
Fix core corruption caused by race in note_procstat_vmmap
ClosedPublic

Authored by cem on Oct 6 2015, 3:26 AM.
Details

Summary

This fix is spiritually similar to r287442 and was discovered thanks to
the KASSERT added in that revision.

NT_PROCSTAT_VMMAP output length, when packing kinfo structs, is tied to
the length of filenames corresponding to vnodes in the process' vm map
via vn_fullpath. As vnodes may move during coredump, this is racy.

We do not remove the race, only prevent it from causing coredump
corruption.

  • Add a sysctl, kern.coredump_pack_vmmapinfo, to allow users to disable kinfo packing for PROCSTAT_VMMAP notes. This avoids VMMAP corruption and truncation, even if names change, at the cost of up to PATH_MAX bytes per mapped object. The new sysctl is documented in core.5.
  • Fix note_procstat_vmmap to self-limit in the second pass. This addresses corruption, at the cost of sometimes producing a truncated result.
  • Fix PROCSTAT_VMMAP consumers libutil (and libprocstat, via copy-paste) to grok the new zero padding.

Reported by: pho (https://people.freebsd.org/~pho/stress/log/datamove4-2.txt)
Relnotes: yes
Sponsored by: EMC / Isilon Storage Division
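The two halves of the fix described above, as an added example in C that is not code from this revision, from libprocstat or from the FreeBSD kernel: a producer that self-limits during the fill pass when a path has grown since the sizing pass (leaving the unused tail of the note zero-filled instead of overrunning or truncating mid-record), and a consumer that walks the packed records and treats a zero kve_structsize as end of data. The struct layout (a three-member stand-in for kinfo_vmentry with kve_structsize first), the names vm_head, vm_input, vmmap_pack, vmmap_walk and example_truncated_count, and the sample mappings are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, minimal stand-in for the fixed-size head of FreeBSD's
 * struct kinfo_vmentry (an assumption for this example): kve_structsize is
 * the first member, as in the real struct, and a NUL-terminated path follows
 * the head in each packed record. */
struct vm_head {
    int      kve_structsize; /* bytes in this record: head + path + NUL */
    uint64_t kve_start;
    uint64_t kve_end;
};

/* What the fill pass has in hand for each mapping (assumed shape). */
struct vm_input {
    uint64_t    start, end;
    const char *path;
};

/* Producer side ("second pass"): fill buf (cap bytes, zero-filled by the
 * caller) with packed records. If an entry no longer fits because its path
 * grew after the sizing pass, stop rather than overrun; the untouched tail
 * stays zero, which the consumer treats as end of data.
 * Returns the number of bytes written. */
size_t vmmap_pack(unsigned char *buf, size_t cap, const struct vm_input *in, size_t n)
{
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        size_t plen = strlen(in[i].path) + 1;
        size_t rec  = sizeof(struct vm_head) + plen;
        if (rec > cap - off)
            break;                       /* self-limit instead of overrunning */
        struct vm_head h = { (int)rec, in[i].start, in[i].end };
        memcpy(buf + off, &h, sizeof h);
        memcpy(buf + off + sizeof h, in[i].path, plen);
        off += rec;
    }
    return off;
}

/* Consumer side (libutil/libprocstat style): walk packed records, stopping at
 * a zero kve_structsize (the zero padding of an undersized note). Returns the
 * number of records, or -1 on a malformed record (size smaller than the head,
 * size running past the buffer, or path not NUL-terminated in the record). */
int vmmap_walk(const unsigned char *buf, size_t len,
               void (*cb)(const struct vm_head *, const char *, void *), void *arg)
{
    size_t off = 0;
    int n = 0;
    while (off + sizeof(int) <= len) {
        struct vm_head h;
        int size;
        memcpy(&size, buf + off, sizeof size);
        if (size == 0)
            break;                       /* zero padding: note ends here */
        if (size < (int)sizeof h + 1 || (size_t)size > len - off)
            return -1;
        memcpy(&h, buf + off, sizeof h); /* copy out: avoids unaligned access */
        const char *path = (const char *)(buf + off + sizeof h);
        if (memchr(path, '\0', (size_t)size - sizeof h) == NULL)
            return -1;
        if (cb)
            cb(&h, path, arg);
        off += (size_t)size;
        n++;
    }
    return n;
}

/* Constructed scenario: the sizing pass saw three short paths, but by the
 * fill pass the third vnode's path has grown (as if renamed). The note was
 * sized for the short paths, so the third record no longer fits; the
 * consumer should see exactly two intact records and no corruption. */
int example_truncated_count(void)
{
    const struct vm_input grown[] = {
        { 0x1000, 0x2000, "/bin/sh" },
        { 0x2000, 0x3000, "/lib/libc.so.7" },
        { 0x3000, 0x4000, "/usr/local/lib/some/very/long/renamed/path/libfoo.so.1" },
    };
    const char *sized_paths[] = { "/bin/sh", "/lib/libc.so.7", "/tmp/libfoo.so.1" };
    size_t sized_cap = 0;
    for (size_t i = 0; i < 3; i++)
        sized_cap += sizeof(struct vm_head) + strlen(sized_paths[i]) + 1;

    unsigned char buf[256] = { 0 };      /* zero-filled, like the note buffer */
    vmmap_pack(buf, sized_cap, grown, 3);
    return vmmap_walk(buf, sized_cap, NULL, NULL);
}
```

Without the self-limit, the producer would write the third record past the sized note and a consumer that trusts kve_structsize blindly would read garbage; with it, the note is shorter than the mapping count implies (the truncation the summary accepts) but every record it does contain is well-formed, and the zero head is the only signal the consumer needs.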

Diff Detail

Repository
rS FreeBSD src repository - subversion

Event Timeline

cem retitled this revision from to Fix core corruption caused by race in note_procstat_vmmap.
cem updated this object.
cem edited the test plan for this revision.
cem added reviewers: bjk, jhb, kib, wblock, markj.
cem added a subscriber: benno.
cem edited edge metadata.
lib/libprocstat/libprocstat.c:1870 (On Diff #9180)

How does a record with kve_structsize == 0 get emitted?

lib/libprocstat/libprocstat.c:1870 (On Diff #9180)

Undersized notes are padded with zero bytes, and kve_structsize is the first member of the struct. It's exactly the same as kf_structsize == 0 for FILE notes.

This revision was automatically updated to reflect the committed changes.