[Bug 273438] PANIC: memory modified after free on relatively idle riscv -CURRENT
Date: Tue, 30 Jan 2024 20:30:23 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273438

Mitchell Horne <mhorne@freebsd.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|New                         |Open

--- Comment #8 from Mitchell Horne <mhorne@freebsd.org> ---
(In reply to Mitchell Horne from comment #7)

Okay, I spoke too soon re: the offset; it is trivially calculated as
0x908 - 0x7f8 = 0x188 = 392.

According to gdb, the struct dmu_buf_impl member at offset 392, for your
revision, is db_user, an 8 byte pointer.

The expected contents of uninitialized memory is 0xdeadc0deadc0de, but your
reports consistently show the affected address as 0x00000000de00c0de. So it
is only partially overwritten, and therefore not an abuse of the db_user
field in a dmu_buf_impl_t object.

So, I'm thinking this allocation missed the zone's cache (empty), and the
memory could have belonged to anything before that, meaning use-after-free
could exist anywhere... I'll have to see what other tips I can learn to help
identify this. On other platforms we could use KASAN, but for riscv it is
not implemented yet.

-- 
You are receiving this mail because:
You are the assignee for the bug.