[Crash-utility] Re: Increase NR_CPUS


Maneesh Soni wrote:

Hi Dave,

crash segfaults while opening a kdump with NR_CPUS=128, due to a buffer overflow
in max_cpudata_limit() on an i386 system.
--------
kmem_cache_s_array_nodes:

       if (!readmem(cache+OFFSET(kmem_cache_s_array),
           KVADDR, &cpudata[0],
           sizeof(ulong) * ARRAY_LENGTH(kmem_cache_s_array),
           "array cache array", RETURN_ON_ERROR))
               goto bail_out;

       for (i = max_limit = 0; (i < ARRAY_LENGTH(kmem_cache_s_array)) &&
            cpudata[i]; i++) {
               if (!readmem(cpudata[i]+OFFSET(array_cache_limit),
                   KVADDR, &limit, sizeof(int),
                   "array cache limit", RETURN_ON_ERROR))
                       goto bail_out;
               if (limit > max_limit)
                       max_limit = limit;
       }

       *cpus = i;    <<<<<< faults here
--------

The first readmem() call overwrites the parameter "cpus" on stack. ARRAY_LENGTH
gives 128 whereas we have 32 elements in cpudata[NR_CPUS].

Though the default NR_CPUS in the kernel source is 32, it can go up to
256 based on the kernel config option CONFIG_NR_CPUS. So, in crash it
should be defined as the max NR_CPUS. Please find the patch below which
makes sure to have the max NR_CPUS for the various architectures.


--- crash-4.0-2.30/defs.h	2006-06-07 01:16:33.000000000 +0530
+++ crash-4.0-2.30-fix/defs.h	2006-06-24 04:29:35.000000000 +0530
@@ -56,7 +56,7 @@
#define FALSE (0)

#ifdef X86
-#define NR_CPUS  (32)
+#define NR_CPUS  (256)
#endif
#ifdef X86_64
#define NR_CPUS  (256)
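Review bot: Raising X86 NR_CPUS to 256 removes the trigger described in the mail but leaves the unchecked write in kmem_cache_s_array_nodes in place: readmem() still copies sizeof(ulong) * ARRAY_LENGTH(kmem_cache_s_array) bytes into cpudata[NR_CPUS] without comparing the two, so a dump from a kernel built with an array longer than the new limit would overrun the same stack buffer again. Suggest guarding that readmem() with `if (ARRAY_LENGTH(kmem_cache_s_array) > NR_CPUS) error(FATAL, "recompile crash with larger NR_CPUS\n");`, the same message kernel_init() already uses.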
@@ -68,7 +68,7 @@
#define NR_CPUS  (32)
#endif
#ifdef IA64
-#define NR_CPUS  (512)
+#define NR_CPUS  (1024)
#endif
#ifdef PPC64
#define NR_CPUS  (128)
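Review bot: The IA64 bump from 512 to 1024 is not justified by the description, which only discusses the i386 CONFIG_NR_CPUS maximum of 256; please state in the patch description which IA64 kernel maximum this value tracks. The surrounding context also shows the architecture between X86_64 and IA64 left at 32 and PPC64 left at 128, so it is worth noting whether those were checked against their kernels' maxima too, since the description says the patch covers the various architectures.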


Thanks
Maneesh


Hi Maneesh,

Thanks -- we probably ought to also have a check of that array length
being greater than NR_CPUS, and display the same type of error
message as seen in kernel_init():

 error(FATAL, "recompile crash with larger NR_CPUS\n");

The error message above is only printed when the number of installed
cpus exceeds NR_CPUS, so it didn't help in this case.

Thanks,
 Dave
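The check Dave describes, as an added example in C (not crash's own code): a bounded version of the loop from Maneesh's excerpt that refuses an array length above NR_CPUS before readmem() can overrun cpudata[]. readmem(), the fake dump image and the 1-based indices standing in for per-cpu array_cache pointers are constructed stand-ins.

```c
#include <stdio.h>
#include <string.h>

typedef unsigned long ulong;
#define NR_CPUS 32      /* crash's i386 compile-time limit before the patch */

/* Constructed stand-in for the dumped kernel: the kmem_cache's array[] holds
 * 1-based indices into limit[] in place of per-cpu array_cache pointers. */
static struct { ulong array[256]; int limit[256]; } image;

/* Constructed stand-in for crash's readmem(): copies out of the fake image. */
static int readmem(const void *src, void *dst, size_t len)
{
    memcpy(dst, src, len);
    return 1;
}

/* Populate the fake image with ncpus online cpus; cpu i gets limit 30 + i. */
void fake_image_setup(int ncpus)
{
    int i;
    memset(&image, 0, sizeof image);
    for (i = 0; i < ncpus; i++) {
        image.array[i] = (ulong)(i + 1);
        image.limit[i] = 30 + i;
    }
}

/* Bounded version of the loop in Maneesh's excerpt; array_len plays the role of
 * ARRAY_LENGTH(kmem_cache_s_array). Returns the largest array_cache.limit and
 * stores the cpu count in *cpus, or returns -1 leaving *cpus untouched (where
 * crash would error(FATAL, ...)) when the dump needs more slots than cpudata[] has. */
int max_cpudata_limit_checked(int array_len, int *cpus)
{
    ulong cpudata[NR_CPUS];
    int i, limit, max_limit = 0;
    if (array_len > NR_CPUS) {
        fprintf(stderr, "recompile crash with larger NR_CPUS\n");
        return -1;
    }
    readmem(image.array, cpudata, sizeof(ulong) * array_len);
    for (i = 0; i < array_len && cpudata[i]; i++) {
        readmem(&image.limit[cpudata[i] - 1], &limit, sizeof(int));
        if (limit > max_limit)
            max_limit = limit;
    }
    *cpus = i;
    return max_limit;
}
```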
