svn commit: r310086 - head/sys/dev/xen/blkfront

Dimitry Andric dim at FreeBSD.org
Thu Dec 15 19:07:21 UTC 2016 

On 15 Dec 2016, at 08:01, Colin Percival <cperciva at tarsnap.com> wrote:
> 
> On 12/14/16 11:28, Dimitry Andric wrote:
>> Log:
>>  In xbd_connect(), use correct scanf conversion specifiers for the
>>  feature_barrier and feature_flush variables.  Otherwise, adjacent
>>  variables on the stack, such as sector_size, may be overwritten, with
>>  disastrous results.
> 
> Thanks!  Did you happen to notice what stack variable (if any?) was being
> overwritten under clang 3.8.0?  Just wondering if there might be some
> undiscovered issue lurking in FreeBSD releases which will cause other less
> obvious problems.

Here is a little overview of the locations on the stack (e.g. offsets
from %rbp) with different compiler versions:

clang 3.8.x and earlier:
        [ -56: -48)     sectors
        [ -64: -56)     sector_size
        [ -72: -64)     phys_sector_size
        [ -76: -72)     binfo
        [ -80: -76)     feature_barrier
        [ -84: -80)     feature_flush

Here, writing 8 bytes of data to feature_barrier will most likely
overwrite binfo with zeroes, but since that is usually zero already,
not much will happen.

Similarly, writing 8 bytes of data to feature_flush will most likely
overwrite feature_barrier with zeroes, effectively always turning off
that feature.

clang 3.9.0 and later:
        [ -80: -72)     phys_sector_size
        [ -88: -80)     sector_size
        [ -92: -88)     feature_flush
        [ -96: -92)     feature_barrier
        [-104: -96)     indirectpages
        [-112:-104)     sectors
        [-132:-128)     binfo

As is now known, here the effect was that sector_size is effectively
zeroed when feature_flush is written.  Not good. :)

gcc 4.2.1:
        [ -44: -40)     binfo
        [ -48: -44)     feature_barrier
        [ -52: -48)     feature_flush
        [ -64: -56)     sectors
        [ -72: -64)     sector_size
        [ -80: -72)     phys_sector_size

For our base gcc, the results are similar to clang 3.8.x and earlier:
writing 8 bytes of data to feature_barrier will most likely overwrite
binfo with zeroes, to not much effect.  Same story for feature_flush.

gcc 6.2.0:
        [ -64: -56)     phys_sector_size
        [ -72: -64)     sector_size
        [ -80: -72)     sectors
        [ -84: -80)     feature_flush
        [ -88: -84)     feature_barrier
        [ -92: -88)     binfo

With a more recent version of gcc, writing 8 bytes of data to
feature_flush will most likely zero least significant half of sectors.
Unless the virtual disk has 2^32 or more sectors, it will turn up as
zero length.

-Dimitry

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 194 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.freebsd.org/pipermail/svn-src-all/attachments/20161215/915edba7/attachment.sig>

More information about the svn-src-all mailing list