cvs commit: src/sys/kern kern_malloc.c src/share/man/man9 Makefile redzone.9 src/sys/vm redzone.c redzone.h src/sys/conf NOTES files options

Andrew Gallatin gallatin at cs.duke.edu
Wed Feb 1 07:48:00 PST 2006


Pawel Jakub Dawidek [pjd at FreeBSD.org] wrote:
> pjd         2006-01-31 11:09:22 UTC
> 
>   FreeBSD src repository
> 
>   Modified files:
>     sys/kern             kern_malloc.c 
>     share/man/man9       Makefile 
>     sys/conf             NOTES files options 
>   Added files:
>     share/man/man9       redzone.9 
>     sys/vm               redzone.c redzone.h 
>   Log:
>   Add buffer corruption protection (RedZone) for kernel's malloc(9).
>   It detects both buffer underflow and buffer overflow bugs at runtime
>   (on free(9) and realloc(9)) and prints backtraces from where memory was
>   allocated and from where it was freed.
>   

If I enable DEBUG_REDZONE on an amd64 machine (UP, 512MB ram),
I get this panic on startup:

FreeBSD 7.0-CURRENT #0: Tue Jan 31 17:17:41 EST 2006
    gallatin at venice:/usr/src/sys/amd64/compile/VENICEW
WARNING: WITNESS option enabled, expect reduced performance.
Memory modified after free 0xffffff0000006d00(248) val=5 @ 0xffffff0000006dd0
kernel trap 9 with interrupts disabled

Fatal trap 9: general protection fault while in kernel mode
instruction pointer     = 0x8:0xffffffff80302bd0
stack pointer           = 0x10:0xffffffff8075c9f0
frame pointer           = 0x10:0xffffffff8075cb10
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = resume, IOPL = 0
current process         = 0 ()
[thread pid 0 tid 0 ]
Stopped at      strlen: cmpb    $0,0(%rdi)
db> tr
Tracing pid 0 tid 0 td 0xffffffff805d70a0
strlen() at strlen
vsnprintf() at vsnprintf+0x2e
panic() at panic+0x18c
mtrash_ctor() at mtrash_ctor+0x78
uma_zalloc_arg() at uma_zalloc_arg+0x306
malloc() at malloc+0xb0
init_dynamic_kenv() at init_dynamic_kenv+0x6b
mi_startup() at mi_startup+0xd3
btext() at btext+0x2c
db> 

The place where it tried to panic is:

(gdb) l *mtrash_ctor +0x78
0xffffffff8039b128 is at ../../../vm/uma_dbg.c:137.
132
133             for (p = mem; cnt > 0; cnt--, p++)
134                     if (*p != uma_junk) {
135                             printf("Memory modified after free %p(%d) val=%x @ %p\n",
136                                 mem, size, *p, p);
137                             panic("Most recently used by %s\n", (*ksp == NULL)?
138                                 "none" : (*ksp)->ks_shortdesc);
139                     }
140             return (0);
141     }


Removing DEBUG_REDZONE allows me to boot again.  Does DEBUG_REDZONE not
work on amd64, or is there a bad interaction in general with the 
mtrash'ing done by INVARIANTS, or is this something else entirely?

Drew
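For readers unfamiliar with what the quoted commit adds: a user-space model of a malloc(9) red zone, as an added illustration that is not FreeBSD's redzone.c or any code from this thread. Guard size, fill values and the rz_* names are hypothetical; the point is the underflow/overflow check on free and the junk fill that makes later use-after-free visible, as in the mtrash_ctor check Drew hit.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical sizes/values for this illustration, not FreeBSD's redzone.c. */
#define RZ_GUARD   16    /* guard bytes placed before and after the user buffer */
#define RZ_PATTERN 0xA5  /* value written into both guards at allocation time */
#define RZ_JUNK    0xD0  /* value written over the whole block on free */
#define RZ_RAW(u)  ((uint8_t *)(u) - RZ_GUARD - sizeof(size_t))  /* block start */
enum { RZ_OK = 0, RZ_UNDERFLOW = 1, RZ_OVERFLOW = 2 };

/* Block layout: [size_t size][leading guard][user bytes][trailing guard]. */
static void *rz_alloc(size_t size) {
    uint8_t *raw = malloc(sizeof(size_t) + 2 * RZ_GUARD + size);
    if (raw == NULL) return NULL;
    memcpy(raw, &size, sizeof(size_t));            /* remember the user size */
    uint8_t *user = raw + sizeof(size_t) + RZ_GUARD;
    memset(user - RZ_GUARD, RZ_PATTERN, RZ_GUARD); /* underflow guard */
    memset(user + size, RZ_PATTERN, RZ_GUARD);     /* overflow guard */
    return user;
}

/* Reads the user size stored in front of the leading guard. */
static size_t rz_size(const void *p) {
    size_t size;
    memcpy(&size, RZ_RAW(p), sizeof(size_t));
    return size;
}

/* Inspects both guards; returns a bitmask of RZ_UNDERFLOW and RZ_OVERFLOW. */
static int rz_check(const void *p) {
    const uint8_t *user = p, *lead = user - RZ_GUARD, *trail = user + rz_size(p);
    int rc = RZ_OK;
    for (size_t i = 0; i < RZ_GUARD; i++) {
        if (lead[i] != RZ_PATTERN)  rc |= RZ_UNDERFLOW;
        if (trail[i] != RZ_PATTERN) rc |= RZ_OVERFLOW;
    }
    return rc;
}

/* Like free(9) with RedZone: check the guards, report, trash the block, free it. */
static int rz_free(void *p) {
    int rc = rz_check(p);
    if (rc & RZ_UNDERFLOW) fprintf(stderr, "REDZONE: buffer underflow at %p\n", p);
    if (rc & RZ_OVERFLOW)  fprintf(stderr, "REDZONE: buffer overflow at %p\n", p);
    size_t total = sizeof(size_t) + 2 * RZ_GUARD + rz_size(p);
    memset(RZ_RAW(p), RZ_JUNK, total); /* junk-fill so a later use shows up as damage */
    free(RZ_RAW(p));
    return rc;
}
```

A one-byte write past either end of the user buffer is reported at rz_free time, which is the same detection point (free/realloc) the commit message describes for the kernel feature.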
