Date: Mon, 3 Sep 2018 13:40:16 -0400
From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: freebsd-current@freebsd.org
Subject: redzone catching a buffer overflow in swapoff_one
Message-ID: <20180903174016.5ofc4p27vilkf2yk@mutt-hbsd>
I'm unsure whether this is a false positive or true positive, but it looks like there may be a buffer overflow in swapoff_one:

Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] REDZONE: Buffer overflow detected. 16 bytes corrupted after 0xfffffe1fe0023248 (2237000 bytes allocated).
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] Allocation backtrace:
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #0 0xffffffff80e188e1 at redzone_setup+0xe1
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #1 0xffffffff80ac8007 at malloc+0x1d7
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #2 0xffffffff80b1f449 at blist_create+0x99
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #3 0xffffffff80e1daa7 at swaponsomething+0xe7
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #4 0xffffffff80e1c233 at sys_swapon+0x413
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #5 0xffffffff80fc0e5e at amd64_syscall+0x29e
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #6 0xffffffff80f9dc9d at fast_syscall_common+0x101
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] Free backtrace:
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #0 0xffffffff80e18c28 at redzone_check+0x2f8
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #1 0xffffffff80ac85af at free_dbg+0x5f
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #2 0xffffffff80ac84aa at free+0x1a
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #3 0xffffffff80e1cae5 at swapoff_one+0x675
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #4 0xffffffff80e1cc57 at swapoff_all+0xd7
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #5 0xffffffff80b9991a at bufshutdown+0x2ca
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #6 0xffffffff80aec36e at kern_reboot+0x21e
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #7 0xffffffff80aec0f9 at sys_reboot+0x3a9
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #8 0xffffffff80fc0e5e at amd64_syscall+0x29e
Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #9 0xffffffff80f9dc9d at fast_syscall_common+0x101

Of course, I'm running HardenedBSD 12-CURRENT/amd64. I've synced with FreeBSD at this commit:

https://github.com/freebsd/freebsd/commit/2f2449cc1cdfc19ae34b2317e792af489418a01a

So my src tree is at this commit:

https://github.com/HardenedBSD/hardenedBSD/commit/98f90fadab000b818a731be4650ac1a47144501c

I've not yet studied the swap pager's code and plan to start learning it soon.

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal: +1 443-546-8752
Tor+XMPP+OTR: lattera@is.a.hacker.sx
GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE
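As an added illustration of what the REDZONE report above is measuring (this is not code from the mail or from the FreeBSD kernel), here is a user-space stand-in for a redzone-checking allocator: each allocation gets a pattern-filled guard region after the caller's bytes, free time counts guard bytes that no longer match, and a report in the same shape as the kernel's is printed. The 64-byte guard, the 0x42 fill byte, the 16-byte size header and the 32-byte buffer written with 48 bytes are all constructed values for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Guard region appended to every user buffer and its fill pattern
 * (constructed values for this example, not the kernel's). */
#define RZ_SIZE 64
#define RZ_FILL 0x42
/* Header in front of the user buffer records the requested size; 16 bytes keeps alignment. */
#define RZ_HDR_SIZE 16

/* Allocate user_size bytes with a size header in front and a guard region after. */
void *rz_malloc(size_t user_size)
{
    unsigned char *base = malloc(RZ_HDR_SIZE + user_size + RZ_SIZE);
    if (base == NULL)
        return NULL;
    memcpy(base, &user_size, sizeof user_size);
    memset(base + RZ_HDR_SIZE + user_size, RZ_FILL, RZ_SIZE);
    return base + RZ_HDR_SIZE;
}

/* Count guard bytes that no longer hold the fill pattern (0 means clean), report if any, then release. */
size_t rz_free(void *user)
{
    unsigned char *base = (unsigned char *)user - RZ_HDR_SIZE;
    size_t user_size, corrupted = 0;
    memcpy(&user_size, base, sizeof user_size);
    const unsigned char *zone = base + RZ_HDR_SIZE + user_size;
    for (size_t i = 0; i < RZ_SIZE; i++)
        if (zone[i] != RZ_FILL)
            corrupted++;
    if (corrupted != 0)
        fprintf(stderr, "REDZONE: %zu bytes corrupted after %p (%zu bytes allocated)\n",
                corrupted, user, user_size);
    free(base);
    return corrupted;
}

/* Constructed scenario: 48 bytes written into a 32-byte buffer, a stand-in for an over-run. */
size_t demo_overrun(void)
{
    char *buf = rz_malloc(32);
    if (buf == NULL)
        return (size_t)-1;
    memset(buf, 'A', 48);   /* 16 bytes spill into the guard region */
    return rz_free(buf);    /* reports and returns 16 */
}
```

The kernel's check runs inside free(), which is why the report's free backtrace, not its allocation backtrace, points at swapoff_one: the trace says where the corruption was noticed, not where the overrun happened.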