I'm unsure whether this is a false positive or true positive, but it
looks like there may be a buffer overflow in swapoff_one:

Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] REDZONE: Buffer overflow detected. 16 bytes corrupted after 0xfffffe1fe0023248 (2237000 bytes allocated).
Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] Allocation backtrace:
Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #0 0xffffffff80e188e1 at redzone_setup+0xe1
Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #1 0xffffffff80ac8007 at malloc+0x1d7
Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #2 0xffffffff80b1f449 at blist_create+0x99
Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #3 0xffffffff80e1daa7 at swaponsomething+0xe7
Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #4 0xffffffff80e1c233 at sys_swapon+0x413
Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #5 0xffffffff80fc0e5e at amd64_syscall+0x29e
Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #6 0xffffffff80f9dc9d at fast_syscall_common+0x101
Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] Free backtrace:
Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #0 0xffffffff80e18c28 at redzone_check+0x2f8
Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #1 0xffffffff80ac85af at free_dbg+0x5f
Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #2 0xffffffff80ac84aa at free+0x1a
Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #3 0xffffffff80e1cae5 at swapoff_one+0x675
Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #4 0xffffffff80e1cc57 at swapoff_all+0xd7
Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #5 0xffffffff80b9991a at bufshutdown+0x2ca
Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #6 0xffffffff80aec36e at kern_reboot+0x21e
Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #7 0xffffffff80aec0f9 at sys_reboot+0x3a9
Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #8 0xffffffff80fc0e5e at amd64_syscall+0x29e
Sep  3 13:13:13 hbsd-dev-laptop kernel: [619] #9 0xffffffff80f9dc9d at fast_syscall_common+0x101

Of course, I'm running HardenedBSD 12-CURRENT/amd64. I've synced with
FreeBSD at this commit:
https://github.com/freebsd/freebsd/commit/2f2449cc1cdfc19ae34b2317e792af489418a01a

So my src tree is at this commit:
https://github.com/HardenedBSD/hardenedBSD/commit/98f90fadab000b818a731be4650ac1a47144501c

I've not yet studied the swap pager's code and plan to start learning
it soon.

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal:    +1 443-546-8752
Tor+XMPP+OTR:        latt...@is.a.hacker.sx
GPG Key ID:          0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE
