From owner-freebsd-bugs@FreeBSD.ORG Mon Oct 8 08:30:02 2007
Return-Path:
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C87A616A41A for ; Mon, 8 Oct 2007 08:30:02 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 9B92713C467 for ; Mon, 8 Oct 2007 08:30:02 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.1/8.14.1) with ESMTP id l988U2o8074103 for ; Mon, 8 Oct 2007 08:30:02 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.1/8.14.1/Submit) id l988U2lJ074102; Mon, 8 Oct 2007 08:30:02 GMT (envelope-from gnats)
Resent-Date: Mon, 8 Oct 2007 08:30:02 GMT
Resent-Message-Id: <200710080830.l988U2lJ074102@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Vladimir Ermakov
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D14CC16A417 for ; Mon, 8 Oct 2007 08:26:40 +0000 (UTC) (envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21]) by mx1.freebsd.org (Postfix) with ESMTP id B7C5813C480 for ; Mon, 8 Oct 2007 08:26:40 +0000 (UTC) (envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1]) by www.freebsd.org (8.14.1/8.14.1) with ESMTP id l988Qeuf046387 for ; Mon, 8 Oct 2007 08:26:40 GMT (envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost) by www.freebsd.org (8.14.1/8.14.1/Submit) id l988QeJg046386; Mon, 8 Oct 2007 08:26:40 GMT (envelope-from nobody)
Message-Id: <200710080826.l988QeJg046386@www.freebsd.org>
Date: Mon, 8 Oct 2007 08:26:40 GMT
From: Vladimir Ermakov
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Cc:
Subject: kern/117010: [linuxolator] linux_getdents() get something like buffer overflow or else
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 08 Oct 2007 08:30:02 -0000

>Number:         117010
>Category:       kern
>Synopsis:       [linuxolator] linux_getdents() get something like buffer overflow or else
>Confidential:   no
>Severity:       critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Oct 08 08:30:01 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Vladimir Ermakov
>Release:        7.0-CURRENT
>Organization:
_
>Environment:
uname -a
FreeBSD damask 7.0-CURRENT FreeBSD 7.0-CURRENT #0: Wed Sep 12 17:04:55 SAMST 2007     root at localhost:/usr/obj/usr/src/sys/CS2  i386
>Description:
# su hlds -c "ktrace -i ./hlds_run -game cstrike +ip 0.0.0.0 +port 27015 +map de_dust -debug"
Auto detecting CPU
Using Pentium II Optimised binary.
Enabling debug mode
Auto-restarting the server on crash
Console initialized.
scandir failed:/usr/home/hlds/1.6/./platform/SAVE
Protocol version 47
Exe version 1.1.2.5/Stdio (cstrike)
Exe build: 20:02:49 Oct 24 2006 (3651)
STEAM Auth Server
couldn't exec language.cfg
Server IP address 0.0.0.0:27015
scandir failed:/usr/home/hlds/1.6/./platform/SAVE
*** glibc detected *** ./hlds_i686: double free or corruption (!prev): 0x08da3738 ***
======= Backtrace: =========
/lib/libc.so.6[0x2811ac88]
/lib/libc.so.6(cfree+0x90)[0x2811e230]
/lib/libc.so.6(closedir+0x28)[0x2813ecf8]
/lib/libc.so.6(scandir+0x14b)[0x2813f21b]
/usr/home/hlds/1.6/filesystem_stdio_i386.so(findFileInDirCaseInsensitive__FPCc+0xe4)[0x28af41d8]
/usr/home/hlds/1.6/filesystem_stdio_i386.so(FS_stat__17CFileSystem_StdioPCcP4stat+0x40)[0x28af861c]
/usr/home/hlds/1.6/filesystem_stdio_i386.so(FastFindFileSize__15CBaseFileSystemPCQ215CBaseFileSystem11CSearchPathPCc+0x17e)[0x28af572a]
/usr/home/hlds/1.6/filesystem_stdio_i386.so(Size__15CBaseFileSystemPCc+0x5b)[0x28af557b]
/usr/home/hlds/1.6/engine_i686.so(FS_FileSize+0x2a)[0x2828679e]
======= Memory map: ========
08048000-08054000 r-xp 0003a000 00:00 1931338    /usr/home/hlds/1.6/hlds_i686
08054000-0805b000 rw-p 0003a000 00:00 1931338    /usr/home/hlds/1.6/hlds_i686
0805b000-0805e000 rw-p 00d60000 00:00 0
0805e000-08dbb000 rwxp 00d60000 00:00 0
28054000-2806d000 r-xp 0001e000 00:00 1719480    /usr/compat/linux/lib/ld-2.5.so
2806d000-2806e000 r-xp 0001e000 00:00 1719480    /usr/compat/linux/lib/ld-2.5.so
2806e000-2806f000 rw-p 00002000 00:00 0
2806f000-28070000 rwxp 00002000 00:00 0
28071000-28073000 r-xp 00004000 00:00 1719493    /usr/compat/linux/lib/libdl-2.5.so
28073000-28074000 r-xp 00004000 00:00 1719493    /usr/compat/linux/lib/libdl-2.5.so
28074000-28075000 rwxp 00004000 00:00 1719493    /usr/compat/linux/lib/libdl-2.5.so
28075000-28076000 rwxp 00001000 00:00 0
28076000-28088000 r-xp 0001e000 00:00 1719511    /usr/compat/linux/lib/libpthread-2.5.so
28088000-28089000 r-xp 0001e000 00:00 1719511    /usr/compat/linux/lib/libpthread-2.5.so
28089000-2808a000 rwxp 0001e000 00:00 1719511    /usr/compat/linux
Abort trap (core dumped)
debug.cmds:1: Error in sourced command file:
Previous frame inner to this frame (corrupt stack?)
email debug.log to linux at valvesoftware.com
Wed Sep 12 20:27:04 SAMST 2007: Server restart in 10 seconds
Wed Sep 12 20:27:06 SAMST 2007: Server Quit
#
===================================================
# uname -a
FreeBSD damask 7.0-CURRENT FreeBSD 7.0-CURRENT #0: Wed Sep 12 17:04:55 SAMST 2007     root at localhost:/usr/obj/usr/src/sys/CS2  i386
# sysctl compat
compat.linux.oss_version: 198144
compat.linux.osrelease: 2.6.16
compat.linux.osname: Linux
# kldstat
Id Refs Address    Size     Name
 1   14 0xc0400000 3e6ee0   kernel
 2    1 0xc07e7000 69514    acpi.ko
 3    1 0xc3ddd000 7000     linprocfs.ko
 4    2 0xc3de4000 21000    linux.ko
 5    1 0xc3e0e000 3000     linsysfs.ko
# mount|grep linux
linprocfs on /usr/compat/linux/proc (linprocfs, local)
linsysfs on /usr/compat/linux/sys (linsysfs, local)
# pkg_info | grep linux
linux_base-fc6-6_3  Base set of packages needed in Linux mode (for i386/amd64)

[private links to debug.log & ktrace.out]
please send me a message after downloading these files (so that I can remove them)

for a full description see these topics:
http://lists.freebsd.org/pipermail/freebsd-emulation/2007-August/003918.html
http://lists.freebsd.org/pipermail/freebsd-emulation/2007-September/003960.html
http://lists.freebsd.org/pipermail/freebsd-emulation/2007-September/004024.html

===========================================================================
On Thu, 13 Sep 2007 16:39:49 +0400 Boris Samorodov wrote:

> Just to note once more, that is for CURRENT and
> linux_base-fc6/2.6.16:
>
> Here is the relevant kdump:
>
> ftp://ftp.ipt.ru/pub/linux/hldc.kdump.txt
> And the corresponding dump for linux_base-fc4/2.6.16 (which works
> fine):
> ftp://ftp.ipt.ru/pub/linux/fc4.dump.txt
> You may easily notice the difference if you open those URLs in two tabs
> within your browser. ;-)

Some more info. If cstrike/sound/weapons is moved (e.g. renamed) the server loads fine. I've done an RTFS and seen that linux_getdents and linux_getdents64 use different data structures. Linux_base-fc4 uses linux_getdents64 here and succeeds, while linux_base-fc6 does quite the opposite. The directory cstrike/sound/weapons is the largest (165 files); other directories are way smaller. Seems that linux_getdents() gets something like a buffer overflow or else.

BTW, why does linux_base-fc6 use linux_getdents everywhere while linux_base-fc4 uses linux_getdents64?

WBR
--
Boris Samorodov (bsam)
Research Engineer, http://www.ipt.ru Telephone & Internet SP
FreeBSD committer, http://www.FreeBSD.org The Power To Serve

http://lists.freebsd.org/pipermail/freebsd-emulation/2007-September/003965.html
>How-To-Repeat:
install Counter-Strike 1.6 server on FreeBSD
instruction: http://weec.ovl.ru/csdivision/index.php?topic=552.0
# su games -c "./hlds_run -game cstrike +ip 0.0.0.0 +port 27015 +map de_dust"
>Fix:
_
>Release-Note:
>Audit-Trail:
>Unformatted:
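The follow-up in the PR attributes the crash to linux_getdents() and linux_getdents64() filling the caller's buffer with different record layouts, and to the failure only showing up on the one directory large enough to need more than one call. The C program below is an added example, written for this page; it is not code from the PR, from glibc, or from the FreeBSD linuxulator. It encodes the two documented Linux record layouts as field offsets (struct linux_dirent stores d_type as the last byte of each record, after the name and its padding; struct linux_dirent64 stores d_type in front of the name), builds a constructed three-entry 32-bit buffer, and walks it with the bounds checks a consumer of getdents output needs so that a truncated, undersized or oversized record ends the walk instead of reading past the buffer. The 4-byte record rounding, the entry names and the inode numbers are assumptions chosen for the sample, not values from the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field offsets of the two Linux directory-record layouts (taken from the
 * documented Linux ABI, not from the PR). A walker that applies one layout's
 * offsets to the other's records reads garbage for d_reclen and d_name. */
struct dirent_layout {
    size_t reclen_off;    /* offset of the 16-bit d_reclen field          */
    size_t name_off;      /* offset of d_name                              */
    int    type_trailing; /* 1: d_type is the last byte of the record      */
};
static const struct dirent_layout LAYOUT32 = { 8, 10, 1 };  /* struct linux_dirent   */
static const struct dirent_layout LAYOUT64 = { 16, 19, 0 }; /* struct linux_dirent64 */

/* Round a record length up to a 4-byte boundary (assumed 32-bit padding rule). */
static size_t round4(size_t n) { return (n + 3) & ~(size_t)3; }

/* Append one 32-bit linux_dirent record to buf. Returns the record length, or 0
 * if it would not fit in cap. Only used to build the constructed sample. */
size_t put_dirent32(unsigned char *buf, size_t cap, uint32_t ino,
                    const char *name, uint8_t type)
{
    size_t nlen = strlen(name) + 1;                     /* name plus NUL   */
    size_t reclen = round4(LAYOUT32.name_off + nlen + 1); /* plus d_type   */
    if (reclen > cap || reclen > UINT16_MAX) return 0;
    uint16_t rl = (uint16_t)reclen;
    memset(buf, 0, reclen);                             /* d_off stays 0   */
    memcpy(buf, &ino, sizeof ino);
    memcpy(buf + LAYOUT32.reclen_off, &rl, sizeof rl);
    memcpy(buf + LAYOUT32.name_off, name, nlen);
    buf[reclen - 1] = type;                             /* trailing d_type */
    return reclen;
}

/* Walk a getdents buffer of `len` bytes using layout `lay`. Returns the number
 * of complete records, or -1 (with *bad_off set, if given) at the first record
 * that is truncated, shorter than its fixed header plus an empty name, longer
 * than the bytes remaining, or whose name has no NUL inside the record. */
int walk_dirents(const unsigned char *buf, size_t len,
                 const struct dirent_layout *lay, size_t *bad_off)
{
    size_t off = 0, min_rec = lay->name_off + 1 + (lay->type_trailing ? 1 : 0);
    int n = 0;
    while (off < len) {
        size_t left = len - off;
        uint16_t reclen;
        if (left < lay->name_off) goto bad;               /* header cut off */
        memcpy(&reclen, buf + off + lay->reclen_off, sizeof reclen);
        if (reclen < min_rec || reclen > left) goto bad;  /* bad d_reclen   */
        size_t name_room = reclen - lay->name_off - (lay->type_trailing ? 1 : 0);
        if (memchr(buf + off + lay->name_off, '\0', name_room) == NULL) goto bad;
        n++;
        off += reclen;
    }
    if (bad_off) *bad_off = 0;
    return n;
bad:
    if (bad_off) *bad_off = off;
    return -1;
}

/* Build the constructed three-entry sample; returns bytes used (56). */
size_t build_sample(unsigned char *buf, size_t cap)
{
    size_t used = 0;
    used += put_dirent32(buf + used, cap - used, 2, ".", 4);          /* 16 bytes */
    used += put_dirent32(buf + used, cap - used, 1, "..", 4);         /* 16 bytes */
    used += put_dirent32(buf + used, cap - used, 17, "weapon.wav", 8); /* 24 bytes */
    return used;
}

/* Walk the sample with `drop` trailing bytes removed, interpreted as `lay`. */
int walk_sample(size_t drop, const struct dirent_layout *lay, size_t *bad_off)
{
    unsigned char buf[128];
    size_t used = build_sample(buf, sizeof buf);
    if (drop > used) return -2;
    return walk_dirents(buf, used - drop, lay, bad_off);
}

int main(void)
{
    size_t bad = 0;
    int full = walk_sample(0, &LAYOUT32, NULL);      /* 3 records          */
    int cut  = walk_sample(1, &LAYOUT32, &bad);      /* -1, bad record at 32 */
    int mis  = walk_sample(0, &LAYOUT64, NULL);      /* -1: wrong layout   */
    printf("intact: %d, truncated: %d (at offset %zu), as 64-bit layout: %d\n",
           full, cut, bad, mis);
    return full == 3 ? 0 : 1;
}
```

Reading the same 56-byte buffer with the 64-bit offsets fails on the very first record, because the two bytes at the 64-bit d_reclen offset are actually the second record's inode; that is the kind of mismatch the follow-up suspects between the two syscalls, and the reclen check is what turns it into a clean error rather than an out-of-bounds read.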