On Wed, Oct 17, 2018 at 04:20:18PM +0200, [email protected] wrote:
> >Synopsis:	fmt(1) causes a trap with activated canaries
> >Category:	system
> >Environment:
> 	System      : OpenBSD 6.3
> 	Details     : OpenBSD 6.3 (GENERIC) #11: Thu Sep 20 15:53:36 CEST 2018
> 			 [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC
> 
> 	Architecture: OpenBSD.amd64
> 	Machine     : amd64
> >Description:
> 	This problem has been found while using fmt(1) to reflow
> 	mail in mutt. The test case has been found with afl. Without
> 	any malloc.conf settings the free() call in fmt will not
> 	cause a trap (of course). But with an activated canary in
> 	malloc.conf it causes a trap. Other inputs may trigger
> 	similar errors; this has been the smallest one I could find.
> 	This has been tested on 6.3 and a -current snapshot of Sep
> 	30th.
> >How-To-Repeat:
> 	Create a file t:
> 	0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
> 	00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
> 	(100 '0's on one line followed by 101 '0's on the second)
> 
> 	Set the C flag on malloc.conf.
> 	ls -l /etc/malloc.conf
> 	lrwxr-xr-x  1 root  wheel  1 Oct 17 15:42 /etc/malloc.conf -> C
> 
> 	Run 'fmt t'
> 	fmt(39666) in realloc(): chunk canary corrupted 0xfc10db83780 0x64@0x64
> 	Abort trap
Also seen in the Oct 11 snapshot (amd64):

    $ MALLOC_OPTIONS=C fmt file
    fmt(27646) in realloc(): chunk canary corrupted 0x523a4d89080 0x64@0x64
    Abort trap (core dumped)

Andreas

> 
> >Fix:
> 	I have not worked on a fix yet, since I don't know whether
> 	this is a known problem. The error seems to lie in the
> 	canary code, but I am not familiar with it.
> 
> dmesg:
> OpenBSD 6.3 (GENERIC) #11: Thu Sep 20 15:53:36 CEST 2018
>     [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC
> real mem = 1056817152 (1007MB)
> avail mem = 1017868288 (970MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xf59c0 (9 entries)
> bios0: vendor SeaBIOS version "rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org" date 04/01/2014
> bios0: QEMU Standard PC (i440FX + PIIX, 1996)
> acpi0 at bios0: rev 0
> acpi0: sleep states S3 S4 S5
> acpi0: tables DSDT FACP APIC HPET
> acpi0: wakeup devices
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Virtual CPU a7769a6388d5, 2400.47 MHz
> cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,PCLMUL,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,RDTSCP,LONG,LAHF,ABM,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,ARAT,XSAVEOPT,MELTDOWN
> cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 16-way L2 cache
> cpu0: ITLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
> cpu0: DTLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
> cpu0: apic clock running at 999MHz
> ioapic0 at mainbus0: apid 0 pa 0xfec00000, version 11, 24 pins
> acpihpet0 at acpi0: 100000000 Hz
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpicpu0 at acpi0: C1(@1 halt!)
> "ACPI0006" at acpi0 not configured
> "PNP0A06" at acpi0 not configured
> "PNP0A06" at acpi0 not configured
> "PNP0A06" at acpi0 not configured
> "QEMU0002" at acpi0 not configured
> "ACPI0010" at acpi0 not configured
> pvbus0 at mainbus0: KVM
> pci0 at mainbus0 bus 0
> pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
> pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
> pciide0 at pci0 dev 1 function 1 "Intel 82371SB IDE" rev 0x00: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
> pciide0: channel 0 disabled (no drives)
> atapiscsi0 at pciide0 channel 1 drive 0
> scsibus1 at atapiscsi0: 2 targets
> cd0 at scsibus1 targ 0 lun 0: <QEMU, QEMU DVD-ROM, 2.5+> ATAPI 5/cdrom removable
> cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
> uhci0 at pci0 dev 1 function 2 "Intel 82371SB USB" rev 0x01: apic 0 int 11
> piixpm0 at pci0 dev 1 function 3 "Intel 82371AB Power" rev 0x03: apic 0 int 9
> iic0 at piixpm0
> vga1 at pci0 dev 2 function 0 "Cirrus Logic CL-GD5446" rev 0x00
> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> virtio0 at pci0 dev 3 function 0 "Qumranet Virtio Network" rev 0x00
> vio0 at virtio0: address 56:00:00:63:f9:a8
> virtio0: msix shared
> virtio1 at pci0 dev 4 function 0 "Qumranet Virtio Storage" rev 0x00
> vioblk0 at virtio1
> scsibus2 at vioblk0: 2 targets
> sd0 at scsibus2 targ 0 lun 0: <VirtIO, Block Device, > SCSI3 0/direct fixed
> sd0: 25600MB, 512 bytes/sector, 52428800 sectors
> virtio1: msix shared
> virtio2 at pci0 dev 5 function 0 "Qumranet Virtio Memory" rev 0x00
> viomb0 at virtio2
> virtio2: apic 0 int 10
> virtio3 at pci0 dev 6 function 0 "Qumranet Virtio RNG" rev 0x00
> viornd0 at virtio3
> virtio3: apic 0 int 10
> isa0 at pcib0
> isadma0 at isa0
> fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
> pckbc0 at isa0 port 0x60/5 irq 1 irq 12
> pckbd0 at pckbc0 (kbd slot)
> wskbd0 at pckbd0: console keyboard, using wsdisplay0
> pms0 at pckbc0 (aux slot)
> wsmouse0 at pms0 mux 0
> pcppi0 at isa0 port 0x61
> spkr0 at pcppi0
> usb0 at uhci0: USB revision 1.0
> uhub0 at usb0 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
> uhidev0 at uhub0 port 1 configuration 1 interface 0 "QEMU QEMU USB Tablet" rev 2.00/0.00 addr 2
> uhidev0: iclass 3/0
> ums0 at uhidev0: 3 buttons, Z dir
> wsmouse1 at ums0 mux 0
> vscsi0 at root
> scsibus3 at vscsi0: 256 targets
> softraid0 at root
> scsibus4 at softraid0: 256 targets
> root on sd0a (3e42872db93f9870.a) swap on sd0b dump on sd0b
> fd0 at fdc0 drive 1: density unknown
> 
> usbdevs:
> Controller /dev/usb0:
> addr 1: full speed, self powered, config 1, UHCI root hub(0x0000), Intel(0x8086), rev 1.00
>  port 1 addr 2: full speed, power 100 mA, config 1, QEMU USB Tablet(0x0001), QEMU(0x0627), rev 0.00, iSerialNumber 42
>  port 2 powered

-- 
Andreas Kusalananda Kähäri,
National Bioinformatics Infrastructure Sweden (NBIS),
Uppsala University, Sweden.
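A scripted version of the How-To-Repeat steps quoted above, added here for triage and not part of either mail: it rebuilds the two-line input deterministically, runs fmt(1) with the per-process MALLOC_OPTIONS=C flag (the same chunk canaries the /etc/malloc.conf -> C symlink turns on, without a system-wide change) and turns the exit status into a verdict. It assumes fmt is on PATH and that the shell reports death by signal as 128 + signo.

```shell
#!/bin/sh
# Added reproduction harness for the fmt(1) chunk-canary report; not part
# of the original mail. Rebuilds the How-To-Repeat input and runs fmt under
# MALLOC_OPTIONS=C, which enables chunk canaries for this process only.

# Print N '0' characters followed by a newline.
zeros() {
    awk -v n="$1" 'BEGIN { for (i = 0; i < n; i++) printf "0"; printf "\n" }'
}

# Build the test file: 100 zeros on line one, 101 zeros on line two.
make_input() {
    { zeros 100; zeros 101; } > "$1"
}

# Map a shell exit status to a verdict. Shells report death by signal as
# 128 + signo; SIGABRT is 6, so 134 is the "Abort trap" from the report.
classify_status() {
    case "$1" in
        0)   echo "clean" ;;
        134) echo "abort" ;;
        *)   echo "other" ;;
    esac
}

# Run fmt on FILE with chunk canaries enabled. stderr is kept in FILE.err so
# the "chunk canary corrupted" diagnostic survives; prints the exit status.
run_fmt() {
    status=0
    MALLOC_OPTIONS=C fmt "$1" > /dev/null 2> "$1.err" || status=$?
    echo "$status"
}

# Stand-alone use: build the input, run it, report the outcome.
main() {
    make_input t
    verdict=$(classify_status "$(run_fmt t)")
    echo "fmt t under MALLOC_OPTIONS=C: $verdict"
    if [ "$verdict" = "abort" ]; then
        cat t.err   # on an affected OpenBSD: fmt(pid) in realloc(): chunk canary corrupted ...
    fi
}

main
```

On a system without OpenBSD's malloc (or a fixed fmt) the verdict is "clean" or "other"; only an affected OpenBSD host yields "abort".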
