Conrad Meyer e6b95927f3 Fix core corruption caused by race in note_procstat_vmmap
This fix is spiritually similar to r287442 and was discovered thanks to
the KASSERT added in that revision.

NT_PROCSTAT_VMMAP output length, when packing kinfo structs, is tied to
the length of filenames corresponding to vnodes in the process' vm map
via vn_fullpath.  As vnodes may move during coredump, this is racy.

We do not remove the race, only prevent it from causing coredump
corruption.

- Add a sysctl, kern.coredump_pack_vmmapinfo, to allow users to disable
  kinfo packing for PROCSTAT_VMMAP notes.  This avoids VMMAP corruption
  and truncation, even if names change, at the cost of up to PATH_MAX
  bytes per mapped object.  The new sysctl is documented in core.5.

- Fix note_procstat_vmmap to self-limit in the second pass.  This
  addresses corruption, at the cost of sometimes producing a truncated
  result.

- Fix PROCSTAT_VMMAP consumers libutil (and libprocstat, via copy-paste)
  to grok the new zero padding.

Reported by:	pho (https://people.freebsd.org/~pho/stress/log/datamove4-2.txt)
Relnotes:	yes
Sponsored by:	EMC / Isilon Storage Division
Differential Revision:	https://reviews.freebsd.org/D3824
2015-10-06 18:07:00 +00:00

.\" Copyright (c) 1980, 1991, 1993
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)core.5 8.3 (Berkeley) 12/11/93
.\" $FreeBSD$
.\"
.Dd October 5, 2015
.Dt CORE 5
.Os
.Sh NAME
.Nm core
.Nd memory image file format
.Sh SYNOPSIS
.In sys/param.h
.Sh DESCRIPTION
A small number of signals which cause abnormal termination of a process
also cause a record of the process's in-core state to be written
to disk for later examination by one of the available debuggers.
(See
.Xr sigaction 2 . )
This memory image is written to a file named by default
.Nm programname.core
in the working directory,
provided the terminated process had write permission in the directory,
and provided the abnormality did not cause
a system crash.
(In this event, the decision to save the core file is arbitrary; see
.Xr savecore 8 . )
.Pp
The maximum size of a core file is limited by
.Xr setrlimit 2 .
Files which would be larger than the limit are not created.
.Pp
The name of the file is controlled via the
.Xr sysctl 8
variable
.Va kern.corefile .
The contents of this variable describe the filename in which
the core image is stored.
This filename can be absolute, or relative (which
will resolve to the current working directory of the program
generating it).
.Pp
The following format specifiers may be used in the
.Va kern.corefile
sysctl to insert additional information into the resulting core file
name:
.Bl -tag -width "1234567890" -compact -offset "12345"
.It Em \&%H
Machine hostname.
.It Em \&%I
An index starting at zero until the sysctl
.Em debug.ncores
is reached.
This can be useful for limiting the number of corefiles
generated by a particular process.
.It Em \&%N
Process name.
.It Em \&%P
Process PID.
.It Em \&%U
Process UID.
.El
.Pp
The name defaults to
.Em \&%N.core ,
yielding the traditional
.Fx
behaviour.
.Pp
By default, a process that changes user or group credentials, whether
real or effective, will not create a corefile.
This behaviour can be
changed to generate a core dump by setting the
.Xr sysctl 8
variable
.Va kern.sugid_coredump
to 1.
.Pp
Corefiles can be compressed by the kernel if the following item
is included in the kernel configuration file:
.Bl -tag -width "1234567890" -compact -offset "12345"
.It options
GZIO
.El
.Pp
When the GZIO option is included, the following sysctls control whether core
files will be compressed:
.Bl -tag -width "kern.compress_user_cores_gzlevel" -compact -offset "12345"
.It Em kern.compress_user_cores_gzlevel
Gzip compression level.
Defaults to 6.
.It Em kern.compress_user_cores
Actually compress user cores.
Compressed core files will have a suffix of
.Ql .gz
appended to them.
.El
.Sh NOTES
Corefiles are written with open file descriptor information as an ELF note.
By default, file paths are packed to only use as much space as needed.
However, file paths can change at any time, including during core dump,
and this can result in truncated file descriptor data.
.Pp
All file descriptor information can be preserved by disabling packing.
This potentially wastes up to PATH_MAX bytes per open fd.
Packing is disabled with
.Dl sysctl kern.coredump_pack_fileinfo=0 .
.Pp
Similarly, corefiles are written with vmmap information as an ELF note, which
contains file paths.
By default, they are packed to only use as much space as
needed.
By the same mechanism as for the open files note, these paths can also
change at any time and result in a truncated note.
.Pp
All vmmap information can be preserved by disabling packing.
Like the file information, this potentially wastes up to PATH_MAX bytes per
mapped object.
Packing is disabled with
.Dl sysctl kern.coredump_pack_vmmapinfo=0 .
.Sh EXAMPLES
In order to store all core images in per-user private areas under
.Pa /var/coredumps ,
the following
.Xr sysctl 8
command can be used:
.Pp
.Dl sysctl kern.corefile=/var/coredumps/\&%U/\&%N.core
.Sh SEE ALSO
.Xr gdb 1 ,
.Xr kgdb 1 ,
.Xr setrlimit 2 ,
.Xr sigaction 2 ,
.Xr sysctl 8
.Sh HISTORY
A
.Nm
file format appeared in
.At v6 .
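
The packing race described in the commit message and in NOTES, as an added example that is not FreeBSD code: a simplified model of a two-pass note writer whose second pass self-limits to the size computed in the first, and a consumer that treats a zero size header as padding. The record layout (`struct rec_hdr`), the function names and the sample paths are assumptions made for illustration, not the real kinfo structures.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for a packed record (hypothetical layout, not the real
 * kinfo struct): int size header, NUL-terminated path, rounded up to 8. */
struct rec_hdr { int structsize; };

static size_t packed_size(const char *p) {
    return (sizeof(struct rec_hdr) + strlen(p) + 1 + 7) & ~(size_t)7;
}

/* Pass 1: size the note from the paths as they are at this moment. */
size_t note_size(const char **paths, size_t n) {
    size_t total = 0;
    for (size_t i = 0; i < n; i++) total += packed_size(paths[i]);
    return total;
}

/* Pass 2: self-limit to the size promised by pass 1. A record that no longer
 * fits ends the note early; the zeroed tail of the buffer becomes padding. */
size_t note_write(const char **paths, size_t n, unsigned char *buf, size_t size) {
    size_t off = 0, written = 0;
    memset(buf, 0, size);
    for (size_t i = 0; i < n; i++, written++) {
        struct rec_hdr h = { (int)packed_size(paths[i]) };
        if ((size_t)h.structsize > size - off) break;  /* path grew: truncate */
        memcpy(buf + off, &h, sizeof h);
        strcpy((char *)buf + off + sizeof h, paths[i]);
        off += (size_t)h.structsize;
    }
    return written;
}

/* Consumer: count records; a zero size header marks the start of padding. */
size_t note_count(const unsigned char *buf, size_t size) {
    size_t off = 0, cnt = 0;
    struct rec_hdr h;
    while (size - off >= sizeof h) {
        memcpy(&h, buf + off, sizeof h);
        if (h.structsize < (int)sizeof h || (size_t)h.structsize > size - off)
            break;                      /* 0 = padding, anything else = corrupt */
        off += (size_t)h.structsize; cnt++;
    }
    return cnt;
}

int main(void) {   /* constructed paths: the second one grows between passes */
    const char *before[] = { "/lib/libc.so.7", "/tmp/a" };
    const char *after[] = { "/lib/libc.so.7", "/tmp/a-renamed-longer" };
    unsigned char buf[64];
    size_t size = note_size(before, 2), w = note_write(after, 2, buf, size);
    printf("size %zu, wrote %zu, parsed %zu\n", size, w, note_count(buf, size));
}
```

Disabling packing corresponds to giving every record the maximum path length in both passes, so a rename can no longer change the size between them.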