kern/117010: [linuxolator] linux_getdents() get something like buffer overflow or else
Vladimir Ermakov
samflanker at gmail.com
Mon Oct 8 01:30:02 PDT 2007
>Number: 117010
>Category: kern
>Synopsis: [linuxolator] linux_getdents() get something like buffer overflow or else
>Confidential: no
>Severity: critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Oct 08 08:30:01 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Vladimir Ermakov
>Release: 7.0-CURRENT
>Organization:
_
>Environment:
uname -a
FreeBSD damask 7.0-CURRENT FreeBSD 7.0-CURRENT #0: Wed Sep 12 17:04:55 SAMST 2007 root at localhost:/usr/obj/usr/src/sys/CS2 i386
>Description:
# su hlds -c "ktrace -i ./hlds_run -game cstrike +ip 0.0.0.0 +port 27015 +map de_dust -debug"
Auto detecting CPU
Using Pentium II Optimised binary.
Enabling debug mode
Auto-restarting the server on crash
Console initialized.
scandir failed:/usr/home/hlds/1.6/./platform/SAVE
Protocol version 47
Exe version 1.1.2.5/Stdio (cstrike)
Exe build: 20:02:49 Oct 24 2006 (3651)
STEAM Auth Server
couldn't exec language.cfg
Server IP address 0.0.0.0:27015
scandir failed:/usr/home/hlds/1.6/./platform/SAVE
*** glibc detected *** ./hlds_i686: double free or corruption (!prev): 0x08da3738 ***
======= Backtrace: =========
/lib/libc.so.6[0x2811ac88]
/lib/libc.so.6(cfree+0x90)[0x2811e230]
/lib/libc.so.6(closedir+0x28)[0x2813ecf8]
/lib/libc.so.6(scandir+0x14b)[0x2813f21b]
/usr/home/hlds/1.6/filesystem_stdio_i386.so(findFileInDirCaseInsensitive__FPCc+0xe4)[0x28af41d8]
/usr/home/hlds/1.6/filesystem_stdio_i386.so(FS_stat__17CFileSystem_StdioPCcP4stat+0x40)[0x28af861c]
/usr/home/hlds/1.6/filesystem_stdio_i386.so(FastFindFileSize__15CBaseFileSystemPCQ215CBaseFileSystem11CSearchPathPCc+0x17e)[0x28af572a]
/usr/home/hlds/1.6/filesystem_stdio_i386.so(Size__15CBaseFileSystemPCc+0x5b)[0x28af557b]
/usr/home/hlds/1.6/engine_i686.so(FS_FileSize+0x2a)[0x2828679e]
======= Memory map: ========
08048000-08054000 r-xp 0003a000 00:00 1931338 /usr/home/hlds/1.6/hlds_i686
08054000-0805b000 rw-p 0003a000 00:00 1931338 /usr/home/hlds/1.6/hlds_i686
0805b000-0805e000 rw-p 00d60000 00:00 0
0805e000-08dbb000 rwxp 00d60000 00:00 0
28054000-2806d000 r-xp 0001e000 00:00 1719480 /usr/compat/linux/lib/ld-2.5.so
2806d000-2806e000 r-xp 0001e000 00:00 1719480 /usr/compat/linux/lib/ld-2.5.so
2806e000-2806f000 rw-p 00002000 00:00 0
2806f000-28070000 rwxp 00002000 00:00 0
28071000-28073000 r-xp 00004000 00:00 1719493 /usr/compat/linux/lib/libdl-2.5.so
28073000-28074000 r-xp 00004000 00:00 1719493 /usr/compat/linux/lib/libdl-2.5.so
28074000-28075000 rwxp 00004000 00:00 1719493 /usr/compat/linux/lib/libdl-2.5.so
28075000-28076000 rwxp 00001000 00:00 0
28076000-28088000 r-xp 0001e000 00:00 1719511 /usr/compat/linux/lib/libpthread-2.5.so
28088000-28089000 r-xp 0001e000 00:00 1719511 /usr/compat/linux/lib/libpthread-2.5.so
28089000-2808a000 rwxp 0001e000 00:00 1719511 /usr/compat/linux
Abort trap (core dumped)
debug.cmds:1: Error in sourced command file:
Previous frame inner to this frame (corrupt stack?)
email debug.log to linux at valvesoftware.com
Wed Sep 12 20:27:04 SAMST 2007: Server restart in 10 seconds
Wed Sep 12 20:27:06 SAMST 2007: Server Quit
#
===================================================
# uname -a
FreeBSD damask 7.0-CURRENT FreeBSD 7.0-CURRENT #0: Wed Sep 12 17:04:55 SAMST 2007 root at localhost:/usr/obj/usr/src/sys/CS2 i386
# sysctl compat
compat.linux.oss_version: 198144
compat.linux.osrelease: 2.6.16
compat.linux.osname: Linux
# kldstat
Id Refs Address Size Name
1 14 0xc0400000 3e6ee0 kernel
2 1 0xc07e7000 69514 acpi.ko
3 1 0xc3ddd000 7000 linprocfs.ko
4 2 0xc3de4000 21000 linux.ko
5 1 0xc3e0e000 3000 linsysfs.ko
# mount|grep linux
linprocfs on /usr/compat/linux/proc (linprocfs, local)
linsysfs on /usr/compat/linux/sys (linsysfs, local)
# pkg_info | grep linux
linux_base-fc6-6_3 Base set of packages needed in Linux mode (for i386/amd64)
[private links to debug.log & ktrace.out]
please send me a message after downloading these files (so I can remove them)
for a full description see these threads:
http://lists.freebsd.org/pipermail/freebsd-emulation/2007-August/003918.html
http://lists.freebsd.org/pipermail/freebsd-emulation/2007-September/003960.html
http://lists.freebsd.org/pipermail/freebsd-emulation/2007-September/004024.html
===========================================================================
On Thu, 13 Sep 2007 16:39:49 +0400 Boris Samorodov wrote:
> Just to note once more, that is for CURRENT and
> linux_base-fc6/2.6.16:
> > Here is the relevant kdump:
> > ftp://ftp.ipt.ru/pub/linux/hldc.kdump.txt
> And the corresponding dump for linux_base-fc4/2.6.16 (which works
> fine):
> ftp://ftp.ipt.ru/pub/linux/fc4.dump.txt
> You may easily notice the difference if you open those URLs in two tabs
> within your browser. ;-)
Some more info. If cstrike/sound/weapons is moved (ex. renamed) the
server loads fine.
I've done an RTFS and seen that linux_getdents and linux_getdents64
use different data structures. Linux_base-fc4 uses linux_getdents64
here and succeeds while linux_base-fc6 quite the opposite.
The directory cstrike/sound/weapons is the largest (165 files); other
directories are way smaller. It seems that linux_getdents() gets something
like a buffer overflow or something else.
BTW, why does linux_base-fc6 use linux_getdents everywhere while
linux_base-fc4 uses linux_getdents64?
WBR
--
Boris Samorodov (bsam)
Research Engineer, http://www.ipt.ru Telephone & Internet SP
FreeBSD committer, http://www.FreeBSD.org The Power To Serve
http://lists.freebsd.org/pipermail/freebsd-emulation/2007-September/003965.html
>How-To-Repeat:
install a Counter-Strike 1.6 server on FreeBSD
(instructions: http://weec.ovl.ru/csdivision/index.php?topic=552.0)
# su games -c "./hlds_run -game cstrike +ip 0.0.0.0 +port 27015 +map de_dust"
>Fix:
_
>Release-Note:
>Audit-Trail:
>Unformatted:
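Added example, not part of this PR and not FreeBSD, glibc or Valve code: a reduced check for the linux_getdents()/linux_getdents64() analysis quoted above, and an alternative to the How-To-Repeat, which needs a proprietary game server. glibc's scandir(), the caller of the closedir() that aborts in the backtrace, walks whatever record stream the kernel hands back from getdents without checking it. If the emulation layer returns more bytes than the buffer holds, a d_reclen that runs past the returned length, or an unterminated d_name, the damage surfaces as the "double free or corruption" abort in libc rather than at the syscall. The program below encodes the invariants either record layout must satisfy, runs them over a hand-built stream, and then drains a scratch directory of 165 files (the size Boris found decisive) with raw getdents64 calls on a Linux host, validating every fill. Record offsets follow getdents(2) for the i386 linux_dirent and for linux_dirent64; the scratch-directory names, the 1024-byte buffer and the function names are this example's own choices. It does not reproduce the FreeBSD bug itself, which needs the linuxolator; it shows what to check on either side of the syscall boundary.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Record geometry per getdents(2), for both layouts the thread contrasts. */
struct dirent_layout {
    size_t reclen_off; /* offset of the 16-bit d_reclen */
    size_t name_off;   /* offset of d_name */
    size_t tail;       /* bytes that must follow the name: NUL (+ d_type) */
    size_t align;      /* d_reclen is rounded up to a multiple of this */
};
/* old linux_dirent, i386: d_ino(4) d_off(4) d_reclen(2) d_name, d_type last */
const struct dirent_layout LINUX_DIRENT32 = { 8, 10, 2, 4 };
/* linux_dirent64: d_ino(8) d_off(8) d_reclen(2) d_type(1) d_name */
const struct dirent_layout LINUX_DIRENT64 = { 16, 19, 1, 8 };

/* One fill of the caller's buffer, of which the kernel claims n of cap bytes.
 * Returns the record count, or -1 at the first violation: n beyond the buffer
 * (the overflow case), a record running past n, an unaligned or undersized
 * d_reclen, or a name with no NUL inside its record.  glibc trusts all of it. */
int validate_dirent_stream(const unsigned char *buf, size_t n, size_t cap,
                           const struct dirent_layout *lay)
{
    size_t pos = 0;
    int count = 0;
    if (n > cap || n % lay->align != 0) return -1;
    while (pos < n) {
        size_t left = n - pos;
        uint16_t reclen;
        if (left < lay->name_off + lay->tail) return -1;   /* truncated header */
        memcpy(&reclen, buf + pos + lay->reclen_off, sizeof reclen);
        if (reclen < lay->name_off + lay->tail || reclen > left ||
            reclen % lay->align != 0)
            return -1;                                     /* d_reclen lies */
        /* NUL must sit inside d_name; the 32-bit layout's trailing d_type byte
         * is excluded so a DT_UNKNOWN (0) there does not pass as one */
        if (memchr(buf + pos + lay->name_off, '\0',
                   reclen - lay->name_off - (lay->tail - 1)) == NULL)
            return -1;
        pos += reclen;
        count++;
    }
    return count;
}

/* Constructed sample, not kernel output: a getdents64 stream with "." and
 * "..".  19-byte header + name + NUL rounded up to 8 gives 24 bytes each. */
size_t build_sample_stream64(unsigned char *buf, size_t cap)
{
    uint16_t reclen = 24;
    if (cap < 48) return 0;
    memset(buf, 0, cap);
    memcpy(buf + 16, &reclen, 2); buf[18] = 4 /* DT_DIR */; buf[19] = '.';
    memcpy(buf + 40, &reclen, 2); buf[42] = 4; buf[43] = '.'; buf[44] = '.';
    return 48;
}

/* Linux only.  Scratch directory of nfiles entries (the report's trigger was a
 * 165-file directory) drained with raw SYS_getdents64 into a buffer that needs
 * several fills, each validated.  Returns entries seen (nfiles + "." + ".."),
 * -1 on error or a bad fill, -2 where the syscall does not exist. */
int count_entries_via_getdents64(int nfiles)
{
#ifdef SYS_getdents64
    char dir[] = "/tmp/getdents-XXXXXX";
    char path[sizeof dir + 32];
    unsigned char buf[1024];
    int fd, dfd = -1, total = 0, i;
    if (mkdtemp(dir) == NULL) return -1;
    for (i = 0; i < nfiles && total >= 0; i++) {
        snprintf(path, sizeof path, "%s/weapon_%03d.wav", dir, i);
        fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd < 0) total = -1; else close(fd);
    }
    if (total >= 0 && (dfd = open(dir, O_RDONLY | O_DIRECTORY)) < 0)
        total = -1;
    while (total >= 0) {
        long n = syscall(SYS_getdents64, dfd, buf, sizeof buf);
        int c = n > 0 ? validate_dirent_stream(buf, (size_t)n, sizeof buf,
                                               &LINUX_DIRENT64) : -1;
        if (n == 0) break;                                 /* drained */
        if (c < 0) total = -1; else total += c;
    }
    if (dfd >= 0) close(dfd);
    for (i = 0; i < nfiles; i++) {                         /* remove scratch tree */
        snprintf(path, sizeof path, "%s/weapon_%03d.wav", dir, i);
        unlink(path);
    }
    rmdir(dir);
    return total;
#else
    (void)nfiles; return -2;
#endif
}
```

On a Linux host count_entries_via_getdents64(165) returns 167 (165 files plus "." and ".."); a -1 from a live fill points at the kernel side of the boundary, not at libc. The same validator, with LINUX_DIRENT32, can be run over a buffer captured from a linuxolator linux_getdents() call to check the 32-bit layout the fc6 userland uses, since the invariants (d_reclen within the returned length and aligned to the record size, the NUL inside the record) are what readdir() and scandir() silently rely on.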