
Fix core corruption caused by race in note_procstat_vmmap
Closed, Public

Authored by cem on Oct 6 2015, 3:26 AM.
Details

Summary

This fix is spiritually similar to r287442 and was discovered thanks to
the KASSERT added in that revision.

NT_PROCSTAT_VMMAP output length, when packing kinfo structs, is tied to
the length of filenames corresponding to vnodes in the process' vm map
via vn_fullpath. As vnodes may move during coredump, this is racy.

We do not remove the race, only prevent it from causing coredump
corruption.

  • Add a sysctl, kern.coredump_pack_vmmapinfo, to allow users to disable kinfo packing for PROCSTAT_VMMAP notes. This avoids VMMAP corruption and truncation, even if names change, at the cost of up to PATH_MAX bytes per mapped object. The new sysctl is documented in core.5.
  • Fix note_procstat_vmmap to self-limit in the second pass. This addresses corruption, at the cost of sometimes producing a truncated result.
  • Fix PROCSTAT_VMMAP consumers libutil (and libprocstat, via copy-paste) to grok the new zero padding.

Reported by: pho (https://people.freebsd.org/~pho/stress/log/datamove4-2.txt)
Relnotes: yes
Sponsored by: EMC / Isilon Storage Division

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 694
Build 694: arc lint + arc unit

Event Timeline

cem retitled this revision from to Fix core corruption caused by race in note_procstat_vmmap.
cem updated this object.
cem edited the test plan for this revision. (Show Details)
cem added reviewers: bjk, jhb, kib, wblock, markj.
cem added a subscriber: benno.
cem edited edge metadata.
lib/libprocstat/libprocstat.c:1870
How does a record with kve_structsize == 0 get emitted?

lib/libprocstat/libprocstat.c:1870
Undersized notes are padded with zero bytes, and kve_structsize is the first member of the struct. It's exactly the same as kf_structsize == 0 for FILE notes.
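Worked example, added here and not code from FreeBSD or from this revision: it models the two sides described in the summary and in the reply above with a constructed stand-in record type (struct demo_vmentry is not the layout of the real struct kinfo_vmentry). The writer packs each record to the length of its path, stops rather than overruns when a fixed-length note turns out too small (leaving the tail zero), and the consumer treats a leading kve_structsize of zero as padding while rejecting a size field that is inconsistent with the note. All demo_* names and the sample mappings are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Constructed stand-in for struct kinfo_vmentry (NOT FreeBSD's real layout):
 * only the fields the walk needs. kve_structsize is the first member, which
 * is what makes a zero byte there unambiguous padding.
 */
struct demo_vmentry {
	uint32_t kve_structsize;	/* bytes of this record as packed in the note */
	uint64_t kve_start;
	uint64_t kve_end;
	char	 kve_path[32];		/* fixed in memory, packed to strlen+1 in the note */
};

#define DEMO_ROUNDUP8(x) (((x) + 7) & ~(size_t)7)

/* Packed length of one entry: header up to kve_path plus the NUL-terminated path. */
static size_t
demo_packed_len(const struct demo_vmentry *e)
{
	return (DEMO_ROUNDUP8(offsetof(struct demo_vmentry, kve_path) +
	    strlen(e->kve_path) + 1));
}

/*
 * Second pass of a hypothetical note writer. note_len was fixed earlier; an
 * entry that no longer fits ends emission instead of writing past the note,
 * and the untouched tail stays zero. Returns the number of entries written.
 */
int
demo_pack_vmmap(const struct demo_vmentry *ents, int n, unsigned char *note,
    size_t note_len)
{
	size_t off = 0;
	int i;

	memset(note, 0, note_len);
	for (i = 0; i < n; i++) {
		size_t sz = demo_packed_len(&ents[i]);
		struct demo_vmentry tmp = ents[i];

		if (sz > note_len - off)	/* self-limit: truncate, never overrun */
			break;
		tmp.kve_structsize = (uint32_t)sz;
		memcpy(note + off, &tmp, sz);
		off += sz;
	}
	return (i);
}

/*
 * Consumer side: expand packed records into full structs. A zero
 * kve_structsize is padding, not a record. Returns records found, or -1 if a
 * size field cannot be trusted (too small, larger than the struct, or past
 * the end of the note).
 */
int
demo_walk_vmmap(const unsigned char *note, size_t note_len,
    struct demo_vmentry *out, int max)
{
	size_t off = 0;
	int cnt = 0;

	while (off + sizeof(uint32_t) <= note_len && cnt < max) {
		uint32_t sz;

		memcpy(&sz, note + off, sizeof(sz));
		if (sz == 0)			/* zero padding: end of records */
			break;
		if (sz < offsetof(struct demo_vmentry, kve_path) + 1 ||
		    sz > sizeof(struct demo_vmentry) || sz > note_len - off)
			return (-1);		/* corrupt note: refuse to parse */
		memset(&out[cnt], 0, sizeof(out[cnt]));	/* pre-zero: short path stays NUL-terminated */
		memcpy(&out[cnt], note + off, sz);
		off += sz;
		cnt++;
	}
	return (cnt);
}

/*
 * Pack two constructed mappings into a note of the given length and read
 * them back. Returns the number of records recovered, or -1 if the consumer
 * disagrees with the writer or a record round-trips wrong.
 */
int
demo_roundtrip(size_t note_len)
{
	struct demo_vmentry in[2] = {
		{ 0, 0x800000000ULL, 0x800200000ULL, "/lib/libc.so.7" },
		{ 0, 0x400000ULL, 0x401000ULL, "/usr/bin/demo" },
	};
	struct demo_vmentry out[2];
	unsigned char note[256];
	int written, got, i;

	if (note_len > sizeof(note))
		return (-1);
	written = demo_pack_vmmap(in, 2, note, note_len);
	got = demo_walk_vmmap(note, note_len, out, 2);
	if (got != written)
		return (-1);
	for (i = 0; i < got; i++)
		if (out[i].kve_start != in[i].kve_start ||
		    strcmp(out[i].kve_path, in[i].kve_path) != 0)
			return (-1);
	return (got);
}

/* A record claiming more bytes than the note holds must be rejected (-1). */
int
demo_reject_oversized(void)
{
	unsigned char bad[16] = { 0 };
	struct demo_vmentry out[1];
	uint32_t sz = 200;

	memcpy(bad, &sz, sizeof(sz));
	return (demo_walk_vmmap(bad, sizeof(bad), out, 1));
}
```

With the constructed layout each sample record packs to 40 bytes, so a 128-byte note carries both and 48 zero bytes of padding, a 64-byte note carries only the first (the consumer stops at the zero kve_structsize that follows it), and a 16-byte note carries none. The bounds checks in demo_walk_vmmap are the consumer-side counterpart of the writer's self-limit: a core file is untrusted input to whatever reads it, so a size field is validated against both the struct and the remaining note before it drives a memcpy.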

This revision was automatically updated to reflect the committed changes.