bin/137890: [libkvm] ps segfaults with -ax when inspecting core files

Bruce Cran bruce at cran.org.uk
Mon Aug 17 22:30:09 UTC 2009


>Number:         137890
>Category:       bin
>Synopsis:       [libkvm] ps segfaults with -ax when inspecting core files
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Aug 17 22:30:09 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Bruce Cran
>Release:        8.0-BETA2
>Organization:
>Environment:
FreeBSD tau.draftnet 8.0-BETA2 FreeBSD 8.0-BETA2 #0: Sun Aug 16 19:32:23 BST 2009     brucec at tau.draftnet:/usr/obj/usr/src/sys/DELL  amd64
>Description:
When recovering from a crash, crashinfo(8) is run; it executes 'ps -ax -M corefile', which causes ps to segfault and attempt to write a 1GB core file to /.

The crash can be reproduced after the system has booted by running 'ps -ax -M /var/crash/vmcore.x'.  The faulty code appears to be in lib/libkvm/kvm_proc.c around line 561, though the underlying cause is that the symbol table appears to be unreadable (inferred from the -1 return value of kvm_nlist).

It seems it's stepping past the nlist array and calls
vsnprintf with a bad argument. kvm_nlist returns -1 to report that the
symbol table couldn't be read, but the code assumes it has returned a
positive number to indicate that there's an invalid entry, so it starts
searching for that entry where n_type is 0.

tau# gdb ps
GNU gdb 6.1.1 [FreeBSD]
[...]

(gdb) run -ax -M /var/crash/vmcore.3
Starting program: /bin/ps -ax -M /var/crash/vmcore.3

Program received signal SIGSEGV, Segmentation fault.
0x000000080096340b in strlen (str=Variable "str" is not available.
) at /usr/src/lib/libc/string/strlen.c:88
88		    if (*p == '\0')
(gdb) bt
#0  0x000000080096340b in strlen (str=Variable "str" is not available.
) at /usr/src/lib/libc/string/strlen.c:88
#1  0x000000080095c082 in __vfprintf (fp=0x7fffffffd9a0, fmt0=0x800773915 "%s: no such symbol", ap=0x7fffffffdb10) at /usr/src/lib/libc/stdio/vfprintf.c:825
#2  0x00000008008cc696 in vsnprintf (str=Variable "str" is not available.) at /usr/src/lib/libc/stdio/vsnprintf.c:70
#3  0x0000000800772e89 in _kvm_err (kd=Variable "kd" is not available.) at /usr/src/lib/libkvm/kvm.c:104
#4  0x0000000800770907 in kvm_getprocs (kd=0x800b02300, op=8, arg=0, cnt=0x7fffffffdf1c) at /usr/src/lib/libkvm/kvm_proc.c:561
#5  0x0000000000405322 in main (argc=4, argv=0x7fffffffe9a8) at /usr/src/bin/ps/ps.c:511
(gdb) frame 4
#4  0x0000000800770907 in kvm_getprocs (kd=0x800b02300, op=8, arg=0, cnt=0x7fffffffdf1c) at /usr/src/lib/libkvm/kvm_proc.c:561
561				_kvm_err(kd, kd->program,
(gdb) list
556			nl[5].n_name = 0;
557	
558			if (kvm_nlist(kd, nl) != 0) {
559				for (p = nl; p->n_type != 0; ++p)
560					;
561				_kvm_err(kd, kd->program,
562					 "%s: no such symbol", p->n_name);
563				return (0);
564			}
565			if (KREAD(kd, nl[0].n_value, &nprocs)) {
(gdb) print nl
$1 = {{n_name = 0x8007738ef "_nprocs", n_type = 240 'ð', n_other = -1 'ÿ', n_desc = -1, n_value = 34365215744},
  {n_name = 0x8007738f7 "_allproc", n_type = 160 ' ', n_other = -100 '\234', n_desc = 80, n_value = 0},
  {n_name = 0x800773900 "_zombproc", n_type = 57 '9', n_other = 2 '\002', n_desc = 81, n_value = 34367538496},
  {n_name = 0x80077390a "_ticks", n_type = 74 'J', n_other = 0 '\0', n_desc = 0, n_value = 34365215744},
  {n_name = 0x800773911 "_hz", n_type = 168 '¨', n_other = -23 'é', n_desc = -1, n_value = 140737488349576},
  {n_name = 0x0, n_type = 1 '\001', n_other = 0 '\0', n_desc = 0, n_value = 34365024109}}
>How-To-Repeat:
Run 'ps -ax -M /var/crash/vmcore.x'
>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:
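
Editor's note with an added example; this is not code from the PR above, from its submitter, or from FreeBSD's libkvm, and the PR itself proposes no fix. It shows the return-value contract that the quoted kvm_getprocs() check gets wrong: kvm_nlist(3) returns -1 when the kernel symbol table cannot be read and otherwise the number of entries it could not resolve, each marked by n_type == 0. The `struct sym_entry`, the `fake_kvm_nlist()` resolver, its symbol table and the `syms_*` inputs below are constructed for this illustration; the `explain_nlist_result()` logic is one way to handle both outcomes, not the change FreeBSD actually committed.

```c
/*
 * Added example (not libkvm code). Only the kvm_nlist(3) return contract
 * is real: -1 = symbol table unreadable, otherwise the count of entries
 * left with n_type == 0. Everything else here is a constructed stand-in.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct sym_entry {          /* the struct nlist fields this example needs */
    const char *n_name;     /* NULL terminates the request array */
    unsigned char n_type;   /* 0 after lookup means "not found" */
    unsigned long n_value;
};

/* Constructed "kernel symbol table"; addresses are made up. */
static const struct { const char *name; unsigned long addr; } kernsyms[] = {
    { "_nprocs",   0xffffffff80a1f000UL },
    { "_allproc",  0xffffffff80a1f010UL },
    { "_zombproc", 0xffffffff80a1f020UL },
};

/*
 * Stand-in for kvm_nlist(3). When the table is "unreadable" it returns -1
 * and leaves nl[] untouched, which in kvm_getprocs() means stack garbage
 * (compare the n_type values in the PR's "print nl" output).
 */
int fake_kvm_nlist(struct sym_entry *nl, int symtab_unreadable)
{
    if (symtab_unreadable)
        return -1;
    int unresolved = 0;
    for (struct sym_entry *p = nl; p->n_name != NULL; ++p) {
        p->n_type = 0;
        p->n_value = 0;
        for (size_t i = 0; i < sizeof kernsyms / sizeof kernsyms[0]; ++i)
            if (strcmp(kernsyms[i].name, p->n_name) == 0) {
                p->n_type = 1;            /* any nonzero type: resolved */
                p->n_value = kernsyms[i].addr;
                break;
            }
        if (p->n_type == 0)
            ++unresolved;
    }
    return unresolved;
}

/*
 * Caller-side check. The loop quoted in the PR treats every nonzero
 * return as "an entry has n_type 0" and walks until it finds one; after
 * -1 nothing was filled in, so it walks off the array and _kvm_err() is
 * handed a bad n_name. Here -1 is reported on its own and the search is
 * bounded by the NULL n_name terminator, never by n_type.
 * Returns NULL on success, otherwise a message written into buf.
 */
const char *explain_nlist_result(int rc, const struct sym_entry *nl,
                                 char *buf, size_t len)
{
    if (rc == 0)
        return NULL;
    if (rc < 0) {
        snprintf(buf, len, "kernel symbol table is unreadable");
        return buf;
    }
    for (const struct sym_entry *p = nl; p->n_name != NULL; ++p)
        if (p->n_type == 0) {
            snprintf(buf, len, "%s: no such symbol", p->n_name);
            return buf;
        }
    snprintf(buf, len, "%d unresolved symbols reported, none marked", rc);
    return buf;
}

#define MAX_SYMS 8

/* Build the request array (terminated like nl[5].n_name = 0 in the PR),
 * run the lookup and return the verdict from a static buffer. */
const char *lookup_and_report(const char *const *names, int symtab_unreadable)
{
    static char buf[128];
    struct sym_entry nl[MAX_SYMS];
    size_t n = 0;
    while (names[n] != NULL && n < MAX_SYMS - 1) {
        nl[n].n_name = names[n];
        nl[n].n_type = 0xff;    /* deliberately nonzero, like uninitialised stack */
        nl[n].n_value = 0;
        ++n;
    }
    nl[n].n_name = NULL;
    return explain_nlist_result(fake_kvm_nlist(nl, symtab_unreadable),
                                nl, buf, sizeof buf);
}

/* Constructed inputs. */
const char *const syms_present[]   = { "_nprocs", "_allproc", "_zombproc", NULL };
const char *const syms_with_typo[] = { "_nprocs", "_allprocs", NULL };

int main(void)
{
    const char *r;
    r = lookup_and_report(syms_present, 0);   printf("readable, all found: %s\n", r ? r : "ok");
    r = lookup_and_report(syms_with_typo, 0); printf("readable, typo:      %s\n", r ? r : "ok");
    r = lookup_and_report(syms_present, 1);   printf("unreadable symtab:   %s\n", r ? r : "ok");
    return 0;
}
```

The point for a reviewer is the shape of the check rather than the wording of the messages: any caller of an API that multiplexes "error" and "count" into one return value must branch on the sign before interpreting the count, and a scan for a marker value must have a bound that does not itself depend on the data the failed call was supposed to initialise.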


More information about the freebsd-bugs mailing list