cem f96df638b8 Detect badly behaved coredump note helpers
Coredump notes depend on being able to invoke dump routines twice; once
in a dry-run mode to get the size of the note, and another to actually
emit the note to the corefile.

When a note helper emits a different length section the second time
around than the length it requested the first time, the kernel produces
a corrupt coredump.

NT_PROCSTAT_FILES output length, when packing kinfo structs, is tied to
the length of filenames corresponding to vnodes in the process' fd table
via vn_fullpath.  As vnodes may move around during dump, this is racy.

So:

 - Detect badly behaved notes in putnote() and pad underfilled notes.

 - Add a fail point, debug.fail_point.fill_kinfo_vnode__random_path to
   exercise the NT_PROCSTAT_FILES corruption.  It simply picks random
   lengths to expand or truncate paths to in fo_fill_kinfo_vnode().

 - Add a sysctl, kern.coredump_pack_fileinfo, to allow users to
   disable kinfo packing for PROCSTAT_FILES notes.  This should avoid
   both FILES note corruption and truncation, even if filenames change,
   at the cost of about 1 kiB in padding bloat per open fd.  Document
   the new sysctl in core.5.

 - Fix note_procstat_files to self-limit in the 2nd pass.  Since
   sometimes this will result in a short write, pad up to our advertised
   size.  This addresses note corruption, at the risk of sometimes
   truncating the last several fd info entries.

 - Fix NT_PROCSTAT_FILES consumers libutil and libprocstat to grok the
   zero padding.

With suggestions from:	bjk, jhb, kib, wblock
Approved by:	markj (mentor)
Relnotes:	yes
Sponsored by:	EMC / Isilon Storage Division
Differential Revision:	https://reviews.freebsd.org/D3548
2015-09-03 20:32:10 +00:00

152 lines
4.9 KiB
Groff

.\" Copyright (c) 1980, 1991, 1993
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)core.5 8.3 (Berkeley) 12/11/93
.\" $FreeBSD$
.\"
.Dd September 2, 2015
.Dt CORE 5
.Os
.Sh NAME
.Nm core
.Nd memory image file format
.Sh SYNOPSIS
.In sys/param.h
.Sh DESCRIPTION
A small number of signals which cause abnormal termination of a process
also cause a record of the process's in-core state to be written
to disk for later examination by one of the available debuggers.
(See
.Xr sigaction 2 . )
This memory image is written to a file named by default
.Nm programname.core
in the working directory;
provided the terminated process had write permission in the directory,
and provided the abnormality did not cause
a system crash.
(In this event, the decision to save the core file is arbitrary, see
.Xr savecore 8 . )
.Pp
The maximum size of a core file is limited by
.Xr setrlimit 2 .
Files which would be larger than the limit are not created.
.Pp
The name of the file is controlled via the
.Xr sysctl 8
variable
.Va kern.corefile .
The contents of this variable describes a filename to store
the core image to.
This filename can be absolute, or relative (which
will resolve to the current working directory of the program
generating it).
.Pp
The following format specifiers may be used in the
.Va kern.corefile
sysctl to insert additional information into the resulting core file
name:
.Bl -tag -width "1234567890" -compact -offset "12345"
.It Em \&%H
Machine hostname.
.It Em \&%I
An index starting at zero until the sysctl
.Em debug.ncores
is reached.
This can be useful for limiting the number of corefiles
generated by a particular process.
.It Em \&%N
process name.
.It Em \&%P
processes PID.
.It Em \&%U
process UID.
.El
.Pp
The name defaults to
.Em \&%N.core ,
yielding the traditional
.Fx
behaviour.
.Pp
By default, a process that changes user or group credentials whether
real or effective will not create a corefile.
This behaviour can be
changed to generate a core dump by setting the
.Xr sysctl 8
variable
.Va kern.sugid_coredump
to 1.
.Pp
Corefiles can be compressed by the kernel if the following item
is included in the kernel configuration file:
.Bl -tag -width "1234567890" -compact -offset "12345"
.It options
GZIO
.El
.Pp
When the GZIO option is included, the following sysctls control whether core
files will be compressed:
.Bl -tag -width "kern.compress_user_cores_gzlevel" -compact -offset "12345"
.It Em kern.compress_user_cores_gzlevel
Gzip compression level.
Defaults to 6.
.It Em kern.compress_user_cores
Actually compress user cores.
Compressed core files will have a suffix of
.Ql .gz
appended to them.
.El
.Sh NOTES
Corefiles are written with open file descriptor information as an ELF note.
By default, file paths are packed to only use as much space as needed.
However, file paths can change at any time, including during core dump,
and this can result in truncated file descriptor data.
.Pp
All file descriptor information can be preserved by disabling packing.
This potentially wastes up to PATH_MAX bytes per open fd.
Packing is disabled with
.Dl sysctl kern.coredump_pack_fileinfo=0 .
.Sh EXAMPLES
In order to store all core images in per-user private areas under
.Pa /var/coredumps ,
the following
.Xr sysctl 8
command can be used:
.Pp
.Dl sysctl kern.corefile=/var/coredumps/\&%U/\&%N.core
.Sh SEE ALSO
.Xr gdb 1 ,
.Xr kgdb 1 ,
.Xr setrlimit 2 ,
.Xr sigaction 2 ,
.Xr sysctl 8
.Sh HISTORY
A
.Nm
file format appeared in
.At v6 .