On 09/30/15 13:03, Robert Blayzor wrote:
> On Sep 30, 2015, at 3:54 PM, Xin Li <delphij at delphij.net> wrote:
>>
>> Can you make this change and see if it helps?
>>
>> Index: rpcb_svc_com.c
>> ===================================================================
>> --- rpcb_svc_com.c (revision 288421)
>> +++ rpcb_svc_com.c (working copy)
>> @@ -1052,7 +1052,7 @@ static bool_t
>> netbuf_copybuf(struct netbuf *dst, const struct netbuf *src)
>> {
>>
>> - assert(dst->buf == NULL);
>> + assert(dst->len == 0 || dst->buf == NULL);
> ?
>
> Same result:
>
> Assertion failed: (dst->len == 0 || dst->buf == NULL), function netbuf_copybuf, file rpcb_svc_com.c, line 1056.

Hmm, this suggests there were either a use-after-free or a memory leak
with existing code. I will need some time to further investigate this.

In the meantime, please comment out the assertion (which turns the crash
back into a memory leak in the worst case).

Cheers,
-- 
Xin LI <delphij at delphij.net> https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
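Review bot: the loosened check on the `+` line admits a netbuf whose buf is non-NULL as long as len is 0, and if netbuf_copybuf then allocates a fresh dst->buf the previous allocation leaks silently; free or reuse the existing dst->buf before overwriting it rather than widening the assert. The assert also aborts rpcbind outright when the invariant breaks on a request, so for a `static bool_t` function returning FALSE and letting the caller fail that one request is a safer failure mode than a process-wide crash.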
On 09/30/15 13:13, Xin Li wrote:
> On 09/30/15 13:03, Robert Blayzor wrote:
>> On Sep 30, 2015, at 3:54 PM, Xin Li <delphij at delphij.net> wrote:
>>>
>>> Can you make this change and see if it helps?
>>>
>>> Index: rpcb_svc_com.c
>>> ===================================================================
>>> --- rpcb_svc_com.c (revision 288421)
>>> +++ rpcb_svc_com.c (working copy)
>>> @@ -1052,7 +1052,7 @@ static bool_t
>>> netbuf_copybuf(struct netbuf *dst, const struct netbuf *src)
>>> {
>>>
>>> - assert(dst->buf == NULL);
>>> + assert(dst->len == 0 || dst->buf == NULL);
>> ?
>>
>> Same result:
>>
>> Assertion failed: (dst->len == 0 || dst->buf == NULL), function netbuf_copybuf, file rpcb_svc_com.c, line 1056.
>
> Hmm, this suggests there were either a use-after-free or a memory leak
> with existing code. I will need some time to further investigate this.
>
> In the meantime, please comment out the assertion (which turns the crash
> back into a memory leak in the worst case).

Please try the attached patch, which will reallocate the buffer only when
the passed-in netbuf is of a different size.

Cheers,
-- 
Xin LI <delphij at delphij.net> https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die

-------------- next part --------------
Name: rpcbind.diff
Type: text/x-patch
Size: 713 bytes
URL: <http://lists.freebsd.org/pipermail/freebsd-security/attachments/20150930/c2c3466c/attachment.bin>
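The approach Xin Li describes (reallocate only when the incoming netbuf does not fit the existing one) shown beside what simply commenting out the assertion leaves you with, as an added C example. This is not the rpcbind.diff attached to the message and not FreeBSD code; it assumes a local three-field struct netbuf mirroring TI-RPC's, and since the exact size comparison in the real patch is not visible here, this version reuses dst->buf whenever its maxlen already covers src->len. Allocation counters stand in for a heap checker so the leak is observable in plain C.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Local stand-in for TI-RPC's struct netbuf; field names and order match. */
struct netbuf {
    unsigned int maxlen;   /* bytes allocated at buf */
    unsigned int len;      /* bytes in use */
    void *buf;
};

/* Counters so a leak is visible without valgrind or ASan. */
static unsigned int nb_allocs, nb_frees;

static void *nb_alloc(size_t n)
{
    void *p = malloc(n ? n : 1);
    if (p != NULL)
        nb_allocs++;
    return p;
}

static void nb_free(void *p)
{
    if (p != NULL) {
        nb_frees++;
        free(p);
    }
}

/* What "comment out the assert" leaves: a fresh buffer on every call and
 * the previous dst->buf dropped on the floor. */
static bool
netbuf_copybuf_leaky(struct netbuf *dst, const struct netbuf *src)
{
    void *p = nb_alloc(src->len);
    if (p == NULL)
        return false;
    memcpy(p, src->buf, src->len);
    dst->buf = p;                       /* old dst->buf leaks here */
    dst->maxlen = dst->len = src->len;
    return true;
}

/* Reuse dst->buf when its capacity already fits src; only otherwise free
 * and reallocate. No assert, so a reused netbuf is never a daemon crash
 * (assumed policy, not the exact test in the real patch). */
static bool
netbuf_copybuf(struct netbuf *dst, const struct netbuf *src)
{
    if (dst->buf == NULL || dst->maxlen < src->len) {
        void *p = nb_alloc(src->len);
        if (p == NULL)
            return false;               /* dst left untouched on failure */
        nb_free(dst->buf);
        dst->buf = p;
        dst->maxlen = src->len;
    }
    memcpy(dst->buf, src->buf, src->len);
    dst->len = src->len;
    return true;
}

static void
netbuf_free(struct netbuf *nb)
{
    nb_free(nb->buf);
    nb->buf = NULL;
    nb->maxlen = nb->len = 0;
}

/* Copy a constructed sample into one dst `rounds` times, release dst, and
 * report allocations minus frees: 0 means nothing leaked. */
static int
outstanding_after(bool (*copy)(struct netbuf *, const struct netbuf *),
                  unsigned int rounds)
{
    static const char sample[] = "127.0.0.1.0.111";   /* constructed uaddr */
    struct netbuf src = { sizeof sample, sizeof sample, (void *)sample };
    struct netbuf dst = { 0, 0, NULL };

    nb_allocs = nb_frees = 0;
    for (unsigned int i = 0; i < rounds; i++)
        if (!copy(&dst, &src))
            return -1;
    netbuf_free(&dst);
    return (int)nb_allocs - (int)nb_frees;
}

/* Growing case: a short copy followed by a longer one must reallocate
 * exactly once, free the old buffer, and hold the new contents. */
static bool
grow_case_ok(void)
{
    static const char a[] = "short";
    static const char b[] = "considerably longer sample";
    struct netbuf sa = { sizeof a, sizeof a, (void *)a };
    struct netbuf sb = { sizeof b, sizeof b, (void *)b };
    struct netbuf dst = { 0, 0, NULL };
    bool ok;

    nb_allocs = nb_frees = 0;
    ok = netbuf_copybuf(&dst, &sa) && netbuf_copybuf(&dst, &sb)
         && dst.len == sizeof b && memcmp(dst.buf, b, sizeof b) == 0
         && nb_allocs == 2 && nb_frees == 1;
    netbuf_free(&dst);
    return ok && nb_frees == 2;
}

int main(void)
{
    printf("leaky copy, 3 rounds: %d buffers outstanding\n",
           outstanding_after(netbuf_copybuf_leaky, 3));
    printf("reusing copy, 3 rounds: %d buffers outstanding\n",
           outstanding_after(netbuf_copybuf, 3));
    printf("grow case: %s\n", grow_case_ok() ? "ok" : "FAILED");
    return 0;
}
```

The point of the counters is the same one the thread circles around: removing the assert trades a remotely triggerable abort for a slow leak in a long-running daemon, while reusing or freeing the existing buffer removes both.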
On Sep 30, 2015, at 6:04 PM, Xin Li <delphij at delphij.net> wrote:
>
> Please try the attached patch, which will reallocate buffer only when
> the passed in netbuf is of a different size.

Patch installed and things appear to be running ok. Will monitor the next 24hrs and report back if any problems.

-- 
Robert
inoc.net!rblayzor
Jabber: rblayzor.AT.inoc.net
PGP Key: 78BEDCE1 @ pgp.mit.edu
On Sep 30, 2015, at 6:04 PM, Xin Li <delphij at delphij.net> wrote:
>
> Please try the attached patch, which will reallocate buffer only when
> the passed in netbuf is of a different size.

Looks like this patch did the trick. It's been several hours, and rpcbind seems happy along with all other RPC services.

-- 
Robert
inoc.net!rblayzor
Jabber: rblayzor.AT.inoc.net
PGP Key: 78BEDCE1 @ pgp.mit.edu