[haiku-bugs] Re: [Haiku] #10259: CDDA-related KDL: ASCII string corrupts kernel structures
- From: "ttcoder" <trac@xxxxxxxxxxxx>
- Date: Thu, 28 Nov 2013 15:26:56 -0000
#10259: CDDA-related KDL: ASCII string corrupts kernel structures
---------------------------------+----------------------------
Reporter: ttcoder | Owner: axeld
Type: bug | Status: assigned
Priority: normal | Milestone: R1
Component: File Systems/cdda | Version: R1/Development
Resolution: | Keywords:
Blocked By: | Blocking:
Has a Patch: 0 | Platform: All
---------------------------------+----------------------------
Comment (by ttcoder):
That {{{out == sizeof...}}} test (instead of >= ) seems super dangerous
and worth fixing indeed, there might be a use-case which triggers it; but
if triggered, wouldn't it become a "runaway" (extensive) memory corruption
crashing immediately, rather than a limited one which is stumbled upon by
somebody else as occurs here?
=====
I've shut down the concerned computer this morning, but only after
collecting a memory dump of the suspect areas, showing what's before and
after to get a sense of what might be out of place. EvilYak motivated me
into thinking that it might be possible to collect useful data after,
there's no certainty at all that the gone has gone to the weeds higher up,
it's probably only the data segments which are affected but not code
segments.
Looking at the memory dumps might ring a bell for someone more familiar
with the haiku internals.
Some commentary/thinking out loud..
- to recap, the starting point of it all is indirection on invalid
"pointer" {{{54202d40}}} which is in fact a series of ascii chars from CD
volume name "jogeir... - the wanderer".
- that volume name string is stored at address {{{df0778f0}}}.
- the _user_stop_notifying() code collected what it thought was a pointer,
in the middle of that volume name string (a few bytes further down, at
address {{{df077900}}}), because it indirected a pointer located at
address {{{df07c2d0}}} that points there.
- I did a contextual memory dump around the volume name string, to see if
it seems out of place, and a contextual dump around the pointer that
(incorrectly) indirects into that string, to see if it could be out of
place too.
- the {{{df077900}}} pointer is surrounded by other, similar values, in
what appears to be an array of structs of size 32 bytes: you can see value
{{{df077920}}}, {{{df077960}}} ..etc; the memory at address {{{df077920}}}
..etc, is located just below the "wanderer.." string and contains values
like {{{801a9fe0}}}; assuming these are legit, this would validate the
idea that there used to be a similar value on the three lines above, which
were clobbered by the "wanderer.." string (and also the "tcp data"
string..?), and the {{{df077900}}} pointer would just be innocent/legit:
when it tried to access the pointer there to perform its stop-notifying()
chore, the pointer was gone and replaced by 'T - ' instead, an ascii
string. Trying to indirect it -> Boom.
- on the other hand, the "- The wanderer..." string seems to be just an
strdup()ed string in the middle of other strdup()ed strings (suspiciously
close to the bottom "edge" of that bunch of strings tho, but let's suspend
disbelief), so maybe it is not out of place, and it is the {{{df077900}}}
pointer which has gone bad, or even the whole set of pointers beside it on
or about {{{df07c2d0}}} which are out of place.
--
Ticket URL: <http://dev.haiku-os.org/ticket/10259#comment:7>
Haiku <http://dev.haiku-os.org>
Haiku - the operating system.
Other related posts:
