Date:      Wed, 22 Jun 2005 18:31:53 +0300
From:      Maxim Sobolev <sobomax@portaone.com>
To:        John Baldwin <jhb@FreeBSD.ORG>
Cc:        sobomax@FreeBSD.ORG, Kris Kennaway <kris@obsecurity.org>, Andrew Gallatin <gallatin@cs.duke.edu>, freebsd-amd64@FreeBSD.ORG, current@FreeBSD.ORG
Subject:   Re: Fatal trap 12 in exec_copyout_strings()
Message-ID:  <42B98469.7060505@portaone.com>
In-Reply-To: <200506221031.55875.jhb@FreeBSD.org>
References:  <20050510223636.GA49927@xor.obsecurity.org> <200506171434.49008.jhb@FreeBSD.org> <17080.29141.918333.170950@grasshopper.cs.duke.edu> <200506221031.55875.jhb@FreeBSD.org>

Good catch! Sorry for missing it.

-Maxim

John Baldwin wrote:
> On Tuesday 21 June 2005 04:00 pm, Andrew Gallatin wrote:
> 
>>John Baldwin writes:
>> > On Sunday 29 May 2005 01:50 pm, Kris Kennaway wrote:
>> > > On Tue, May 10, 2005 at 03:36:36PM -0700, Kris Kennaway wrote:
>> > > > Got this on a dual amd64 with 8GB RAM running 6.0 from last week:
>> > > >
>> > > > Fatal trap 12: page fault while in kernel mode
>> > > > cpuid = 1; apic id = 01
>> > > > fault virtual address   = 0xffffffffa9cdc000
>> > > > fault code      = supervisor read, page not present
>> > > > instruction pointer     = 0x8:0xffffffff8037759f
>> > > > stack pointer         = 0x10:0xffffffffba1637d0
>> > > > frame pointer         = 0x10:0xffffffffba163820
>> > > > code segment    = base 0x0, limit 0xfffff, type 0x1b
>> > > >                 = DPL 0, pres 1, long 1, def32 0, gran 1
>> > > > processor eflags        = interrupt enabled, resume, IOPL = 0
>> > > > current process         = 52247 (sh)
>> > > > [thread pid 52247 tid 100149 ]
>> > > > Stopped at      exec_copyout_strings+0x12f:
>> > > > db> wh
>> > > > Tracing pid 52247 tid 100149 td 0xffffff016e5724c0
>> > > > exec_copyout_strings() at exec_copyout_strings+0x12f
>> > > > do_execve() at do_execve+0x39a
>> > > > kern_execve() at kern_execve+0xab
>> > > > execve() at execve+0x49
>> > > > syscall() at syscall+0x382
>> > > > Xfast_syscall() at Xfast_syscall+0xa8
>> > > > --- syscall (59, FreeBSD ELF64, execve), rip = 0x80090622c, rsp =
>> > > > 0x7fffffffe058, rbp = 0xffffffff --- db>
>> > >
>> > > I've got this panic twice more since.
>> >
>> > Do you have a kernel.debug?  Can you do 'list
>> > *exec_copyout_strings+0x12f'?  I think I've seen reports of the
>> > linux32_exec_copyout_strings() having a similar fault as well on amd64.
>>
>>I just got this on my freshly installed UP, 512MB athlon64.  For me,
>>it's 100% reproducible when running a cross-compiler built on
>>FreeBSD-4.
>>
>>(kgdb) p *imgp->args
>>$33 = {
>>  buf = 0xffffffff90ba3000 <Address 0xffffffff90ba3000 out of bounds>,
>>  begin_argv = 0xffffffff90ba3000 <Address 0xffffffff90ba3000 out of
>>bounds>, begin_envv = 0xffffffff90ba313d <Address 0xffffffff90ba313d out of
>>bounds>, endp = 0xffffffff90ba389f <Address 0xffffffff90ba389f out of
>>bounds>, fname = 0xffffffff90be3000
>>"/home/gallatin/lanaitools/intel_FreeBSD/lib/gcc-lib/lanai/2.95.2..1.6/cc1"
>>, stringspace = 259937,
>>  argc = 23,
>>  envc = 46
>>}
>>
>>I'm puzzled.  fname seems to be buf+ARGV_MAX, so it's not
>>like something randomly scribbled on this memory.
>>
>>In the debugger, the memory just below buf+ARGV_MAX seems to be
>>unmapped.  But we've done copyins in freebsd32_exec_copyin_args(),
>>otherwise endp would not have been advanced.  So we've written to this
>>memory.
>>
>>It is almost like somebody freed buf through buf + 262144.
> 
> 
> I think I figured it out.  sobomax@ changed how much memory exec_copyin_args() 
> and exec_free_args() allocated and freed without updating 
> freebsd32_exec_copyin_args() and linux_exec_copyin_args(), so more memory was 
> freed than was allocated which would free memory out from other execs.  Patch 
> is below.  Let me know if it fixes the problem.
> 
> Index: amd64/linux32/linux32_machdep.c
> ===================================================================
> RCS file: /usr/cvs/src/sys/amd64/linux32/linux32_machdep.c,v
> retrieving revision 1.9
> diff -u -r1.9 linux32_machdep.c
> --- amd64/linux32/linux32_machdep.c	5 Apr 2005 15:28:06 -0000	1.9
> +++ amd64/linux32/linux32_machdep.c	22 Jun 2005 14:26:03 -0000
> @@ -113,7 +113,8 @@
>  	 * Allocate temporary demand zeroed space for argument and
>  	 *	environment strings
>  	 */
> -	args->buf = (char *) kmem_alloc_wait(exec_map, PATH_MAX + ARG_MAX);
> +	args->buf = (char *) kmem_alloc_wait(exec_map,
> +	    PATH_MAX + ARG_MAX + MAXSHELLCMDLEN);
>  	if (args->buf == NULL)
>  		return (ENOMEM);
>  	args->begin_argv = args->buf;
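Review bot: the length passed to kmem_alloc_wait() here must be identical to the length exec_free_args() passes to its free call, and this hunk restores that agreement only by hand; nothing ties the two expressions together, so the next change to the size in exec_copyin_args() can silently reintroduce the over-free that unmapped a neighbouring exec's buffer. Suggest defining the length once where struct image_args is declared and using that single macro in exec_copyin_args(), exec_free_args() and both compat copyin routines, or recording the mapped length in the args structure so exec_free_args() releases exactly what was allocated.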
> Index: compat/freebsd32/freebsd32_misc.c
> ===================================================================
> RCS file: /usr/cvs/src/sys/compat/freebsd32/freebsd32_misc.c,v
> retrieving revision 1.35
> diff -u -r1.35 freebsd32_misc.c
> --- compat/freebsd32/freebsd32_misc.c	11 Jun 2005 14:58:20 -0000	1.35
> +++ compat/freebsd32/freebsd32_misc.c	22 Jun 2005 14:26:11 -0000
> @@ -237,7 +237,8 @@
>  	 * Allocate temporary demand zeroed space for argument and
>  	 *	environment strings
>  	 */
> -	args->buf = (char *) kmem_alloc_wait(exec_map, PATH_MAX + ARG_MAX);
> +	args->buf = (char *) kmem_alloc_wait(exec_map,
> +	    PATH_MAX + ARG_MAX + MAXSHELLCMDLEN);
>  	if (args->buf == NULL)
>  		return (ENOMEM);
>  	args->begin_argv = args->buf;
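Review bot: the comment above the allocation ("Allocate temporary demand zeroed space for argument and environment strings") is left unchanged while the allocation grows by MAXSHELLCMDLEN, and this hunk is a byte-for-byte copy of the linux32 one, so a reader of either file cannot see why the extra bytes are needed or that the size is coupled to exec_free_args(). Suggest extending the comment to state what the MAXSHELLCMDLEN bytes are reserved for and that the length must match the one freed in exec_free_args(), or better, collapsing the two duplicated copyin routines onto the shared size definition so the coupling is enforced rather than documented.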
> 
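The failure mode John describes (a free that covers more bytes than the matching allocation mapped, so the excess is pulled out from under whichever exec happened to get the adjacent range) is easy to reproduce in a user-space model. The following is an added example written for this page, not code from the thread or from FreeBSD: it simulates exec_map as a flat byte array with per-byte ownership, uses constructed, scaled-down stand-ins for PATH_MAX, ARG_MAX and MAXSHELLCMDLEN, and shows that recording the mapped length in the args structure and freeing exactly that length removes the mismatch. All names and constants below are assumptions for the simulation.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed, scaled-down stand-ins for the kernel constants. */
#define SIM_PATH_MAX        64
#define SIM_ARG_MAX         256
#define SIM_MAXSHELLCMDLEN  16
#define SIM_MAP_SIZE        1024

/* Simulated exec_map: owner[i] is 0 when byte i is unmapped, otherwise
 * the id of the allocation that currently owns it. */
static unsigned char owner[SIM_MAP_SIZE];

/* First-fit mapping of a contiguous run of `len` bytes; returns the
 * offset of the run or -1 when the map is exhausted. */
static long sim_kmem_alloc(size_t len, unsigned char id)
{
    size_t run = 0;
    for (size_t i = 0; i < SIM_MAP_SIZE; i++) {
        run = owner[i] ? 0 : run + 1;
        if (run == len) {
            size_t start = i + 1 - len;
            memset(owner + start, id, len);
            return (long)start;
        }
    }
    return -1;
}

/* Unmap `len` bytes at `off`. Like a real kmem free, it does not check
 * that the caller owns every byte it releases; it just releases them. */
static void sim_kmem_free(long off, size_t len)
{
    for (size_t i = (size_t)off; i < (size_t)off + len && i < SIM_MAP_SIZE; i++)
        owner[i] = 0;
}

/* Hypothetical image_args with the mapped length recorded alongside buf. */
struct sim_image_args {
    long   buf;     /* offset into the simulated map */
    size_t buflen;  /* length handed to sim_kmem_alloc() */
};

/* Count how many bytes of an exec's buffer are still mapped to it. */
static size_t sim_mapped_bytes(const struct sim_image_args *a, unsigned char id)
{
    size_t n = 0;
    for (size_t i = 0; i < a->buflen; i++)
        if (owner[a->buf + i] == id)
            n++;
    return n;
}

/* Two concurrent execs, A and B, each map PATH_MAX + ARG_MAX. A then
 * frees its buffer. With use_recorded_len == 0 the free uses the larger
 * PATH_MAX + ARG_MAX + MAXSHELLCMDLEN (the mismatch in the thread); with
 * use_recorded_len != 0 it frees exactly a.buflen. Returns the number of
 * bytes of B's buffer that A's free unmapped. */
size_t simulate_free(int use_recorded_len)
{
    memset(owner, 0, sizeof owner);

    struct sim_image_args a, b;
    a.buflen = b.buflen = SIM_PATH_MAX + SIM_ARG_MAX;
    a.buf = sim_kmem_alloc(a.buflen, 1);
    b.buf = sim_kmem_alloc(b.buflen, 2);   /* first fit: directly after A */

    size_t free_len = use_recorded_len
        ? a.buflen
        : SIM_PATH_MAX + SIM_ARG_MAX + SIM_MAXSHELLCMDLEN;
    sim_kmem_free(a.buf, free_len);

    return b.buflen - sim_mapped_bytes(&b, 2);
}

int main(void)
{
    printf("free with mismatched size: %zu bytes of the neighbouring exec unmapped\n",
           simulate_free(0));
    printf("free with recorded length: %zu bytes of the neighbouring exec unmapped\n",
           simulate_free(1));
    return 0;
}
```

In the mismatched case the MAXSHELLCMDLEN excess lands on the first bytes of B's still-live buffer, which is the same class of hole Andrew observed just below buf+ARGV_MAX. Carrying the length in the structure makes the free side independent of whichever constant the copyin side happens to use, so the three copyin routines can no longer drift apart from exec_free_args().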




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?42B98469.7060505>