[Bug 224485] [ipfw][dummynet] "REDZONE: Buffer overflow detected." after "ipfw pipe show"

bugzilla-noreply at freebsd.org
Wed Dec 20 14:42:48 UTC 2017


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=224485

            Bug ID: 224485
           Summary: [ipfw][dummynet] "REDZONE: Buffer overflow detected."
                    after "ipfw pipe show"
           Product: Base System
           Version: 11.1-STABLE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: david at catwhisker.org

Created attachment 188994
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=188994&action=edit
This machine's kernel configuration file ("CANARY")

Issuing "ipfw pipe show" yields the following (in /var/log/messages):

Dec 20 14:15:30 g1-252 kernel: REDZONE: Buffer overflow detected. 16 bytes corrupted after 0xfffff801d9cc9f48 (328 bytes allocated).
Dec 20 14:15:30 g1-252 kernel: Allocation backtrace:
Dec 20 14:15:30 g1-252 kernel: #0 0xffffffff80d49299 at redzone_setup+0xe9
Dec 20 14:15:30 g1-252 kernel: #1 0xffffffff80a1175d at malloc+0x22d
Dec 20 14:15:30 g1-252 kernel: #2 0xffffffff80c95e07 at dummynet_get+0x337
Dec 20 14:15:30 g1-252 kernel: #3 0xffffffff80ba4102 at rip_ctloutput+0x102
Dec 20 14:15:30 g1-252 kernel: #4 0xffffffff80ac2d9d at sogetopt+0xcd
Dec 20 14:15:30 g1-252 kernel: #5 0xffffffff80ac756b at kern_getsockopt+0xdb
Dec 20 14:15:30 g1-252 kernel: #6 0xffffffff80ac7462 at sys_getsockopt+0x52
Dec 20 14:15:30 g1-252 kernel: #7 0xffffffff80e3a66a at amd64_syscall+0xa6a
Dec 20 14:15:30 g1-252 kernel: #8 0xffffffff80e1cedb at Xfast_syscall+0xfb
Dec 20 14:15:30 g1-252 kernel: Free backtrace:
Dec 20 14:15:30 g1-252 kernel: #0 0xffffffff80d49604 at redzone_check+0x304
Dec 20 14:15:30 g1-252 kernel: #1 0xffffffff80a117b6 at free+0x46
Dec 20 14:15:30 g1-252 kernel: #2 0xffffffff80c9623d at dummynet_get+0x76d
Dec 20 14:15:30 g1-252 kernel: #3 0xffffffff80ba4102 at rip_ctloutput+0x102
Dec 20 14:15:30 g1-252 kernel: #4 0xffffffff80ac2d9d at sogetopt+0xcd
Dec 20 14:15:30 g1-252 kernel: #5 0xffffffff80ac756b at kern_getsockopt+0xdb
Dec 20 14:15:30 g1-252 kernel: #6 0xffffffff80ac7462 at sys_getsockopt+0x52
Dec 20 14:15:30 g1-252 kernel: #7 0xffffffff80e3a66a at amd64_syscall+0xa6a
Dec 20 14:15:30 g1-252 kernel: #8 0xffffffff80e1cedb at Xfast_syscall+0xfb

Similarly, "ipfw sched show" yields:

Dec 20 14:15:43 g1-252 kernel: REDZONE: Buffer overflow detected. 16 bytes corrupted after 0xfffff80196cf9348 (328 bytes allocated).
Dec 20 14:15:43 g1-252 kernel: Allocation backtrace:
Dec 20 14:15:43 g1-252 kernel: #0 0xffffffff80d49299 at redzone_setup+0xe9
Dec 20 14:15:43 g1-252 kernel: #1 0xffffffff80a1175d at malloc+0x22d
Dec 20 14:15:43 g1-252 kernel: #2 0xffffffff80c95e07 at dummynet_get+0x337
Dec 20 14:15:43 g1-252 kernel: #3 0xffffffff80ba4102 at rip_ctloutput+0x102
Dec 20 14:15:43 g1-252 kernel: #4 0xffffffff80ac2d9d at sogetopt+0xcd
Dec 20 14:15:43 g1-252 kernel: #5 0xffffffff80ac756b at kern_getsockopt+0xdb
Dec 20 14:15:43 g1-252 kernel: #6 0xffffffff80ac7462 at sys_getsockopt+0x52
Dec 20 14:15:43 g1-252 kernel: #7 0xffffffff80e3a66a at amd64_syscall+0xa6a
Dec 20 14:15:43 g1-252 kernel: #8 0xffffffff80e1cedb at Xfast_syscall+0xfb
Dec 20 14:15:43 g1-252 kernel: Free backtrace:
Dec 20 14:15:43 g1-252 kernel: #0 0xffffffff80d49604 at redzone_check+0x304
Dec 20 14:15:43 g1-252 kernel: #1 0xffffffff80a117b6 at free+0x46
Dec 20 14:15:43 g1-252 kernel: #2 0xffffffff80c9623d at dummynet_get+0x76d
Dec 20 14:15:43 g1-252 kernel: #3 0xffffffff80ba4102 at rip_ctloutput+0x102
Dec 20 14:15:43 g1-252 kernel: #4 0xffffffff80ac2d9d at sogetopt+0xcd
Dec 20 14:15:43 g1-252 kernel: #5 0xffffffff80ac756b at kern_getsockopt+0xdb
Dec 20 14:15:43 g1-252 kernel: #6 0xffffffff80ac7462 at sys_getsockopt+0x52
Dec 20 14:15:43 g1-252 kernel: #7 0xffffffff80e3a66a at amd64_syscall+0xa6a
Dec 20 14:15:43 g1-252 kernel: #8 0xffffffff80e1cedb at Xfast_syscall+0xfb

I note that "ipfw queue show" does NOT yield a whine. :-)

This is running stable/11 on amd64:
FreeBSD g1-252.catwhisker.org 11.1-STABLE FreeBSD 11.1-STABLE #485 
r327021M/327021:1101506: Wed Dec 20 04:34:23 PST 2017    
root at g1-252.catwhisker.org:/common/S1/obj/usr/src/sys/CANARY  amd64

(Though a quick reality-check running head @r327017 on the same system
(different slice; same hardware & same ipfw ruleset) yielded a similar whine
for "ipfw pipe show".)

Kernel modules loaded:
g1-252(11.1-S)[3] kldstat 
Id Refs Address            Size     Name
 1   40 0xffffffff80200000 1e4cef8  kernel
 2    1 0xffffffff8204e000 21e30    geom_eli.ko
 3    3 0xffffffff82070000 ad1c8    linux.ko
 4    4 0xffffffff8211e000 e208     linux_common.ko
 5    1 0xffffffff8212d000 4d80     coretemp.ko
 6    1 0xffffffff82132000 546d8    iwn5000fw.ko
 7    1 0xffffffff82187000 e14658   nvidia.ko
 8    1 0xffffffff82f9c000 e0a8     cuse.ko
 9    1 0xffffffff82fab000 a268     filemon.ko
10    1 0xffffffff83211000 bbbf     tmpfs.ko
11    1 0xffffffff8321d000 5bc8     fdescfs.ko
12    1 0xffffffff83223000 a8f2     linprocfs.ko
13    1 0xffffffff8322e000 3d133    linux64.ko
14    1 0xffffffff8326c000 78e      rtc.ko
g1-252(11.1-S)[4] 

The kernel is based on GENERIC; has some devices I don't need on a laptop
snipped out, and IPFIREWALL_DEFAULT_TO_ACCEPT is explicitly not enabled. 
Current ipfw stuff:

g1-252(11.1-S)[4] sudo ipfw show
00100 203030  21519482 allow ip from any to any via lo0
00200      0         0 deny ip from any to 127.0.0.0/8
00300      0         0 deny ip from 127.0.0.0/8 to any
00400  84647  98610106 reass ip from any to any in
00500      0         0 allow ip from any to any via tun0
00600      0         0 allow ip from 172.17.1.252 to 172.17.1.252
00700      0         0 deny log ip from any to any ipoptions ssrr,lsrr,rr,ts
00800      0         0 deny log ip from table(1) to 172.17.1.252
00900      0         0 deny log ip from 172.17.1.252 to table(1)
01000      0         0 deny log ip from table(2) to 172.17.1.252 dst-port 22
01100      0         0 deny log ip from table(3) to 172.17.1.252 dst-port
80,443
01200      0         0 deny udp from any 135-139 to any
01300      0         0 deny udp from any to any dst-port 135-139
01400      0         0 deny tcp from any 135-139 to any
01500      0         0 deny tcp from any to any dst-port 135-139
01600      0         0 deny udp from any 445 to any
01700      0         0 deny udp from any to any dst-port 445
01800      0         0 deny tcp from any 445 to any
01900      0         0 deny tcp from any to any dst-port 445
02000      0         0 deny udp from any to any dst-port 631
02100      0         0 deny udp from any to any dst-port 1985
02200      0         0 deny udp from any to any dst-port 2222
02300      0         0 deny udp from any to any dst-port 5353
02400      0         0 deny ip from 224.0.0.0/4 to any
02500      0         0 deny ip from any to 224.0.0.0/4
02600     12      1008 skipto 60000 icmp from any to any icmptypes
0,3,4,8,11,12
02700      0         0 skipto 60000 udp from 172.17.1.252 68 to 172.17.0.1
dst-port 67 keep-state :default
02800      0         0 skipto 60000 udp from 172.17.0.1 67 to 172.17.1.252
dst-port 68 keep-state :default
02900      0         0 skipto 60000 udp from 172.17.1.252 68 to 172.17.0.1
dst-port 67 keep-state :default
03000      0         0 skipto 60000 udp from 172.17.0.1 67 to 172.17.1.252
dst-port 68 keep-state :default
03100      0         0 skipto 60000 udp from 172.17.1.252 to 172.17.255.255
dst-port 192 keep-state :default
03200      0         0 skipto 60000 udp from any 192 to 172.17.1.252
03300      0         0 skipto 60000 udp from 172.17.0.0/16 162 to
172.17.255.255 dst-port 162 keep-state :default
03400      0         0 deny ip from any to 172.17.255.255
03500      0         0 deny ip from 172.17.255.255 to any
03600 141401 103424861 skipto 60000 tcp from any to any established
03700    597     35820 skipto 60000 tcp from 172.17.1.252 to any setup
03800      0         0 skipto 60000 log tcp from any to any dst-port 22 setup
03900      0         0 skipto 60000 log tcp from any to any dst-port 3690 setup
04000      0         0 skipto 60000 tcp from any to 172.17.1.252 dst-port 80
setup
04100      0         0 skipto 60000 tcp from any to 172.17.1.252 dst-port 443
setup
04200      0         0 deny log tcp from any to any setup
04300   1331    246776 skipto 60000 udp from 172.17.1.252 to any dst-port 53
keep-state :default
04400      0         0 deny log udp from any to any dst-port 123 iplen 0-75
04500    184     13984 skipto 60000 udp from 172.17.1.252 to any dst-port 123
keep-state :default
04600      0         0 skipto 60000 udp from any 123 to 255.255.255.255
dst-port 123 keep-state :default
04700      0         0 skipto 60000 udp from 172.17.1.252 to any keep-state
:default
04800      0         0 deny log ip from any to any
60000  84617  98587266 allow ip from any to any in
60100  58908   5135183 queue 1 ip from any to any out
65535      1       340 deny ip from any to any
g1-252(11.1-S)[5] sudo ipfw pipe show
00001: unlimited         0 ms burst 0 
q131073  50 sl. 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 droptail
 sched 65537 type FIFO flags 0x0 0 buckets 0 active
g1-252(11.1-S)[6] sudo ipfw sched show
00001: unlimited         0 ms burst 0 
q65537  50 sl. 0 flows (1 buckets) sched 1 weight 0 lmax 0 pri 0 droptail
 sched 1 type FQ_CODEL flags 0x0 0 buckets 0 active
 FQ_CODEL target 5ms interval 100ms quantum 1514 limit 10240 flows 1024 ECN
   Children flowsets: 1 
g1-252(11.1-S)[7] sudo ipfw queue show
q00001  50 sl. 0 flows (1 buckets) sched 1 weight 0 lmax 0 pri 0 droptail
g1-252(11.1-S)[8]

This (REDZONE whine) is readily reproducible for me.

I will attach a copy of the kernel configuration file ("CANARY").

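For readers unfamiliar with the check behind the "REDZONE: Buffer overflow detected" lines in this report, the following is an added userland model of a trailing-guard allocator; it is not part of the original report and is not FreeBSD's redzone code. The rz_* names, the 0x42 fill byte and the slack region are assumptions of the model, and the 16-byte guard is chosen to match the "16 bytes corrupted" figure in the log. In this model the count can never exceed the guard size, so a report equal to the guard size is only a lower bound on how far the writer overran.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RZ_GUARD 16   /* assumed guard size, matching "16 bytes" in the report */
#define RZ_FILL  0x42 /* assumed fill pattern for this model */
#define RZ_SLACK 64   /* model-only padding so the demo overrun stays in our own memory */

struct rz_hdr { size_t nsize; };  /* requested size, stored in front of the buffer */

/* Allocate nsize usable bytes followed by RZ_GUARD pattern bytes. */
void *rz_malloc(size_t nsize)
{
    unsigned char *raw = malloc(sizeof(struct rz_hdr) + nsize + RZ_GUARD + RZ_SLACK);
    if (raw == NULL) return NULL;
    ((struct rz_hdr *)raw)->nsize = nsize;
    memset(raw + sizeof(struct rz_hdr) + nsize, RZ_FILL, RZ_GUARD);
    return raw + sizeof(struct rz_hdr);
}

/* Check the trailing guard at free time; returns the number of damaged guard bytes. */
size_t rz_free(void *p)
{
    unsigned char *buf = p;
    struct rz_hdr *h = (struct rz_hdr *)(buf - sizeof(struct rz_hdr));
    size_t i, bad = 0;
    for (i = 0; i < RZ_GUARD; i++)
        if (buf[h->nsize + i] != RZ_FILL)
            bad++;
    if (bad > 0)
        printf("model: %zu guard bytes corrupted after %p (%zu bytes allocated)\n",
            bad, p, h->nsize);
    free(h);
    return bad;
}

/* Constructed scenario: a producer writes len bytes into a buffer sized for cap. */
size_t overrun_demo(size_t cap, size_t len)
{
    unsigned char *buf = rz_malloc(cap);
    if (buf == NULL || len > cap + RZ_GUARD + RZ_SLACK) { free(buf ? buf - sizeof(struct rz_hdr) : NULL); return 0; }
    memset(buf, 0xAA, len);  /* unchecked length: the class of bug being modelled */
    return rz_free(buf);     /* corruption is only noticed here, at free time */
}

int main(void)
{
    overrun_demo(328, 328); overrun_demo(328, 332); overrun_demo(328, 368);
    return 0;
}
```

Because the guard is verified only when the buffer is released, the "Free backtrace" in such a report shows where the damage was noticed, not where the out-of-bounds write happened.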