cem 9c1e214f79 Fix core corruption caused by race in note_procstat_vmmap
This fix is spiritually similar to r287442 and was discovered thanks to
the KASSERT added in that revision.

NT_PROCSTAT_VMMAP output length, when packing kinfo structs, is tied to
the length of filenames corresponding to vnodes in the process' vm map
via vn_fullpath.  As vnodes may move during coredump, this is racy.

We do not remove the race, only prevent it from causing coredump
corruption.

- Add a sysctl, kern.coredump_pack_vmmapinfo, to allow users to disable
  kinfo packing for PROCSTAT_VMMAP notes.  This avoids VMMAP corruption
  and truncation, even if names change, at the cost of up to PATH_MAX
  bytes per mapped object.  The new sysctl is documented in core.5.

- Fix note_procstat_vmmap to self-limit in the second pass.  This
  addresses corruption, at the cost of sometimes producing a truncated
  result.

- Fix PROCSTAT_VMMAP consumers libutil (and libprocstat, via copy-paste)
  to grok the new zero padding.

Reported by:	pho (https://people.freebsd.org/~pho/stress/log/datamove4-2.txt)
Relnotes:	yes
Sponsored by:	EMC / Isilon Storage Division
Differential Revision:	https://reviews.freebsd.org/D3824
2015-10-06 18:07:00 +00:00

78 lines
1.5 KiB
C

#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#include <sys/param.h>
#include <sys/user.h>
#include <sys/sysctl.h>
#include <stdlib.h>
#include <string.h>
#include "libutil.h"
struct kinfo_vmentry *
kinfo_getvmmap(pid_t pid, int *cntp)
{
int mib[4];
int error;
int cnt;
size_t len;
char *buf, *bp, *eb;
struct kinfo_vmentry *kiv, *kp, *kv;
*cntp = 0;
len = 0;
mib[0] = CTL_KERN;
mib[1] = KERN_PROC;
mib[2] = KERN_PROC_VMMAP;
mib[3] = pid;
error = sysctl(mib, 4, NULL, &len, NULL, 0);
if (error)
return (NULL);
len = len * 4 / 3;
buf = malloc(len);
if (buf == NULL)
return (NULL);
error = sysctl(mib, 4, buf, &len, NULL, 0);
if (error) {
free(buf);
return (NULL);
}
/* Pass 1: count items */
cnt = 0;
bp = buf;
eb = buf + len;
while (bp < eb) {
kv = (struct kinfo_vmentry *)(uintptr_t)bp;
if (kv->kve_structsize == 0)
break;
bp += kv->kve_structsize;
cnt++;
}
kiv = calloc(cnt, sizeof(*kiv));
if (kiv == NULL) {
free(buf);
return (NULL);
}
bp = buf;
eb = buf + len;
kp = kiv;
/* Pass 2: unpack */
while (bp < eb) {
kv = (struct kinfo_vmentry *)(uintptr_t)bp;
if (kv->kve_structsize == 0)
break;
/* Copy/expand into pre-zeroed buffer */
memcpy(kp, kv, kv->kve_structsize);
/* Advance to next packed record */
bp += kv->kve_structsize;
/* Set field size to fixed length, advance */
kp->kve_structsize = sizeof(*kp);
kp++;
}
free(buf);
*cntp = cnt;
return (kiv); /* Caller must free() return value */
}