Subject: Re: svn commit: r360233 - in head: contrib/jemalloc . . . : This partially breaks a 2-socket 32-bit powerpc (old PowerMac G4) based on head -r360311
From: Mark Millard
Date: Tue, 5 May 2020 01:52:27 -0700
To: "vangyzen@freebsd.org", svn-src-head@freebsd.org, FreeBSD Current, FreeBSD Hackers, FreeBSD PowerPC ML
Cc: Brandon Bergren
In-Reply-To:
Message-Id: <121B9B09-141B-4DC3-918B-1E7CFB99E779@yahoo.com>
References: <8479DD58-44F6-446A-9CA5-D01F0F7C1B38@yahoo.com> <17ACDA02-D7EF-4F26-874A-BB3E935CD072@yahoo.com> <695E6836-F860-4557-B7DE-CC1EDB347F18@yahoo.com>

[This report just shows an interesting rpcbind crash: a pointer was filled with part of a string instead, leading to a failed memory access attempt from the junk address produced.]

Core was generated by `/usr/sbin/rpcbind'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x5024405c in rendezvous_request (xprt=, msg=) at /usr/src/lib/libc/rpc/svc_vc.c:335
335		cd->recvsize = r->recvsize;
(gdb) list
330			_setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, &len, sizeof (len));
331		}
332	
333		cd = (struct cf_conn *)newxprt->xp_p1;
334	
335		cd->recvsize = r->recvsize;
336		cd->sendsize = r->sendsize;
337		cd->maxrec = r->maxrec;
338	
339		if (cd->maxrec != 0) {
(gdb) print/c *cd
Cannot access memory at address 0x2d202020

FYI:

. . .
   0x50244050 <+452>:	bl      0x502e3404 <00000000.plt_pic32._setsockopt>
   0x50244054 <+456>:	lwz     r27,80(r29)
   0x50244058 <+460>:	lwz     r3,4(r24)
=> 0x5024405c <+464>:	stw     r3,436(r27)

Note the 80(r29) use.

(gdb) info reg
r0             0x50244020          1344552992
r1             0xffffb400          4294947840
r2             0x500a1018          1342836760
r3             0x2328              9000
r4             0x32ef559c          854545820
r5             0x0                 0
r6             0xffffb360          4294947680
r7             0xffffb364          4294947684
r8             0x5004733c          1342468924
r9             0x0                 0
r10            0x20                32
r11            0x50252ea0          1344614048
r12            0x24200ca0          606080160
r13            0x0                 0
r14            0x0                 0
r15            0xffffbc28          4294949928
r16            0x10002848          268445768
r17            0x10040000          268697600
r18            0x2                 2
r19            0x0                 0
r20            0x1                 1
r21            0x5004c044          1342488644
r22            0xffffb63c          4294948412
r23            0x80                128
r24            0x50048010          1342472208
r25            0x14                20
r26            0xffffb630          4294948400
r27            0x2d202020          757080096
r28            0xf                 15
r29            0x50047308          1342468872
r30            0x5030112c          1345327404
r31            0x10040000          268697600
pc             0x5024405c          0x5024405c
msr
cr             0x842000a0          2216689824
lr             0x50244020          0x50244020
ctr            0x50252ea0          1344614048
xer            0x0                 0
fpscr          0x0                 0
vscr
vrsave

(gdb) x/s 0x50047308+72
0x50047350:	" - - -\n"

So it tried to use "- " as a pointer value.

It appears that the r29 value was from:

   0x50243f90 <+260>:	mr      r28,r3
   0x50243f94 <+264>:	lwz     r4,0(r24)
   0x50243f98 <+268>:	lwz     r5,4(r24)
   0x50243f9c <+272>:	mr      r3,r28
   0x50243fa0 <+276>:	bl      0x5024308c
   0x50243fa4 <+280>:	lwz     r27,36(r1)
   0x50243fa8 <+284>:	mr      r29,r3

The makefd_xprt being used as part of:

	/*
	 * make a new transporter (re-uses xprt)
	 */
	newxprt = makefd_xprt(sock, r->sendsize, r->recvsize);
	newxprt->xp_rtaddr.buf = mem_alloc(len);
	if (newxprt->xp_rtaddr.buf == NULL)
		return (FALSE);
	memcpy(newxprt->xp_rtaddr.buf, &addr, len);
	newxprt->xp_rtaddr.len = len;
#ifdef PORTMAP
	if (addr.ss_family == AF_INET || addr.ss_family == AF_LOCAL) {
		newxprt->xp_raddr = *(struct sockaddr_in *)newxprt->xp_rtaddr.buf;
		newxprt->xp_addrlen = sizeof (struct sockaddr_in);
	}
#endif				/* PORTMAP */
	if (__rpc_fd2sockinfo(sock, &si) && si.si_proto == IPPROTO_TCP) {
		len = 1;
		/* XXX fvdl - is this useful? */
		_setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, &len, sizeof (len));
	}

	cd = (struct cf_conn *)newxprt->xp_p1;

	cd->recvsize = r->recvsize;
	cd->sendsize = r->sendsize;
	cd->maxrec = r->maxrec;

FYI:

(gdb) print *r
$5 = {sendsize = 9000, recvsize = 9000, maxrec = 9000}

There is more evidence of strings in pointers in *newxprt (xp_tp, oa_base, xp_p1, xp_p2, xp_p3):

(gdb) print *newxprt
$7 = {xp_fd = 15, xp_port = 0, xp_ops = 0x50329e1c, xp_addrlen = 16, xp_raddr = {sin_len = 16 '\020', sin_family = 1 '\001', sin_port = 0, sin_addr = {s_addr = 0}, sin_zero = "\000\000\000\000\000\000\000"}, xp_ops2 = 0x756e6978, xp_tp = 0x2020 , xp_netid = 0x10010000 , xp_ltaddr = {maxlen = 0, len = 0, buf = 0x0}, xp_rtaddr = {maxlen = 539828256, len = 16, buf = 0x50047330}, xp_verf = {oa_flavor = 0, oa_base = 0x202d2020 , oa_length = 538976288}, xp_p1 = 0x2d202020, xp_p2 = 0x20202020, xp_p3 = 0x2d0a0079, xp_type = 543780384}

(gdb) print (char*)(&newxprt->xp_verf.oa_base)
$24 = 0x50047350 " - - -\n"
(gdb) print (char*)(&newxprt->xp_p3)+3
$13 = 0x50047363 "y in FreeBSD.\n"
(gdb) print (char*)(&newxprt->xp_type)
$25 = 0x50047364 " in FreeBSD.\n"

===
Mark Millard
marklmi at yahoo.com
( dsl-only.net went away in early 2018-Mar)
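The x/s and (char*) checks in the report above can be done mechanically when triaging a dump like this one. As an added example (not code from the thread or from FreeBSD), this C program decodes each suspicious field value from the gdb output as four big-endian bytes, the byte order PowerPC stores them in, and flags the "pointers" that read entirely as text.

```c
#include <stdint.h>
#include <stdio.h>

/* Bytes a C string or log message plausibly contains. */
static int is_textish(unsigned char c)
{
    return (c >= 0x20 && c < 0x7f) || c == '\n' || c == '\t' || c == '\r';
}

/* Decode word in big-endian order (PowerPC) into out (NUL-terminated;
 * '.' marks bytes that are not printable) and return how many of the
 * four bytes look like text. */
int word_as_text(uint32_t word, char out[5])
{
    int textish = 0;
    for (int i = 0; i < 4; i++) {
        unsigned char c = (unsigned char)(word >> (24 - 8 * i));
        if (is_textish(c))
            textish++;
        out[i] = (c >= 0x20 && c < 0x7f) ? (char)c : '.';
    }
    out[4] = '\0';
    return textish;
}

/* A "pointer" whose every byte is text is far more likely to be
 * string data that overwrote the field than a real address. */
int looks_like_string_data(uint32_t word)
{
    char buf[5];
    return word_as_text(word, buf) == 4;
}

int main(void)
{
    /* Field values copied from the gdb dump in the report (xp_type was printed in decimal). */
    const struct { const char *name; uint32_t val; } fields[] = {
        { "xp_ops", 0x50329e1c },  { "xp_ops2", 0x756e6978 },
        { "xp_rtaddr.buf", 0x50047330 }, { "xp_p1", 0x2d202020 },
        { "xp_p2", 0x20202020 }, { "xp_p3", 0x2d0a0079 },
        { "xp_type", 543780384u },
    };
    for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++) {
        char text[5];
        int n = word_as_text(fields[i].val, text);
        printf("%-14s 0x%08x \"%s\" %d/4 text%s\n", fields[i].name, fields[i].val,
               text, n, looks_like_string_data(fields[i].val) ? "  <- string data?" : "");
    }
    return 0;
}
```

Real addresses in this process (0x50xxxxxx library, 0x10xxxxxx binary, 0xffffxxxx stack) contain at least one control or high byte, so they never score 4/4; xp_ops2 decodes to "unix" and xp_type to " in ", matching the strings the (char*) casts found.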