Date: Mon, 3 Sep 2018 14:51:34 -0400
From: Mark Johnston
To: Shawn Webb
Cc: freebsd-current@freebsd.org
Subject: Re: redzone catching a buffer overflow in swapoff_one
Message-ID: <20180903185134.GD2751@raichu>
In-Reply-To: <20180903174016.5ofc4p27vilkf2yk@mutt-hbsd>

On Mon, Sep 03, 2018 at 01:40:16PM -0400, Shawn Webb wrote:
> I'm unsure whether this is a false positive or true positive, but it
> looks like there may be a buffer overflow in swapoff_one:
>
> Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] REDZONE: Buffer overflow detected. 16 bytes corrupted after 0xfffffe1fe0023248 (2237000 bytes allocated).
> Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] Allocation backtrace:
> Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #0 0xffffffff80e188e1 at redzone_setup+0xe1
> Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #1 0xffffffff80ac8007 at malloc+0x1d7
> Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #2 0xffffffff80b1f449 at blist_create+0x99
> Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #3 0xffffffff80e1daa7 at swaponsomething+0xe7
> Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #4 0xffffffff80e1c233 at sys_swapon+0x413
> Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #5 0xffffffff80fc0e5e at amd64_syscall+0x29e
> Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #6 0xffffffff80f9dc9d at fast_syscall_common+0x101
> Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] Free backtrace:
> Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #0 0xffffffff80e18c28 at redzone_check+0x2f8
> Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #1 0xffffffff80ac85af at free_dbg+0x5f
> Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #2 0xffffffff80ac84aa at free+0x1a
> Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #3 0xffffffff80e1cae5 at swapoff_one+0x675
> Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #4 0xffffffff80e1cc57 at swapoff_all+0xd7
> Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #5 0xffffffff80b9991a at bufshutdown+0x2ca
> Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #6 0xffffffff80aec36e at kern_reboot+0x21e
> Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #7 0xffffffff80aec0f9 at sys_reboot+0x3a9
> Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #8 0xffffffff80fc0e5e at amd64_syscall+0x29e
> Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #9 0xffffffff80f9dc9d at fast_syscall_common+0x101
>
> Of course, I'm running HardenedBSD 12-CURRENT/amd64. I've synced with
> FreeBSD at this commit:
> https://github.com/freebsd/freebsd/commit/2f2449cc1cdfc19ae34b2317e792af489418a01a
>
> So my src tree is at this commit:
> https://github.com/HardenedBSD/hardenedBSD/commit/98f90fadab000b818a731be4650ac1a47144501c
>
> I've not yet studied the swap pager's code and plan to start learning
> it soon.

See PR 231116.
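As an added example, not part of this thread and not FreeBSD's own redzone(9) code: a small user-space model of how a trailing redzone detects a write past the end of an allocation at free time, producing a report of the same shape as the one quoted above. The guard size, the 0x42 fill byte and the size-prefix wrapper are assumptions of this model; the kernel also guards the front of each allocation, which is omitted here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RZ_AFTER 16      /* guard bytes after the user buffer (model's choice) */
#define RZ_FILL  0x42    /* fill pattern for the guard (model's choice) */

/* Allocate n user bytes plus a trailing guard filled with RZ_FILL; the
 * requested size is stored in front of the buffer so the check can find it. */
static void *rz_malloc(size_t n)
{
	unsigned char *raw = malloc(sizeof(size_t) + n + RZ_AFTER);
	if (raw == NULL)
		return NULL;
	memcpy(raw, &n, sizeof n);
	memset(raw + sizeof(size_t) + n, RZ_FILL, RZ_AFTER);
	return raw + sizeof(size_t);
}

/* Count guard bytes that no longer hold RZ_FILL (0 = intact) and, on
 * corruption, print a report shaped like the kernel's REDZONE message. */
static int rz_check(const void *p)
{
	const unsigned char *user = p;
	size_t n, i;
	int bad = 0;
	memcpy(&n, user - sizeof(size_t), sizeof n);
	for (i = 0; i < RZ_AFTER; i++)
		if (user[n + i] != RZ_FILL) bad++;
	if (bad > 0)
		fprintf(stderr, "REDZONE: Buffer overflow detected. %d bytes corrupted "
		    "after %p (%zu bytes allocated).\n", bad, p, n);
	return bad;
}

/* Constructed scenario: write 'overrun' bytes past an n-byte buffer, then free
 * it. Returns the corrupted-byte count the check reports, or -1 on bad input. */
static int demo_overrun(size_t n, size_t overrun)
{
	if (overrun > RZ_AFTER)          /* keep the write inside the guard */
		return -1;
	unsigned char *buf = rz_malloc(n);
	if (buf == NULL)
		return -1;
	memset(buf, 0, n + overrun);     /* deliberate write past the end */
	int bad = rz_check(buf);         /* the check free(9) runs on REDZONE builds */
	free(buf - sizeof(size_t));
	return bad;
}
```

A 16-byte overrun of a 2237000-byte buffer yields exactly the "16 bytes corrupted ... (2237000 bytes allocated)" line seen in the report; an in-bounds write yields no message.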