Date: Tue, 31 Jan 2006 14:38:16 -0800
From: Steve Kargl <sgk@troutmask.apl.washington.edu>
To: Kris Kennaway <kris@obsecurity.org>
Cc: freebsd-current@freebsd.org
Subject: Re: panic: Memory modified after free
Message-ID: <20060131223816.GA587@troutmask.apl.washington.edu>
In-Reply-To: <20060131213332.GA15250@xor.obsecurity.org>
References: <20060131212209.GA870@troutmask.apl.washington.edu> <20060131213332.GA15250@xor.obsecurity.org>

On Tue, Jan 31, 2006 at 04:33:32PM -0500, Kris Kennaway wrote:
> On Tue, Jan 31, 2006 at 01:22:09PM -0800, Steve Kargl wrote:
> > The system is a dual proc Tyan K8S Pro with 12 GB of memory.
> > The kernel is UP. This was recorded by hand. I have the crash dump.
> >
> > Memory modified after free 0xffffff02505e0c00(504) val=deadc0dd @
> > 0xffffff02505e0cd0
> >
> > panic: Most recently used by DEVFS1
>
> Set up memguard to watch this malloc type in order to obtain useful
> debugging.
>

memguard has made the situation even worse. The kernel never makes
it to single user mode. I get

MEMGUARD DEBUGGING ALLOCATOR INITIALIZED
MEMGUARD map base: 0xffffffff8f1b2000
map limit: 0xffffffff919b3000
map size: 41947136 (Bytes)
Memory modified after free 0xffffff000005bd00(248) val=5 @ 0xffffff000005bdd0
kernel trap 9 with interrupts disabled

Fatal trap 9: general protection fault while in kernel mode
instruction pointer = 0x8:0xffffffff80306487
stack pointer = 0x10:0xffffffff807a1a20
frame pointer = 0x10:0xffffffff807a1a30
code segment = base 0x0, limit 0xfffff, type 0x1b
             = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = resume, IOPL = 0
current process: = 0 ()
[thread pid 0 tid 0]
Stopped at strlen+0x7: cmpb $0,0(%rdi)
db> bt
Tracing pid 0 tid 0 td 0xffffffff8060ac40
strlen() at strlen+0x7
kvprintf() at kvprintf+0x987
vsnprintf() at vsnprintf+0x2e
panic() at panic+0xfa
mtrash_ctor() at mtrash_ctor+0x70
uma_zalloc_arg() at uma_zalloc_arg+0x170
malloc() at malloc+0x11e
init_dynamic_kenv() at init_dynamic_kenv+0x68
mi_startup() at mi_startup+0xb6
btext() at btext+0x2c

-- 
Steve