David Wolfskill
2012-Aug-27 13:13 UTC
FreeBSD/i386 stable/9 @239722: REDZONE: Buffer underflow detected
I've been tracking stable/9 on a daily basis on one of the slices of my laptop for a while now, but just happened to review the scrollback on vty0 this morning, and noticed the (highlighted, though that doesn't show up in the below cut/paste) whines "REDZONE: Buffer underflow detected...."

I included a few lines before & after to provide some context.

As far as I have been able to tell, it's running OK; still, perhaps there's something worth chasing down?

The uname -a output is:

FreeBSD g1-227.catwhisker.org 9.1-PRERELEASE FreeBSD 9.1-PRERELEASE #228 239646M: Fri Aug 24 04:58:07 PDT 2012 root@g1-227.catwhisker.org:/usr/obj/usr/src/sys/CANARY i386

though the GRN there is a little bit misleading, as both kernel & userland were rebuilt with sources @239722M around 05:00 hrs. this morning US/Pacific time.

Anyway, here's the cut/paste:

...
Mounting local file systems:.
Setting hostname: localhost.
Starting dhclient.
em0: no link .............. giving up
/etc/rc.d/dhclient: WARNING: failed to start dhclient
wlan0: Ethernet address: 00:21:6a:26:34:c0
Starting wpa_supplicant.
Starting dhclient.
wlan0: no link ......wlan0: link state changed to UP
 got link
dhclient: /etc/dhclient-enter-hooks invoked with reason PREINIT
dhclient: Setting hostname from localhost to null string
dhclient: /etc/dhclient-exit-hooks invoked with reason PREINIT
dhclient: reason was PREINIT; no action taken
dhclient: Exiting /etc/dhclient-exit-hooks (PREINIT) with exit_status 0
DHCPREQUEST on wlan0 to 255.255.255.255 port 67
DHCPACK from 172.17.0.1
Expensive timeout(9) function: 0xc0b91b10(0) 0.010922407 s
bound to 172.17.1.227 -- renewal in 43200 seconds.
Starting Network: lo0 em0 iwn0 fwe0 fwip0 ipfw0.
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0xe
	inet 127.0.0.1 netmask 0xff000000
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
	ether 00:24:e8:9c:11:0f
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	media: Ethernet autoselect
	status: no carrier
iwn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 2290
	ether 00:21:6a:26:34:c0
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	media: IEEE 802.11 Wireless Ethernet autoselect mode 11g
	status: associated
fwe0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 4a:4f:c0:37:06:01
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	ch 1 dma -1
fwip0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
	lladdr 4a.4f.c0.0.10.37.6.1.a.2.ff.fe.0.0.0.0
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
Starting devd.
REDZONE: Buffer underflow detected. 1 byte corrupted before 0xced40080 (4294966796 bytes allocated).
Allocation backtrace:
#0 0xc0ce5fef at redzone_setup+0xcf
#1 0xc0a5a959 at malloc+0x1d9
#2 0xc0a9b200 at devctl_queue_data_f+0x40
#3 0xc0aa066a at devaddq+0x20a
#4 0xc0a9d58c at device_attach+0x46c
#5 0xc0a9e35b at bus_generic_attach+0x2b
#6 0xc0530cf5 at acpi_pci_attach+0x185
#7 0xc0a9d489 at device_attach+0x369
#8 0xc0a9e35b at bus_generic_attach+0x2b
#9 0xc0532e52 at acpi_pcib_attach+0x262
#10 0xc053414f at acpi_pcib_pci_attach+0x9f
#11 0xc0a9d489 at device_attach+0x369
#12 0xc0a9e35b at bus_generic_attach+0x2b
#13 0xc0530cf5 at acpi_pci_attach+0x185
#14 0xc0a9d489 at device_attach+0x369
#15 0xc0a9e35b at bus_generic_attach+0x2b
#16 0xc0532e52 at acpi_pcib_attach+0x262
#17 0xc0533845 at acpi_pcib_acpi_attach+0x2c5
Free backtrace:
#0 0xc0ce62aa at redzone_check+0x1ca
#1 0xc0a5a9a8 at free+0x38
#2 0xc0a9b086 at devread+0x1a6
#3 0xc0a256d7 at giant_read+0x87
#4 0xc096e292 at devfs_read_f+0xc2
#5 0xc0ab6f29 at dofileread+0x99
#6 0xc0ab6b48 at sys_read+0x98
#7 0xc0ddc197 at syscall+0x387
#8 0xc0dc4f51 at Xint0x80_syscall+0x21
REDZONE: Buffer overflow detected. 10 bytes corrupted after 0xced3fe8c (4294966796 bytes allocated).
Allocation backtrace:
#0 0xc0ce5fef at redzone_setup+0xcf
#1 0xc0a5a959 at malloc+0x1d9
#2 0xc0a9b200 at devctl_queue_data_f+0x40
#3 0xc0aa066a at devaddq+0x20a
#4 0xc0a9d58c at device_attach+0x46c
#5 0xc0a9e35b at bus_generic_attach+0x2b
#6 0xc0530cf5 at acpi_pci_attach+0x185
#7 0xc0a9d489 at device_attach+0x369
#8 0xc0a9e35b at bus_generic_attach+0x2b
#9 0xc0532e52 at acpi_pcib_attach+0x262
#10 0xc053414f at acpi_pcib_pci_attach+0x9f
#11 0xc0a9d489 at device_attach+0x369
#12 0xc0a9e35b at bus_generic_attach+0x2b
#13 0xc0530cf5 at acpi_pci_attach+0x185
#14 0xc0a9d489 at device_attach+0x369
#15 0xc0a9e35b at bus_generic_attach+0x2b
#16 0xc0532e52 at acpi_pcib_attach+0x262
#17 0xc0533845 at acpi_pcib_acpi_attach+0x2c5
Free backtrace:
#0 0xc0ce63f2 at redzone_check+0x312
#1 0xc0a5a9a8 at free+0x38
#2 0xc0a9b086 at devread+0x1a6
#3 0xc0a256d7 at giant_read+0x87
#4 0xc096e292 at devfs_read_f+0xc2
#5 0xc0ab6f29 at dofileread+0x99
#6 0xc0ab6b48 at sys_read+0x98
#7 0xc0ddc197 at syscall+0x387
#8 0xc0dc4f51 at Xint0x80_syscall+0x21
Starting Network: usbus0.
Starting Network: usbus1.
Starting Network: usbus2.
Starting Network: usbus3.
Starting Network: usbus4.
Starting Network: usbus5.
Starting Network: usbus6.
Starting Network: usbus7.
Starting Network: fwe0.
fwe0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 4a:4f:c0:37:06:01
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	ch 1 dma -1
Starting Network: fwip0.
fwip0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
	lladdr 4a.4f.c0.0.10.37.6.1.a.2.ff.fe.0.0.0.0
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
dhclient already running? (pid=699).
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
add net fe80::: gateway ::1
add net ff02::: gateway ::1
...

I'll be happy to test patches.

Peace,
david
-- 
David H. Wolfskill david@catwhisker.org
Depriving a girl or boy of an opportunity for education is evil.
See http://www.catwhisker.org/~david/publickey.gpg for my public key.
John Baldwin
2012-Aug-27 18:41 UTC
FreeBSD/i386 stable/9 @239722: REDZONE: Buffer underflow detected
On Monday, August 27, 2012 9:13:11 am David Wolfskill wrote:
> Starting devd.
> REDZONE: Buffer underflow detected. 1 byte corrupted before 0xced40080(4294966796 bytes allocated).

This size seems way outlandish. The only malloc in devctl_queue_data_f() is:

	struct dev_event_info *n1 = NULL, *n2 = NULL;
	...
	n1 = malloc(sizeof(*n1), M_BUS, flags);

On amd64 that structure's size is 24 bytes. On i386 it is probably similar. Certainly not 4GB. I cannot see any overflow bugs with 'struct dev_event_info' objects. In this case I think the redzone metadata that specified the object's size was corrupted, but I've no idea how that could occur.

-- 
John Baldwin
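
An added example, not part of the thread and not FreeBSD's redzone code: a small userland model of a guard-byte check that reads the object size from stored metadata, run with the address and size from the report above. The layout, guard length, fill byte and arena base address are assumptions of the model; it shows that once only the stored size is overwritten with 4294966796 (2^32 - 500), 32-bit arithmetic places the rear guard at 0xced3fe8c, the address in the overflow message.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define GUARD 16u          /* guard length: assumption of this model */
#define FILL  0x42         /* guard fill byte: assumption of this model */
#define BASE  0xced3f000u  /* constructed 32-bit address of arena[0] */
static uint8_t arena[8192];   /* stands in for kernel memory */
struct report { uint32_t size, under, over, rear; };

/* Rear guard location as a 32-bit checker computes it: wraps mod 2^32. */
uint32_t rear_guard_addr(uint32_t addr, uint32_t size) { return addr + size; }

/* Count guard bytes that no longer hold FILL; outside the arena = all bad. */
static uint32_t bad_bytes(uint32_t addr) {
    uint32_t off = addr - BASE, n = 0;
    if (off > sizeof(arena) - GUARD) return GUARD;
    for (uint32_t i = 0; i < GUARD; i++) n += arena[off + i] != FILL;
    return n;
}

/* Model layout: [size:4][front guard][object][rear guard]. */
void rz_setup(uint32_t addr, uint32_t size) {
    uint32_t off = addr - BASE;
    memcpy(&arena[off - GUARD - 4], &size, 4);
    memset(&arena[off - GUARD], FILL, GUARD);
    memset(&arena[off + size], FILL, GUARD);
}

/* The free-time check: every location is derived from the stored size. */
struct report rz_check(uint32_t addr) {
    struct report r;
    memcpy(&r.size, &arena[addr - BASE - GUARD - 4], 4);
    r.under = bad_bytes(addr - GUARD);
    r.rear  = rear_guard_addr(addr, r.size);
    r.over  = bad_bytes(r.rear);
    return r;
}

/* Overwrite only the stored size; object and both guards stay intact. */
void corrupt_size(uint32_t addr, uint32_t bogus) {
    memcpy(&arena[addr - BASE - GUARD - 4], &bogus, 4);
}

int main(void) {
    rz_setup(0xced40080u, 24);               /* address from the report, 24-byte object */
    struct report a = rz_check(0xced40080u);
    corrupt_size(0xced40080u, 4294966796u);  /* size printed in the report */
    struct report b = rz_check(0xced40080u);
    printf("intact: size=%u over=%u; corrupt: size=%u over=%u rear=0x%x\n",
           a.size, a.over, b.size, b.over, b.rear);
}
```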