http://defect.opensolaris.org/bz/show_bug.cgi?id=2394
Rafael Vanoni <rafael.vanoni at sun.com> changed:
What     | Removed  | Added
---------+----------+-----------
Status   | ACCEPTED | CAUSEKNOWN
--- Comment #5 from Rafael Vanoni <rafael.vanoni at sun.com> 2008-07-16 05:20:22 ---
Further testing showed that this bug is still around.
Running PowerTOP from within dbx(1) and setting a watch on the stdscr variable
caused the execution to stop in the following situation:
(dbx) print `stdscr
More than one identifier 'stdscr'.
Select one of the following:
0) Cancel
1) `powertop`stdscr
2) `libcurses.so.1`stdscr
> 1
`powertop`stdscr = 0
(dbx) where
=>[1] _memcpy(0x41e4a0, 0x41e528, 0x41e560, 0x41e4b0, 0x48, 0x2b0), at
0xfffffd7fff0df757
[2] event_bubblesort(0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x14b8790,
0x4014146b003e7470), at 0x4043e9
[3] show_eventstats(0x0, 0x0, 0x0, 0x0, 0x0, 0x0), at 0x405118
[4] main(0x0, 0x0, 0x0, 0x0, 0x0, 0x0), at 0x40414b
(dbx) up
0x00000000004043e9: event_bubblesort+0x0091: movq %r15,%rdi
(dbx) dis
0x00000000004043ec: event_bubblesort+0x0094: movq %r13,%rsi
0x00000000004043ef: event_bubblesort+0x0097: movq
$0x0000000000000088,%rdx
0x00000000004043f6: event_bubblesort+0x009e: call memcpy [PLT] [
0x403738, .-0xcbe ]
0x00000000004043fb: event_bubblesort+0x00a3: movl
$0x0000000000000001,%eax
0x0000000000404400: event_bubblesort+0x00a8: addq
$0xffffffffffffff78,%r14
0x0000000000404407: event_bubblesort+0x00af: decl %ebx
0x0000000000404409: event_bubblesort+0x00b1: cmpl %r12d,%ebx
0x000000000040440c: event_bubblesort+0x00b4: jge event_bubblesort+0x4e
[ 0x4043a6, .-0x66 ]
0x000000000040440e: event_bubblesort+0x00b6: movl 0x000000000001a0a0
[ 0x1a0a0 ](%rip),%ecx
0x0000000000404414: event_bubblesort+0x00bc: leal
0xfffffffffffffffe(%rcx),%ebx
(dbx)
Looking at display.c : event_bubblesort() revealed that the global variable
top_events, used to index the event_info[EVENT_NUM_MAX] array, wasn't being
checked at all. In some situations, it was reaching values higher than
EVENT_NUM_MAX, causing illegal accesses during memcpy(3C) and a segfault.
The following patch (also attached) fixes this:
--- a/usr/src/cmd/powertop/display.c Wed Jul 16 11:32:10 2008 +0100
+++ b/usr/src/cmd/powertop/display.c Wed Jul 16 13:02:52 2008 +0100
@@ -58,6 +58,14 @@
event_info_t tmp;
int i, j;
int exchange;
+
+ /*
+ * top_events is calculated in events.c:walk() during
+ * pt_events_stat_collect(), but never checked. So we
+ * make sure it's not off limits
+ */
+ if (top_events > EVENT_NUM_MAX)
+ top_events = EVENT_NUM_MAX;
for (i = 0; i < top_events - 1; i++) {
exchange = 0;
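Review bot: the clamp added at the top of event_bubblesort() (`if (top_events > EVENT_NUM_MAX) top_events = EVENT_NUM_MAX;`) protects only this one consumer. As the new comment itself states, top_events is computed in events.c:walk() during pt_events_stat_collect(); if that code also stores into event_info[] while it counts, the out-of-bounds write has already happened before the sort runs, and any other reader of event_info/top_events stays unprotected. Suggest bounding the index in walk() where entries are stored (stop storing once top_events reaches EVENT_NUM_MAX) and keeping this clamp as a secondary check in display.c. Minor: the last sentence of the new block comment is missing its terminating period.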
--
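The following is an added illustration of the defect class described in this comment, not PowerTOP's own code: a constructed, simplified stand-in for the event_info[EVENT_NUM_MAX] table with a producer-side bound on the count (the check the comment says was missing in events.c:walk()), a consumer-side clamp in the sort of the same shape as the patch, and a canary placed right after the array so a test can detect an overrun. The names event_info_t, EVENT_NUM_MAX, top_events and event_bubblesort are reused from the report; their layout here (name/count fields, table size 8) is assumed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the real PowerTOP definitions (assumed layout). */
#define EVENT_NUM_MAX 8

typedef struct {
    char name[32];
    unsigned long count;
} event_info_t;

/* Table plus a canary immediately after it; an unchecked index that runs
 * past event_info[] would clobber top_events or the canary. */
typedef struct {
    event_info_t event_info[EVENT_NUM_MAX];
    int top_events;          /* number of valid entries in event_info[] */
    unsigned long canary;
} event_table_t;

#define CANARY_VALUE 0xC0FFEEUL

void event_table_init(event_table_t *t)
{
    memset(t, 0, sizeof(*t));
    t->canary = CANARY_VALUE;
}

/* Producer-side bound: refuse the entry once the table is full. This is the
 * check the bug report says was missing where top_events is computed.
 * Returns 1 if stored, 0 if dropped. */
int event_add(event_table_t *t, const char *name, unsigned long count)
{
    if (t->top_events < 0 || t->top_events >= EVENT_NUM_MAX)
        return 0;
    event_info_t *e = &t->event_info[t->top_events];
    strncpy(e->name, name, sizeof(e->name) - 1);
    e->name[sizeof(e->name) - 1] = '\0';
    e->count = count;
    t->top_events++;
    return 1;
}

/* Consumer-side clamp plus a descending bubble sort by count, mirroring the
 * shape of the patch: even a stale, over-large top_events cannot drive the
 * memcpy() calls past the array. */
void event_bubblesort(event_table_t *t)
{
    event_info_t tmp;
    int i, j, exchange;

    if (t->top_events > EVENT_NUM_MAX)
        t->top_events = EVENT_NUM_MAX;

    for (i = 0; i < t->top_events - 1; i++) {
        exchange = 0;
        for (j = 0; j < t->top_events - 1 - i; j++) {
            if (t->event_info[j].count < t->event_info[j + 1].count) {
                memcpy(&tmp, &t->event_info[j], sizeof(tmp));
                memcpy(&t->event_info[j], &t->event_info[j + 1], sizeof(tmp));
                memcpy(&t->event_info[j + 1], &tmp, sizeof(tmp));
                exchange = 1;
            }
        }
        if (!exchange)
            break;
    }
}

/* True when neither the canary nor the count shows signs of an overrun. */
int event_table_intact(const event_table_t *t)
{
    return t->canary == CANARY_VALUE && t->top_events <= EVENT_NUM_MAX;
}

/* Try to add n constructed events with counts 1..n; return how many fit. */
int fill_events(event_table_t *t, int n)
{
    int stored = 0;
    char name[32];
    for (int k = 1; k <= n; k++) {
        snprintf(name, sizeof(name), "ev%d", k);
        stored += event_add(t, name, (unsigned long)k);
    }
    return stored;
}

/* Scenario: overfill the table, sort it, then hand the sort a stale
 * over-large count. Returns 1 if the table stays intact throughout. */
int run_overflow_scenario(void)
{
    event_table_t t;
    event_table_init(&t);
    if (fill_events(&t, EVENT_NUM_MAX + 3) != EVENT_NUM_MAX) return 0;
    event_bubblesort(&t);
    if (t.event_info[0].count != (unsigned long)EVENT_NUM_MAX) return 0;
    t.top_events = EVENT_NUM_MAX + 5;   /* simulate the unchecked producer */
    event_bubblesort(&t);
    return event_table_intact(&t) && t.top_events == EVENT_NUM_MAX;
}

int main(void)
{
    printf("table intact after overflow scenario: %s\n",
           run_overflow_scenario() ? "yes" : "no");
    return 0;
}
```

The producer-side check is the one that prevents memory corruption; the clamp in the sort only keeps a bad count from being acted on downstream, which is why the two belong together rather than as alternatives.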
Configure bugmail: http://defect.opensolaris.org/bz/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.