From: Shawn Webb
To: freebsd-current@freebsd.org
Subject: redzone catching a buffer overflow in swapoff_one
Date: Mon, 3 Sep 2018 13:40:16 -0400

I'm unsure whether this is a false positive or true positive, but it
looks like there may be a buffer overflow in swapoff_one:

Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] REDZONE: Buffer overflow detected. 16 bytes corrupted after 0xfffffe1fe0023248 (2237000 bytes allocated).
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] Allocation backtrace:
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #0 0xffffffff80e188e1 at redzone_setup+0xe1
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #1 0xffffffff80ac8007 at malloc+0x1d7
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #2 0xffffffff80b1f449 at blist_create+0x99
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #3 0xffffffff80e1daa7 at swaponsomething+0xe7
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #4 0xffffffff80e1c233 at sys_swapon+0x413
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #5 0xffffffff80fc0e5e at amd64_syscall+0x29e
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #6 0xffffffff80f9dc9d at fast_syscall_common+0x101
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] Free backtrace:
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #0 0xffffffff80e18c28 at redzone_check+0x2f8
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #1 0xffffffff80ac85af at free_dbg+0x5f
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #2 0xffffffff80ac84aa at free+0x1a
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #3 0xffffffff80e1cae5 at swapoff_one+0x675
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #4 0xffffffff80e1cc57 at swapoff_all+0xd7
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #5 0xffffffff80b9991a at bufshutdown+0x2ca
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #6 0xffffffff80aec36e at kern_reboot+0x21e
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #7 0xffffffff80aec0f9 at sys_reboot+0x3a9
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #8 0xffffffff80fc0e5e at amd64_syscall+0x29e
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #9 0xffffffff80f9dc9d at fast_syscall_common+0x101

Of course, I'm running HardenedBSD 12-CURRENT/amd64.
I've synced with FreeBSD at this commit:

https://github.com/freebsd/freebsd/commit/2f2449cc1cdfc19ae34b2317e792af489418a01a

So my src tree is at this commit:

https://github.com/HardenedBSD/hardenedBSD/commit/98f90fadab000b818a731be4650ac1a47144501c

I've not yet studied the swap pager's code and plan to start learning it
soon.

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal: +1 443-546-8752
Tor+XMPP+OTR: lattera@is.a.hacker.sx
GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE
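The REDZONE lines in the message above come from the kernel's redzone(9) malloc debugging facility: guard bytes are placed around each allocation and checked when the buffer is freed, which is why redzone_check appears under free_dbg in the free backtrace. The free backtrace therefore shows where the corruption was detected (swapoff_one), while the allocation backtrace shows who owns the buffer (blist_create); the write itself happened somewhere between the two. As an added example that is not part of this post or of FreeBSD's own code, the Python below parses such a report out of syslog text, optionally undoing the quoted-printable soft line breaks (the `=` at the ends of lines) that list archives leave in the text, and returns the owning allocation and free sites. Assumptions: the syslog prefix and the sample text are taken from this message and shortened to a few frames; the underflow wording is assumed to mirror the overflow wording; the list of allocator-internal frames skipped when locating the owner is my own choice.

```python
"""Parse FreeBSD REDZONE reports (redzone(9) malloc debugging) from syslog/dmesg text."""
import quopri
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Optional syslog prefix as seen in the report: "Sep 3 13:13:13 host kernel: [619] ".
_PREFIX = r"^(?:\w{3}\s+\d+\s+[\d:]+\s+\S+\s+kernel:\s+)?(?:\[\d+\]\s+)?"
# Underflow wording ("... corrupted before ...") is assumed to mirror the overflow form.
_HEADER = re.compile(
    _PREFIX + r"REDZONE: Buffer (overflow|underflow) detected\.\s*"
    r"(\d+) bytes? corrupted (?:after|before) (0x[0-9a-f]+) \((\d+) bytes allocated\)\.", re.I)
_SECTION = re.compile(_PREFIX + r"(Allocation|Free) backtrace:")
_FRAME = re.compile(_PREFIX + r"#(\d+)\s+(0x[0-9a-f]+)\s+at\s+(\w+)\+(0x[0-9a-f]+)", re.I)

# Frames that belong to the allocator and redzone machinery itself (my own list);
# the first frame after these is the code that owns the buffer.
_ALLOCATOR_FRAMES = {"redzone_setup", "redzone_check", "malloc", "free", "free_dbg"}


@dataclass
class Frame:
    index: int
    pc: int
    func: str
    offset: int


@dataclass
class RedzoneReport:
    kind: str            # "overflow" or "underflow"
    corrupted: int       # number of guard bytes found clobbered
    addr: int            # end (overflow) or start (underflow) of the buffer
    alloc_size: int
    alloc_bt: List[Frame] = field(default_factory=list)
    free_bt: List[Frame] = field(default_factory=list)

    @staticmethod
    def _owner(frames: List[Frame]) -> Optional[str]:
        for f in frames:
            if f.func not in _ALLOCATOR_FRAMES:
                return f.func
        return None

    def alloc_site(self) -> Optional[str]:
        """Function that called malloc for this buffer."""
        return self._owner(self.alloc_bt)

    def free_site(self) -> Optional[str]:
        """Function whose free() triggered the redzone check."""
        return self._owner(self.free_bt)


def parse_redzone_report(text: str, quoted_printable: bool = False) -> Optional[RedzoneReport]:
    """Return the first REDZONE report found in text, or None if there is none."""
    if quoted_printable:
        # Undo "=\n" soft breaks that split words like "dete=\ncted" in mail archives.
        text = quopri.decodestring(text.encode()).decode()
    report: Optional[RedzoneReport] = None
    current: Optional[List[Frame]] = None
    for line in text.splitlines():
        line = line.strip()
        m = _HEADER.match(line)
        if m:
            if report is not None:
                break  # a second report starts here; keep only the first
            report = RedzoneReport(m.group(1).lower(), int(m.group(2)),
                                   int(m.group(3), 16), int(m.group(4)))
            continue
        if report is None:
            continue
        m = _SECTION.match(line)
        if m:
            current = report.alloc_bt if m.group(1) == "Allocation" else report.free_bt
            continue
        m = _FRAME.match(line)
        if m and current is not None:
            current.append(Frame(int(m.group(1)), int(m.group(2), 16),
                                 m.group(3), int(m.group(4), 16)))
    return report


def summarize(r: RedzoneReport) -> str:
    """One-line triage summary: what was clobbered, who allocated it, who freed it."""
    where = "past the end of" if r.kind == "overflow" else "before the start of"
    return (f"{r.corrupted} byte(s) written {where} a {r.alloc_size}-byte buffer "
            f"allocated by {r.alloc_site()}, detected on free by {r.free_site()}")


# Constructed sample: the report from the message, in quoted-printable form with
# the soft line breaks the list archive shows, shortened to four frames per trace.
SAMPLE_QP = """\
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] REDZONE: Buffer overflow dete=
cted. 16 bytes corrupted after 0xfffffe1fe0023248 (2237000 bytes allocated).
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] Allocation backtrace:
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #0 0xffffffff80e188e1 at redz=
one_setup+0xe1
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #1 0xffffffff80ac8007 at mall=
oc+0x1d7
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #2 0xffffffff80b1f449 at blis=
t_create+0x99
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #3 0xffffffff80e1daa7 at swap=
onsomething+0xe7
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] Free backtrace:
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #0 0xffffffff80e18c28 at redz=
one_check+0x2f8
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #1 0xffffffff80ac85af at free=
_dbg+0x5f
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #2 0xffffffff80ac84aa at free=
+0x1a
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #3 0xffffffff80e1cae5 at swap=
off_one+0x675
"""

if __name__ == "__main__":
    print(summarize(parse_redzone_report(SAMPLE_QP, quoted_printable=True)))
```

Feed it the raw archive text with `quoted_printable=True`, or a live `dmesg` capture with the default; in both cases the alloc and free sites are the first frames outside the allocator, which is the pair a bug report or a ticket should lead with.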