svn commit: r360233 - in head: contrib/jemalloc . . . : This partially breaks a 2-socket 32-bit powerpc (old PowerMac G4) based on head -r360311
Mark Millard
marklmi at yahoo.com
Tue May 5 08:52:35 UTC 2020
[This report just shows an interesting rpcbind crash:
a pointer field had been overwritten with part of a string,
so the junk address that resulted could not be accessed
when it was dereferenced.]
Core was generated by `/usr/sbin/rpcbind'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x5024405c in rendezvous_request (xprt=<optimized out>, msg=<optimized out>) at /usr/src/lib/libc/rpc/svc_vc.c:335
335 cd->recvsize = r->recvsize;
(gdb) list
330 _setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, &len, sizeof (len));
331 }
332
333 cd = (struct cf_conn *)newxprt->xp_p1;
334
335 cd->recvsize = r->recvsize;
336 cd->sendsize = r->sendsize;
337 cd->maxrec = r->maxrec;
338
339 if (cd->maxrec != 0) {
(gdb) print/c *cd
Cannot access memory at address 0x2d202020
FYI:
. . .
0x50244050 <+452>: bl 0x502e3404 <00000000.plt_pic32._setsockopt>
0x50244054 <+456>: lwz r27,80(r29)
0x50244058 <+460>: lwz r3,4(r24)
=> 0x5024405c <+464>: stw r3,436(r27)
Note the 80(r29) use.
(gdb) info reg
r0 0x50244020 1344552992
r1 0xffffb400 4294947840
r2 0x500a1018 1342836760
r3 0x2328 9000
r4 0x32ef559c 854545820
r5 0x0 0
r6 0xffffb360 4294947680
r7 0xffffb364 4294947684
r8 0x5004733c 1342468924
r9 0x0 0
r10 0x20 32
r11 0x50252ea0 1344614048
r12 0x24200ca0 606080160
r13 0x0 0
r14 0x0 0
r15 0xffffbc28 4294949928
r16 0x10002848 268445768
r17 0x10040000 268697600
r18 0x2 2
r19 0x0 0
r20 0x1 1
r21 0x5004c044 1342488644
r22 0xffffb63c 4294948412
r23 0x80 128
r24 0x50048010 1342472208
r25 0x14 20
r26 0xffffb630 4294948400
r27 0x2d202020 757080096
r28 0xf 15
r29 0x50047308 1342468872
r30 0x5030112c 1345327404
r31 0x10040000 268697600
pc 0x5024405c 0x5024405c <rendezvous_request+464>
msr <unavailable>
cr 0x842000a0 2216689824
lr 0x50244020 0x50244020 <rendezvous_request+404>
ctr 0x50252ea0 1344614048
xer 0x0 0
fpscr 0x0 0
vscr <unavailable>
vrsave <unavailable>
(gdb) x/s 0x50047308+72
0x50047350: " - - -\n"
So rendezvous_request tried to use the bytes "- " as a pointer value.
It appears that the r29 value came from:
0x50243f90 <+260>: mr r28,r3
0x50243f94 <+264>: lwz r4,0(r24)
0x50243f98 <+268>: lwz r5,4(r24)
0x50243f9c <+272>: mr r3,r28
0x50243fa0 <+276>: bl 0x5024308c <makefd_xprt>
0x50243fa4 <+280>: lwz r27,36(r1)
0x50243fa8 <+284>: mr r29,r3
That makefd_xprt call is part of:
/*
* make a new transporter (re-uses xprt)
*/
newxprt = makefd_xprt(sock, r->sendsize, r->recvsize);
newxprt->xp_rtaddr.buf = mem_alloc(len);
if (newxprt->xp_rtaddr.buf == NULL)
return (FALSE);
memcpy(newxprt->xp_rtaddr.buf, &addr, len);
newxprt->xp_rtaddr.len = len;
#ifdef PORTMAP
if (addr.ss_family == AF_INET || addr.ss_family == AF_LOCAL) {
newxprt->xp_raddr = *(struct sockaddr_in *)newxprt->xp_rtaddr.buf;
newxprt->xp_addrlen = sizeof (struct sockaddr_in);
}
#endif /* PORTMAP */
if (__rpc_fd2sockinfo(sock, &si) && si.si_proto == IPPROTO_TCP) {
len = 1;
/* XXX fvdl - is this useful? */
_setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, &len, sizeof (len));
}
cd = (struct cf_conn *)newxprt->xp_p1;
cd->recvsize = r->recvsize;
cd->sendsize = r->sendsize;
cd->maxrec = r->maxrec;
FYI:
(gdb) print *r
$5 = {sendsize = 9000, recvsize = 9000, maxrec = 9000}
There is more evidence in *newxprt of pointer fields overwritten with
string bytes (xp_tp, oa_base, xp_p1, xp_p2, xp_p3):
(gdb) print *newxprt
$7 = {xp_fd = 15, xp_port = 0, xp_ops = 0x50329e1c, xp_addrlen = 16, xp_raddr = {sin_len = 16 '\020', sin_family = 1 '\001', sin_port = 0, sin_addr = {s_addr = 0},
sin_zero = "\000\000\000\000\000\000\000"}, xp_ops2 = 0x756e6978, xp_tp = 0x2020 <error: Cannot access memory at address 0x2020>,
xp_netid = 0x10010000 <error: Cannot access memory at address 0x10010000>, xp_ltaddr = {maxlen = 0, len = 0, buf = 0x0}, xp_rtaddr = {maxlen = 539828256, len = 16, buf = 0x50047330}, xp_verf = {
oa_flavor = 0, oa_base = 0x202d2020 <error: Cannot access memory at address 0x202d2020>, oa_length = 538976288}, xp_p1 = 0x2d202020, xp_p2 = 0x20202020, xp_p3 = 0x2d0a0079, xp_type = 543780384}
(gdb) print (char*)(&newxprt->xp_verf.oa_base)
$24 = 0x50047350 " - - -\n"
(gdb) print (char*)(&newxprt->xp_p3)+3
$13 = 0x50047363 "y in FreeBSD.\n"
(gdb) print (char*)(&newxprt->xp_type)
$25 = 0x50047364 " in FreeBSD.\n"
===
Mark Millard
marklmi at yahoo.com
( dsl-only.net went
away in early 2018-Mar)