From: Mark Millard
Subject: Re: redzone catching a buffer overflow in swapoff_one
Message-Id: <74FA848C-A569-463A-810D-E19567A9616F@yahoo.com>
Date: Mon, 3 Sep 2018 13:09:39 -0700
To: shawn.webb@ardenedbsd.org, FreeBSD Current

Shawn Webb shawn.webb at hardenedbsd.org wrote on
Mon Sep 3 17:41:17 UTC 2018 :

> I'm unsure whether this is a false positive or true positive, but it
> looks like there may be a buffer overflow in swapoff_one:
>
> Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] REDZONE: Buffer overflow detected. 16 bytes corrupted after 0xfffffe1fe0023248 (2237000 bytes allocated).
> Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] Allocation backtrace:
> Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #0 0xffffffff80e188e1 at redzone_setup+0xe1
> Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #1 0xffffffff80ac8007 at malloc+0x1d7
> Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #2 0xffffffff80b1f449 at blist_create+0x99
> Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #3 0xffffffff80e1daa7 at swaponsomething+0xe7
> Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #4 0xffffffff80e1c233 at sys_swapon+0x413
> Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #5 0xffffffff80fc0e5e at amd64_syscall+0x29e
> Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #6 0xffffffff80f9dc9d at fast_syscall_common+0x101
> Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] Free backtrace:
> Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #0 0xffffffff80e18c28 at redzone_check+0x2f8
> Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #1 0xffffffff80ac85af at free_dbg+0x5f
> Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #2 0xffffffff80ac84aa at free+0x1a
> Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #3 0xffffffff80e1cae5 at swapoff_one+0x675
> Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #4 0xffffffff80e1cc57 at swapoff_all+0xd7
> Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #5 0xffffffff80b9991a at bufshutdown+0x2ca
> Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #6 0xffffffff80aec36e at kern_reboot+0x21e
> Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #7 0xffffffff80aec0f9 at sys_reboot+0x3a9
> Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #8 0xffffffff80fc0e5e at amd64_syscall+0x29e
> Sep 3 13:13:13 hbsd-dev-laptop kernel: [619] #9 0xffffffff80f9dc9d at fast_syscall_common+0x101

See:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231116

for "Out of bounds memory access in blist_create()" with a
Mark Johnston patch in Comment #2.

===
Mark Millard
marklmi at yahoo.com
( dsl-only.net went away in early 2018-Mar)
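
A triage sketch for the report quoted above, added here as an example (not part of the original message and not FreeBSD code): it separates the caller that allocated the corrupted buffer from the caller where the check ran at free time. The names `parse_redzone` and `triage` are hypothetical, the sample is an excerpt of the quoted log, and the underflow wording is assumed to mirror the overflow line.

```python
import re

# Excerpt of the report quoted in the message (outer syscall frames omitted).
SAMPLE = """\
kernel: [619] REDZONE: Buffer overflow detected. 16 bytes corrupted after 0xfffffe1fe0023248 (2237000 bytes allocated).
kernel: [619] Allocation backtrace:
kernel: [619] #0 0xffffffff80e188e1 at redzone_setup+0xe1
kernel: [619] #1 0xffffffff80ac8007 at malloc+0x1d7
kernel: [619] #2 0xffffffff80b1f449 at blist_create+0x99
kernel: [619] #3 0xffffffff80e1daa7 at swaponsomething+0xe7
kernel: [619] Free backtrace:
kernel: [619] #0 0xffffffff80e18c28 at redzone_check+0x2f8
kernel: [619] #1 0xffffffff80ac85af at free_dbg+0x5f
kernel: [619] #2 0xffffffff80ac84aa at free+0x1a
kernel: [619] #3 0xffffffff80e1cae5 at swapoff_one+0x675
"""

# Header line; the "underflow ... before" variant is an assumption.
HEAD = re.compile(r"REDZONE: Buffer (over|under)flow detected\. (\d+) bytes? "
                  r"corrupted (?:after|before) (0x[0-9a-f]+) \((\d+) bytes allocated\)")
SECTION = re.compile(r"(Allocation|Free) backtrace:")
FRAME = re.compile(r"#\d+ 0x[0-9a-f]+ at (\w+)\+0x[0-9a-f]+")
# Allocator and checker frames seen in the log; they never own the buffer.
PLUMBING = {"redzone_setup", "redzone_check", "malloc", "free", "free_dbg"}

def parse_redzone(text):
    """Return the first REDZONE report in text as a dict, or None."""
    report, section = None, None
    for line in text.splitlines():
        m = HEAD.search(line)
        if m:
            if report:          # a second report starts: stop at the first
                break
            report = {"kind": m.group(1) + "flow", "corrupted": int(m.group(2)),
                      "addr": m.group(3), "size": int(m.group(4)),
                      "Allocation": [], "Free": []}
            continue
        m = SECTION.search(line)
        if m:
            section = m.group(1)
            continue
        m = FRAME.search(line)
        if m and report and section:
            report[section].append(m.group(1))
    return report

def triage(text):
    """Name the buffer's allocating caller and the caller where the check fired."""
    r = parse_redzone(text)
    if r is None:
        return None
    first = lambda frames: next((f for f in frames if f not in PLUMBING), None)
    return {"kind": r["kind"], "corrupted": r["corrupted"], "size": r["size"],
            "allocated_by": first(r["Allocation"]), "checked_in": first(r["Free"])}
```

On this report the allocating caller is `blist_create` and `swapoff_one` is only where the free-time check ran, which matches the bug report referenced in the reply.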