27 Aug 2012 14:07:58 -0400
Subject: Re: FreeBSD/i386 stable/9 @239722: REDZONE: Buffer underflow detected
Message-Id: <201208271407.58146.jhb@freebsd.org>
In-Reply-To: <20120827131311.GE1442@albert.catwhisker.org>

On Monday, August 27, 2012 9:13:11 am David Wolfskill wrote:
> Starting devd.
> REDZONE: Buffer underflow detected. 1 byte corrupted before 0xced40080 (4294966796 bytes allocated).

This size seems quite outlandish. The only malloc in devctl_queue_data_f() is:

    struct dev_event_info *n1 = NULL, *n2 = NULL;
    ...
    n1 = malloc(sizeof(*n1), M_BUS, flags);

On amd64 that structure's size is 24 bytes. On i386 it is probably similar. Certainly not 4GB. I cannot see any overflow bugs with 'struct dev_event_info' objects. In this case I think the redzone metadata that specified the object's size was corrupted, but I've no idea how that could occur.

-- 
John Baldwin
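The two things John's reply hinges on, a redzone that catches a single byte written before an object and a size header that can itself be corrupted, as an added example (not code from the thread or from FreeBSD's REDZONE(9)): a user-space model of a guarded allocator in C. The guard width, fill pattern, cookie and all function names are constructed; the cookie-protected size field is a swapped-in technique that makes a damaged header report as such instead of as an absurd allocation size (4294966796 is 2^32 - 500, the 32-bit pattern 0xFFFFFE0C).

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define RZ_GUARD  16u          /* constructed: guard width in bytes */
#define RZ_FILL   0x42         /* constructed: guard fill pattern */
#define RZ_COOKIE 0xA5A5A5A5u  /* constructed: cookie protecting the size field */

struct rz_hdr {                /* metadata placed immediately before the user buffer */
    uint32_t size;             /* requested size, as REDZONE records it */
    uint32_t size_chk;         /* size ^ RZ_COOKIE, so a trashed size is noticed */
    uint8_t  guard[RZ_GUARD];  /* front guard; p[-1] is guard[RZ_GUARD - 1] */
};

void *rz_malloc(uint32_t size)
{
    struct rz_hdr *h = malloc(sizeof(*h) + size + RZ_GUARD);
    if (h == NULL) return NULL;
    h->size = size;
    h->size_chk = size ^ RZ_COOKIE;
    memset(h->guard, RZ_FILL, RZ_GUARD);                   /* front guard */
    memset((uint8_t *)(h + 1) + size, RZ_FILL, RZ_GUARD);  /* rear guard  */
    return h + 1;
}
void rz_free(void *p) { free((struct rz_hdr *)p - 1); }

/* Corrupted guard bytes (front + rear), or -1 if the header itself is damaged. */
int rz_check(const void *p)
{
    const struct rz_hdr *h = (const struct rz_hdr *)p - 1;
    if ((h->size ^ RZ_COOKIE) != h->size_chk)
        return -1;             /* size untrusted: rear guard would be at a bogus offset */
    const uint8_t *tail = (const uint8_t *)p + h->size;
    int bad = 0;
    for (unsigned i = 0; i < RZ_GUARD; i++)
        bad += (h->guard[i] != RZ_FILL) + (tail[i] != RZ_FILL);
    return bad;
}

/* A 24-byte object (amd64 size of struct dev_event_info) under the thread's two
 * scenarios: a 1-byte underflow, or a trashed size field in the metadata. */
int demo(int trash_size)
{
    uint8_t *p = rz_malloc(24);
    if (trash_size)
        ((struct rz_hdr *)p - 1)->size = 4294966796u;  /* the size in the report */
    else
        p[-1] = 0;             /* 1-byte underflow into the front guard */
    int bad = rz_check(p);
    rz_free(p);
    return bad;                /* 1 for the underflow, -1 for the bad header */
}
```

With the plain size field of the real allocator, the second scenario would instead print the garbage size and then walk the rear guard 4 GB away, which is why a report like the one quoted points at the metadata rather than at the object.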