stable/9 @r241776 panic: REDZONE: Buffer underflow detected...

Mateusz Guzik mjguzik at gmail.com
Sun Oct 21 22:09:20 UTC 2012 

On Sat, Oct 20, 2012 at 07:10:19AM -0700, David Wolfskill wrote:
> This seems ... fairly weird to me.
> 
> Yesterday, I built & booted:
> 
> FreeBSD g1-227.catwhisker.org 9.1-PRERELEASE FreeBSD 9.1-PRERELEASE #274 241726M: Fri Oct 19 05:40:05 PDT 2012     root at g1-227.catwhisker.org:/usr/obj/usr/src/sys/CANARY  i386
> 
> and used the machine all day; nothing unusual (including various
> reboots (e.g. when I disembarked the train for the final leg of my
> commute home, so I powered the laptop off).
> 
> This morning, I built:
> 
> FreeBSD g1-227.catwhisker.org 9.1-PRERELEASE FreeBSD 9.1-PRERELEASE #275 241776M: Sat Oct 20 04:34:45 PDT 2012     root at g1-227.catwhisker.org:/usr/obj/usr/src/sys/CANARY  i386
> 
> and on first reboot, I got a panic.
> 
[..]
> 
> ...
> Starting devd.
> REDZONE: Buffer underflow detected.  1 byte corrupted before 0xced40080 (4294966796 bytes allocated).
> Allocation backtrace:
> #0 0xc0ceac8f at redzone_setup+0xcf
> #1 0xc0a5d5c9 at malloc+0x1d9
> ...[about 20 more such lines I didn't record]...
> 
> > bt
> Tracing pid 901 tid 100106 td 0xd2b99000
> kdb_enter(...)
> panic(...)
> free(...)
> devread(ce8c2d00,f7274c0c,0,c0b1e4f0,d279e380,...) at devread+0x1a6
> giant_read(...) at giant_read+0x87
> devfs_read(...) at devfs_read+0xc6
> dofileread(...) at dofileread+0x99
> sys_read(...) at sys_read+0x98
> syscall(f7274d08) at syscall+0x387
> 

This looks a lot like issue you reported a couple of months earlier,
even affected buffer address matches.

At least part of REDZONE metadata placed directly before the buffer is
corrupted. So the idea is to set a watchpoint at a place that is known
to contain wrong data (in this case allocation size) and wait for some
code to try to modify it.

I hacked up the following (really ugly, but should do the job):
http://people.freebsd.org/~mjg/patches/watchpoint-hack.diff

Note: this assumes that address of affected buffer is always the same.

Assuming I didn't mess anything up, instructions are simple:
Just try to reproduce the issue, at some point you should be dropped to
the debugger. If that happens when dumpdevice is configured, please get a
core. Otherwise just a backtrace ("bt" command).

Note 2: this code does no clear the watchpoint, so if it fails to catch
the offending case, it may catch completely legitimate code later.

More information about the freebsd-stable mailing list