From 77119010d27e0ee3114f6ac83b5c06984ae3dbab Mon Sep 17 00:00:00 2001 From: DistroBaker Date: Thu, 11 Mar 2021 19:56:02 +0000 Subject: [PATCH] Merged update from upstream sources This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/crash.git#a9cf6c58896ac8966eb358a945ba6b401833f684 --- ...nge-log-level-print-in-older-kernels.patch | 65 ++++ 0015-Makefile-reduce-crash-build-log.patch | 37 ++ ...ommand-on-5.12-rc1-and-later-kernels.patch | 32 ++ ...port-for-the-crash-s-custom-memory-a.patch | 325 ++++++++++++++++++ ...tential-read-to-already-freed-object.patch | 106 ++++++ ...-potential-write-to-object-of-0-size.patch | 64 ++++ crash.spec | 56 +-- 7 files changed, 664 insertions(+), 21 deletions(-) create mode 100644 0014-log-change-log-level-print-in-older-kernels.patch create mode 100644 0015-Makefile-reduce-crash-build-log.patch create mode 100644 0016-x86_64-fix-bt-command-on-5.12-rc1-and-later-kernels.patch create mode 100644 0017-Add-valgrind-support-for-the-crash-s-custom-memory-a.patch create mode 100644 0018-symbols-Fix-potential-read-to-already-freed-object.patch create mode 100644 0019-tools-Fix-potential-write-to-object-of-0-size.patch diff --git a/0014-log-change-log-level-print-in-older-kernels.patch b/0014-log-change-log-level-print-in-older-kernels.patch new file mode 100644 index 0000000..4de78b4 --- /dev/null +++ b/0014-log-change-log-level-print-in-older-kernels.patch @@ -0,0 +1,65 @@ +From a52f630e40ff8f7abc266bd4f1fe09f9087faeaa Mon Sep 17 00:00:00 2001 +From: John Pittman +Date: Thu, 18 Feb 2021 10:55:50 -0500 +Subject: [PATCH 1/6] log: change log level print in older kernels + +In older kernels that have the variable-length-record log_buf, the +log level and the log flags/facility are not separated. Since the +log level is only the last three bits, and the flags/facility and +level are separated in 5.10 and later kernels, only print those last +three bits when using 'log -m'. + +[ kh: modified commit message ] + +Suggested-by: David Jeffery +Signed-off-by: John Pittman +--- + defs.h | 1 + + help.c | 5 +++-- + kernel.c | 2 ++ + 3 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/defs.h b/defs.h +index 35cdac20420c..35b983abd403 100644 +--- a/defs.h ++++ b/defs.h +@@ -5627,6 +5627,7 @@ void clone_bt_info(struct bt_info *, struct bt_info *, struct task_context *); + void dump_kernel_table(int); + void dump_bt_info(struct bt_info *, char *where); + void dump_log(int); ++#define LOG_LEVEL(v) ((v) & 0x07) + #define SHOW_LOG_LEVEL (0x1) + #define SHOW_LOG_DICT (0x2) + #define SHOW_LOG_TEXT (0x4) +diff --git a/help.c b/help.c +index 587c7173f495..85b334a0419e 100644 +--- a/help.c ++++ b/help.c +@@ -3906,8 +3906,9 @@ char *help_log[] = { + " applicable to the variable-length record format.", + " -m Display the message log level in brackets preceding each message. For", + " the variable-length record format, the level will be displayed in ", +-" hexadecimal, and depending upon the kernel version, also contains the", +-" facility or flags bits.", ++" hexadecimal. In older kernels, by default, the facility/flag bits", ++" will be stripped to only show the level, but if needed, can still be", ++" shown with 'set debug 1'.", + " -a Dump the audit logs remaining in kernel audit buffers that have not", + " been copied out to the user-space audit daemon.", + " ", +diff --git a/kernel.c b/kernel.c +index ac765e302639..735263cbcd75 100644 +--- a/kernel.c ++++ b/kernel.c +@@ -5262,6 +5262,8 @@ dump_log_entry(char *logptr, int msg_flags) + fprintf(fp, "%s", buf); + } + ++ level = LOG_LEVEL(level); ++ + if (msg_flags & SHOW_LOG_LEVEL) { + sprintf(buf, "<%x>", level); + ilen += strlen(buf); +-- +2.29.2 + diff --git a/0015-Makefile-reduce-crash-build-log.patch b/0015-Makefile-reduce-crash-build-log.patch new file mode 100644 index 0000000..c11561b --- /dev/null +++ b/0015-Makefile-reduce-crash-build-log.patch @@ -0,0 +1,37 @@ +From 464edc6e6636c01521b46ec64134b90c7e7ced11 Mon Sep 17 00:00:00 2001 +From: Kazuhito Hagio +Date: Fri, 19 Feb 2021 14:43:55 +0900 +Subject: [PATCH 2/6] Makefile: reduce crash build log + +Currently the verbose output of tar command when extracting the +GDB source files occupies more than the half of crash build log. +It is not so helpful and makes the build log longer needlessly +especially on CI build test. Let's stop it. + +Also reduce about 600 lines of crash build log with wget's +"--progress=dot:mega" option when stderr is not a tty. + +Signed-off-by: Kazuhito Hagio +--- + Makefile | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/Makefile b/Makefile +index f66eba7418d1..b3c0d3a7f75b 100644 +--- a/Makefile ++++ b/Makefile +@@ -258,8 +258,9 @@ gdb_unzip: + @if [ ! -f ${GDB}.tar.gz ] && [ ! -f /usr/bin/wget ]; then \ + echo /usr/bin/wget is required to download ${GDB}.tar.gz; echo; exit 1; fi + @if [ ! -f ${GDB}.tar.gz ] && [ -f /usr/bin/wget ]; then \ +- wget http://ftp.gnu.org/gnu/gdb/${GDB}.tar.gz; fi +- @tar --exclude-from gdb.files -xvzmf ${GDB}.tar.gz ++ [ ! -t 2 ] && WGET_OPTS="--progress=dot:mega"; \ ++ wget $$WGET_OPTS http://ftp.gnu.org/gnu/gdb/${GDB}.tar.gz; fi ++ @tar --exclude-from gdb.files -xzmf ${GDB}.tar.gz + @make --no-print-directory gdb_patch + + gdb_patch: +-- +2.29.2 + diff --git a/0016-x86_64-fix-bt-command-on-5.12-rc1-and-later-kernels.patch b/0016-x86_64-fix-bt-command-on-5.12-rc1-and-later-kernels.patch new file mode 100644 index 0000000..bb5a10d --- /dev/null +++ b/0016-x86_64-fix-bt-command-on-5.12-rc1-and-later-kernels.patch @@ -0,0 +1,32 @@ +From 720279fc141100893ba6da6ab18e52776ecf7424 Mon Sep 17 00:00:00 2001 +From: Kazuhito Hagio +Date: Tue, 2 Mar 2021 13:38:18 +0900 +Subject: [PATCH 3/6] x86_64: fix "bt" command on 5.12-rc1 and later kernels + +Fix "bt" command on Linux 5.12-rc1 and later kernels that contain +commit 951c2a51ae75 ("x86/irq/64: Adjust the per CPU irq stack pointer +by 8"). Without the patch, the "bt" command and some of its options +that read irq stack fail with the error message "bt: read of stack at +
failed". + +Signed-off-by: Kazuhito Hagio +--- + x86_64.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/x86_64.c b/x86_64.c +index 23a40a04bbc4..f5b2f7b5f040 100644 +--- a/x86_64.c ++++ b/x86_64.c +@@ -1326,6 +1326,8 @@ x86_64_per_cpu_init(void) + KVADDR, &hardirq_stack_ptr, sizeof(void *), + "hardirq_stack_ptr (per_cpu)", QUIET|RETURN_ON_ERROR)) + continue; ++ if (hardirq_stack_ptr != PAGEBASE(hardirq_stack_ptr)) ++ hardirq_stack_ptr += 8; + ms->stkinfo.ibase[i] = hardirq_stack_ptr - ms->stkinfo.isize; + } else if (irq_sp) + ms->stkinfo.ibase[i] = irq_sp->value + kt->__per_cpu_offset[i]; +-- +2.29.2 + diff --git a/0017-Add-valgrind-support-for-the-crash-s-custom-memory-a.patch b/0017-Add-valgrind-support-for-the-crash-s-custom-memory-a.patch new file mode 100644 index 0000000..6d4e825 --- /dev/null +++ b/0017-Add-valgrind-support-for-the-crash-s-custom-memory-a.patch @@ -0,0 +1,325 @@ +From 7ca9a8e21dc1ecb33195b6c9fdd207f203308636 Mon Sep 17 00:00:00 2001 +From: HATAYAMA Daisuke +Date: Thu, 4 Mar 2021 20:20:28 +0900 +Subject: [PATCH 4/6] Add valgrind support for the crash's custom memory + allocator + +This adds valgrind support for the crash's custom memory allocator +using the way described in the following valgrind's Memcheck manual: + + https://www.valgrind.org/docs/manual/mc-manual.html#mc-manual.mempools + +This helps detecting various memory errors on the crash's custom +memory allocator. + +To enable this feature, build crash command as: + + # make valgrind + +Then, run crash commnad using valgrind as: + + # valgrind ./crash vmlinux vmcore + +Signed-off-by: HATAYAMA Daisuke +--- + Makefile | 4 +++ + README | 4 +++ + configure.c | 27 ++++++++++++++++++--- + help.c | 4 +++ + tools.c | 70 ++++++++++++++++++++++++++++++++++++++++++++++++++++- + 5 files changed, 104 insertions(+), 5 deletions(-) + +diff --git a/Makefile b/Makefile +index b3c0d3a7f75b..31a3d3de0c07 100644 +--- a/Makefile ++++ b/Makefile +@@ -333,6 +333,10 @@ snappy: make_configure + @./configure -x snappy ${CONF_TARGET_FLAG} -w -b + @make --no-print-directory gdb_merge + ++valgrind: make_configure ++ @./configure -x valgrind ${CONF_TARGET_FLAG} -w -b ++ @make --no-print-directory gdb_merge ++ + main.o: ${GENERIC_HFILES} main.c + ${CC} -c ${CRASH_CFLAGS} main.c ${WARNING_OPTIONS} ${WARNING_ERROR} + +diff --git a/README b/README +index e2af9249caa2..d4a830985056 100644 +--- a/README ++++ b/README +@@ -105,6 +105,10 @@ + use either the LZO or snappy compression libraries. To build crash with + either or both of those libraries, type "make lzo" or "make snappy". + ++ crash supports valgrind Memcheck tool on the crash's custom memory allocator. ++ To build crash with this feature enabled, type "make valgrind" and then run ++ crash with valgrind as "valgrind crash vmlinux vmcore". ++ + All of the alternate build commands above are "sticky" in that the + special "make" targets only have to be entered one time; all subsequent + builds will follow suit. +diff --git a/configure.c b/configure.c +index 7f6d19e0b87e..9480829ad2da 100644 +--- a/configure.c ++++ b/configure.c +@@ -1704,18 +1704,22 @@ get_extra_flags(char *filename, char *initial) + * a CFLAGS.extra file and an LDFLAGS.extra file. + + * For lzo: ++ * - enter -DLZO in the CFLAGS.extra file ++ * - enter -llzo2 in the LDFLAGS.extra file ++ * ++ * For snappy: + * - enter -DSNAPPY in the CFLAGS.extra file + * - enter -lsnappy in the LDFLAGS.extra file + * +- * For snappy: +- * - enter -DLZO in the CFLAGS.extra file +- * - enter -llzo2 in the LDFLAGS.extra file. ++ * For valgrind: ++ * - enter -DVALGRIND in the CFLAGS.extra file + */ + void + add_extra_lib(char *option) + { + int lzo, add_DLZO, add_llzo2; + int snappy, add_DSNAPPY, add_lsnappy; ++ int valgrind, add_DVALGRIND; + char *cflags, *ldflags; + FILE *fp_cflags, *fp_ldflags; + char *mode; +@@ -1723,6 +1727,7 @@ add_extra_lib(char *option) + + lzo = add_DLZO = add_llzo2 = 0; + snappy = add_DSNAPPY = add_lsnappy = 0; ++ valgrind = add_DVALGRIND = 0; + + ldflags = get_extra_flags("LDFLAGS.extra", NULL); + cflags = get_extra_flags("CFLAGS.extra", NULL); +@@ -1743,12 +1748,24 @@ add_extra_lib(char *option) + add_lsnappy++; + } + ++ if (strcmp(option, "valgrind") == 0) { ++ valgrind++; ++ if (!cflags || !strstr(cflags, "-DVALGRIND")) ++ add_DVALGRIND++; ++ } ++ + if ((lzo || snappy) && + file_exists("diskdump.o") && (unlink("diskdump.o") < 0)) { + perror("diskdump.o"); + return; + } + ++ if (valgrind && ++ file_exists("tools.o") && (unlink("tools.o") < 0)) { ++ perror("tools.o"); ++ return; ++ } ++ + mode = file_exists("CFLAGS.extra") ? "r+" : "w+"; + if ((fp_cflags = fopen("CFLAGS.extra", mode)) == NULL) { + perror("CFLAGS.extra"); +@@ -1762,13 +1779,15 @@ add_extra_lib(char *option) + return; + } + +- if (add_DLZO || add_DSNAPPY) { ++ if (add_DLZO || add_DSNAPPY || add_DVALGRIND) { + while (fgets(inbuf, 512, fp_cflags)) + ; + if (add_DLZO) + fputs("-DLZO\n", fp_cflags); + if (add_DSNAPPY) + fputs("-DSNAPPY\n", fp_cflags); ++ if (add_DVALGRIND) ++ fputs("-DVALGRIND\n", fp_cflags); + } + + if (add_llzo2 || add_lsnappy) { +diff --git a/help.c b/help.c +index 85b334a0419e..531f50a7cd82 100644 +--- a/help.c ++++ b/help.c +@@ -9387,6 +9387,10 @@ README_ENTER_DIRECTORY, + " use either the LZO or snappy compression libraries. To build crash with", + " either or both of those libraries, type \"make lzo\" or \"make snappy\".", + "", ++" crash supports valgrind Memcheck tool on the crash's custom memory allocator.", ++" To build crash with this feature enabled, type \"make valgrind\" and then run", ++" crash with valgrind as \"valgrind crash vmlinux vmcore\".", ++"", + " All of the alternate build commands above are \"sticky\" in that the", + " special \"make\" targets only have to be entered one time; all subsequent", + " builds will follow suit.", +diff --git a/tools.c b/tools.c +index 71bac6d0ee9a..e6978ae44ead 100644 +--- a/tools.c ++++ b/tools.c +@@ -18,6 +18,11 @@ + #include "defs.h" + #include + ++#ifdef VALGRIND ++#include ++#include ++#endif ++ + static void print_number(struct number_option *, int, int); + static long alloc_hq_entry(void); + struct hq_entry; +@@ -5679,8 +5684,21 @@ buf_init(void) + + bp->smallest = 0x7fffffff; + bp->total = 0.0; +-} + ++#ifdef VALGRIND ++ VALGRIND_MAKE_MEM_NOACCESS(&bp->buf_1K, sizeof(bp->buf_1K)); ++ VALGRIND_MAKE_MEM_NOACCESS(&bp->buf_2K, sizeof(bp->buf_2K)); ++ VALGRIND_MAKE_MEM_NOACCESS(&bp->buf_4K, sizeof(bp->buf_4K)); ++ VALGRIND_MAKE_MEM_NOACCESS(&bp->buf_8K, sizeof(bp->buf_8K)); ++ VALGRIND_MAKE_MEM_NOACCESS(&bp->buf_32K, sizeof(bp->buf_32K)); ++ ++ VALGRIND_CREATE_MEMPOOL(&bp->buf_1K, 0, 1); ++ VALGRIND_CREATE_MEMPOOL(&bp->buf_2K, 0, 1); ++ VALGRIND_CREATE_MEMPOOL(&bp->buf_4K, 0, 1); ++ VALGRIND_CREATE_MEMPOOL(&bp->buf_8K, 0, 1); ++ VALGRIND_CREATE_MEMPOOL(&bp->buf_32K, 0, 1); ++#endif ++} + + /* + * Free up all buffers used by the last command. +@@ -5707,6 +5725,26 @@ void free_all_bufs(void) + if (bp->mallocs != bp->frees) + error(WARNING, "malloc/free mismatch (%ld/%ld)\n", + bp->mallocs, bp->frees); ++ ++#ifdef VALGRIND ++ VALGRIND_DESTROY_MEMPOOL(&bp->buf_1K); ++ VALGRIND_DESTROY_MEMPOOL(&bp->buf_2K); ++ VALGRIND_DESTROY_MEMPOOL(&bp->buf_4K); ++ VALGRIND_DESTROY_MEMPOOL(&bp->buf_8K); ++ VALGRIND_DESTROY_MEMPOOL(&bp->buf_32K); ++ ++ VALGRIND_MAKE_MEM_NOACCESS(&bp->buf_1K, sizeof(bp->buf_1K)); ++ VALGRIND_MAKE_MEM_NOACCESS(&bp->buf_2K, sizeof(bp->buf_2K)); ++ VALGRIND_MAKE_MEM_NOACCESS(&bp->buf_4K, sizeof(bp->buf_4K)); ++ VALGRIND_MAKE_MEM_NOACCESS(&bp->buf_8K, sizeof(bp->buf_8K)); ++ VALGRIND_MAKE_MEM_NOACCESS(&bp->buf_32K, sizeof(bp->buf_32K)); ++ ++ VALGRIND_CREATE_MEMPOOL(&bp->buf_1K, 0, 1); ++ VALGRIND_CREATE_MEMPOOL(&bp->buf_2K, 0, 1); ++ VALGRIND_CREATE_MEMPOOL(&bp->buf_4K, 0, 1); ++ VALGRIND_CREATE_MEMPOOL(&bp->buf_8K, 0, 1); ++ VALGRIND_CREATE_MEMPOOL(&bp->buf_32K, 0, 1); ++#endif + } + + /* +@@ -5731,6 +5769,9 @@ freebuf(char *addr) + for (i = 0; i < NUMBER_1K_BUFS; i++) { + if (addr == (char *)&bp->buf_1K[i]) { + bp->buf_inuse[B1K] &= ~(1 << i); ++#ifdef VALGRIND ++ VALGRIND_MEMPOOL_FREE(&bp->buf_1K, addr); ++#endif + return; + } + } +@@ -5738,6 +5779,9 @@ freebuf(char *addr) + for (i = 0; i < NUMBER_2K_BUFS; i++) { + if (addr == (char *)&bp->buf_2K[i]) { + bp->buf_inuse[B2K] &= ~(1 << i); ++#ifdef VALGRIND ++ VALGRIND_MEMPOOL_FREE(&bp->buf_2K, addr); ++#endif + return; + } + } +@@ -5745,6 +5789,9 @@ freebuf(char *addr) + for (i = 0; i < NUMBER_4K_BUFS; i++) { + if (addr == (char *)&bp->buf_4K[i]) { + bp->buf_inuse[B4K] &= ~(1 << i); ++#ifdef VALGRIND ++ VALGRIND_MEMPOOL_FREE(&bp->buf_4K, addr); ++#endif + return; + } + } +@@ -5752,6 +5799,9 @@ freebuf(char *addr) + for (i = 0; i < NUMBER_8K_BUFS; i++) { + if (addr == (char *)&bp->buf_8K[i]) { + bp->buf_inuse[B8K] &= ~(1 << i); ++#ifdef VALGRIND ++ VALGRIND_MEMPOOL_FREE(&bp->buf_8K, addr); ++#endif + return; + } + } +@@ -5759,6 +5809,9 @@ freebuf(char *addr) + for (i = 0; i < NUMBER_32K_BUFS; i++) { + if (addr == (char *)&bp->buf_32K[i]) { + bp->buf_inuse[B32K] &= ~(1 << i); ++#ifdef VALGRIND ++ VALGRIND_MEMPOOL_FREE(&bp->buf_32K, addr); ++#endif + return; + } + } +@@ -5924,6 +5977,9 @@ getbuf(long reqsize) + bp->buf_inuse[B1K] |= (1 << bdx); + bp->buf_1K_maxuse = MAX(bp->buf_1K_maxuse, + count_bits_int(bp->buf_inuse[B1K])); ++#ifdef VALGRIND ++ VALGRIND_MEMPOOL_ALLOC(&bp->buf_1K, bufp, 1024); ++#endif + BZERO(bufp, 1024); + return(bufp); + } +@@ -5938,6 +5994,9 @@ getbuf(long reqsize) + bp->buf_inuse[B2K] |= (1 << bdx); + bp->buf_2K_maxuse = MAX(bp->buf_2K_maxuse, + count_bits_int(bp->buf_inuse[B2K])); ++#ifdef VALGRIND ++ VALGRIND_MEMPOOL_ALLOC(&bp->buf_2K, bufp, 2048); ++#endif + BZERO(bufp, 2048); + return(bufp); + } +@@ -5952,6 +6011,9 @@ getbuf(long reqsize) + bp->buf_inuse[B4K] |= (1 << bdx); + bp->buf_4K_maxuse = MAX(bp->buf_4K_maxuse, + count_bits_int(bp->buf_inuse[B4K])); ++#ifdef VALGRIND ++ VALGRIND_MEMPOOL_ALLOC(&bp->buf_4K, bufp, 4096); ++#endif + BZERO(bufp, 4096); + return(bufp); + } +@@ -5966,6 +6028,9 @@ getbuf(long reqsize) + bp->buf_inuse[B8K] |= (1 << bdx); + bp->buf_8K_maxuse = MAX(bp->buf_8K_maxuse, + count_bits_int(bp->buf_inuse[B8K])); ++#ifdef VALGRIND ++ VALGRIND_MEMPOOL_ALLOC(&bp->buf_8K, bufp, 8192); ++#endif + BZERO(bufp, 8192); + return(bufp); + } +@@ -5980,6 +6045,9 @@ getbuf(long reqsize) + bp->buf_inuse[B32K] |= (1 << bdx); + bp->buf_32K_maxuse = MAX(bp->buf_32K_maxuse, + count_bits_int(bp->buf_inuse[B32K])); ++#ifdef VALGRIND ++ VALGRIND_MEMPOOL_ALLOC(&bp->buf_32K, bufp, 32768); ++#endif + BZERO(bufp, 32768); + return(bufp); + } +-- +2.29.2 + diff --git a/0018-symbols-Fix-potential-read-to-already-freed-object.patch b/0018-symbols-Fix-potential-read-to-already-freed-object.patch new file mode 100644 index 0000000..4c28fe5 --- /dev/null +++ b/0018-symbols-Fix-potential-read-to-already-freed-object.patch @@ -0,0 +1,106 @@ +From 9d476851b2525522b71219578c14aee3c4580cae Mon Sep 17 00:00:00 2001 +From: HATAYAMA Daisuke +Date: Thu, 4 Mar 2021 20:20:29 +0900 +Subject: [PATCH 5/6] symbols: Fix potential read to already freed object + +valgrind detects the following potential invalid read to some already +freed object: + + Invalid read of size 4 + at 0x539641: datatype_info (symbols.c:5791) + by 0x4EC8B1: dump_variable_length_record_log (kernel.c:5313) + by 0x4EC8B1: dump_log (kernel.c:5042) + by 0x4C5A25: get_panicmsg (task.c:6275) + by 0x4F3E71: display_sys_stats (kernel.c:5645) + by 0x464BC7: main_loop (main.c:797) + by 0x6BF262: captured_command_loop (main.c:258) + by 0x6BD869: catch_errors (exceptions.c:557) + by 0x6C02E5: captured_main (main.c:1064) + by 0x6BD869: catch_errors (exceptions.c:557) + by 0x6C0596: gdb_main (main.c:1079) + by 0x6C0596: gdb_main_entry (main.c:1099) + by 0x46316F: main (main.c:708) + Address 0xb498c8 is 72 bytes inside a block of size 1,024 free'd + at 0x471261: freebuf (tools.c:5766) + by 0x53946B: datatype_info (symbols.c:5747) + by 0x4FEA2A: net_init (net.c:173) + by 0x464A55: main_loop (main.c:777) + by 0x6BF262: captured_command_loop (main.c:258) + by 0x6BD869: catch_errors (exceptions.c:557) + by 0x6C02E5: captured_main (main.c:1064) + by 0x6BD869: catch_errors (exceptions.c:557) + by 0x6C0596: gdb_main (main.c:1079) + by 0x6C0596: gdb_main_entry (main.c:1099) + by 0x46316F: main (main.c:708) + Block was alloc'd at + at 0x471C80: getbuf (tools.c:5965) + by 0x5392B7: datatype_info (symbols.c:5624) + by 0x4FEA2A: net_init (net.c:173) + by 0x464A55: main_loop (main.c:777) + by 0x6BF262: captured_command_loop (main.c:258) + by 0x6BD869: catch_errors (exceptions.c:557) + by 0x6C02E5: captured_main (main.c:1064) + by 0x6BD869: catch_errors (exceptions.c:557) + by 0x6C0596: gdb_main (main.c:1079) + by 0x6C0596: gdb_main_entry (main.c:1099) + by 0x46316F: main (main.c:708) + +This was caused by the fact that in datatype_info(), the object +associated with the variable req is freed too early although it's +still be referred to after the freeing. + +Fix this by changing the way allocating the object from by GETBUF() to +by allocation on stack, which simplifies the code because explicit +free() operations are unnecessary. + +Signed-off-by: HATAYAMA Daisuke +--- + symbols.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +diff --git a/symbols.c b/symbols.c +index ed5f731fa1b3..215d523fb325 100644 +--- a/symbols.c ++++ b/symbols.c +@@ -5611,7 +5611,7 @@ datatype_init(void) + long + datatype_info(char *name, char *member, struct datatype_member *dm) + { +- struct gnu_request *req; ++ struct gnu_request request, *req = &request; + long offset, size, member_size; + int member_typecode; + ulong type_found; +@@ -5625,7 +5625,7 @@ datatype_info(char *name, char *member, struct datatype_member *dm) + + strcpy(buf, name); + +- req = (struct gnu_request *)GETBUF(sizeof(struct gnu_request)); ++ BZERO(req, sizeof(*req)); + req->command = GNU_GET_DATATYPE; + req->flags |= GNU_RETURN_ON_ERROR; + req->name = buf; +@@ -5633,10 +5633,8 @@ datatype_info(char *name, char *member, struct datatype_member *dm) + req->fp = pc->nullfp; + + gdb_interface(req); +- if (req->flags & GNU_COMMAND_FAILED) { +- FREEBUF(req); ++ if (req->flags & GNU_COMMAND_FAILED) + return (dm == MEMBER_TYPE_NAME_REQUEST) ? 0 : -1; +- } + + if (!req->typecode) { + sprintf(buf, "struct %s", name); +@@ -5748,8 +5746,6 @@ datatype_info(char *name, char *member, struct datatype_member *dm) + break; + } + +- FREEBUF(req); +- + if (dm && (dm != MEMBER_SIZE_REQUEST) && (dm != MEMBER_TYPE_REQUEST) && + (dm != STRUCT_SIZE_REQUEST) && (dm != MEMBER_TYPE_NAME_REQUEST)) { + dm->type = type_found; +-- +2.29.2 + diff --git a/0019-tools-Fix-potential-write-to-object-of-0-size.patch b/0019-tools-Fix-potential-write-to-object-of-0-size.patch new file mode 100644 index 0000000..697172c --- /dev/null +++ b/0019-tools-Fix-potential-write-to-object-of-0-size.patch @@ -0,0 +1,64 @@ +From 9c0c6c1b3750beafe4ac6a5441c2dbe26157d548 Mon Sep 17 00:00:00 2001 +From: HATAYAMA Daisuke +Date: Thu, 4 Mar 2021 20:20:30 +0900 +Subject: [PATCH 6/6] tools: Fix potential write to object of 0 size + +valgrind detects the following invalid write on the call of strcpy(): + + Invalid write of size 1 + at 0x483CCFE: strcpy (vg_replace_strmem.c:511) + by 0x47202B: extract_hex (tools.c:1152) + by 0x5104ED: search_for_switch_to (x86_64.c:6342) + by 0x51D6EE: x86_64_thread_return_init (x86_64.c:6368) + by 0x51D6EE: x86_64_init (x86_64.c:721) + by 0x464A2D: main_loop (main.c:770) + by 0x6BF1B2: captured_command_loop (main.c:258) + by 0x6BD7B9: catch_errors (exceptions.c:557) + by 0x6C0235: captured_main (main.c:1064) + by 0x6BD7B9: catch_errors (exceptions.c:557) + by 0x6C04E6: gdb_main (main.c:1079) + by 0x6C04E6: gdb_main_entry (main.c:1099) + by 0x46316F: main (main.c:708) + Address 0x2b439eb8 is 0 bytes after a block of size 40 alloc'd + at 0x483BAE9: calloc (vg_replace_malloc.c:760) + by 0x471794: getbuf (tools.c:6036) + by 0x47201D: extract_hex (tools.c:1151) + by 0x5104ED: search_for_switch_to (x86_64.c:6342) + by 0x51D6EE: x86_64_thread_return_init (x86_64.c:6368) + by 0x51D6EE: x86_64_init (x86_64.c:721) + by 0x464A2D: main_loop (main.c:770) + by 0x6BF1B2: captured_command_loop (main.c:258) + by 0x6BD7B9: catch_errors (exceptions.c:557) + by 0x6C0235: captured_main (main.c:1064) + by 0x6BD7B9: catch_errors (exceptions.c:557) + by 0x6C04E6: gdb_main (main.c:1079) + by 0x6C04E6: gdb_main_entry (main.c:1099) + by 0x46316F: main (main.c:708) + +This is due to strcpy() receives empty string in its 1st argument +because the size of the buffer associated with buf variable then is of +size 0 due to lack of consideration of the terminal '\0' byte. + +Fix this by +1 to the buffer size for the terminal '\0' byte. + +Signed-off-by: HATAYAMA Daisuke +--- + tools.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools.c b/tools.c +index e6978ae44ead..a26b101f6481 100644 +--- a/tools.c ++++ b/tools.c +@@ -1150,7 +1150,7 @@ extract_hex(char *s, ulong *result, char stripchar, ulong first_instance) + ulong value; + char *buf; + +- buf = GETBUF(strlen(s)); ++ buf = GETBUF(strlen(s) + 1); + strcpy(buf, s); + argc = parse_line(buf, arglist); + +-- +2.29.2 + diff --git a/crash.spec b/crash.spec index 8252b7b..85ece6c 100644 --- a/crash.spec +++ b/crash.spec @@ -4,36 +4,41 @@ Summary: Kernel analysis utility for live systems, netdump, diskdump, kdump, LKCD or mcore dumpfiles Name: crash Version: 7.2.9 -Release: 4%{?dist} +Release: 5%{?dist} License: GPLv3 Source0: https://github.com/crash-utility/crash/archive/crash-%{version}.tar.gz Source1: http://ftp.gnu.org/gnu/gdb/gdb-7.6.tar.gz URL: https://crash-utility.github.io ExclusiveOS: Linux ExclusiveArch: %{ix86} ia64 x86_64 ppc ppc64 s390 s390x %{arm} aarch64 ppc64le -BuildRequires: ncurses-devel zlib-devel lzo-devel snappy-devel bison readline-devel +BuildRequires: ncurses-devel zlib-devel lzo-devel snappy-devel bison BuildRequires: gcc gcc-c++ BuildRequires: make Requires: binutils Provides: bundled(libiberty) Provides: bundled(gdb) = 7.6 Patch0: lzo_snappy.patch -Patch1: use_system_readline_v3.patch -Patch2: printk-add-support-for-lockless-ringbuffer.patch -Patch3: printk-use-committed-finalized-state-values.patch -Patch4: 0001-x86_64-VC-exception-stack-support.patch -Patch5: 0002-netdump-fix-regression-for-raw-RAM-dumpfiles.patch -Patch6: 0003-arm64-update-mapping-symbol-filter-in-arm64_verify_s.patch -Patch7: 0004-extensions-eppic.mk-move-ping-check-to-recipe-script.patch -Patch8: 0005-Fix-segmentation-fault-when-ikconfig-passed-nonstand.patch -Patch9: 0006-netdump-fix-illegal-read-from-already-freed-buffer.patch -Patch10: 0007-tools-fix-potential-source-and-destination-overlap-w.patch -Patch11: 0008-set-add-ability-to-un-set-scope.patch -Patch12: 0009-Fix-sys-t-mod-S-after-mod-t-when-crash-runs-with-s-o.patch -Patch13: 0010-Fix-dev-d-option-on-Linux-5.11-rc1-and-later-kernels.patch -Patch14: 0011-Fix-kmem-v-option-on-Linux-5.11-rc1-and-later-kernel.patch -Patch15: 0012-mod-Show-the-base-address-of-module.patch -Patch16: 0013-xen-increase-__PHYSICAL_MASK_SHIFT_XEN-to-52.patch +Patch1: printk-add-support-for-lockless-ringbuffer.patch +Patch2: printk-use-committed-finalized-state-values.patch +Patch3: 0001-x86_64-VC-exception-stack-support.patch +Patch4: 0002-netdump-fix-regression-for-raw-RAM-dumpfiles.patch +Patch5: 0003-arm64-update-mapping-symbol-filter-in-arm64_verify_s.patch +Patch6: 0004-extensions-eppic.mk-move-ping-check-to-recipe-script.patch +Patch7: 0005-Fix-segmentation-fault-when-ikconfig-passed-nonstand.patch +Patch8: 0006-netdump-fix-illegal-read-from-already-freed-buffer.patch +Patch9: 0007-tools-fix-potential-source-and-destination-overlap-w.patch +Patch10: 0008-set-add-ability-to-un-set-scope.patch +Patch11: 0009-Fix-sys-t-mod-S-after-mod-t-when-crash-runs-with-s-o.patch +Patch12: 0010-Fix-dev-d-option-on-Linux-5.11-rc1-and-later-kernels.patch +Patch13: 0011-Fix-kmem-v-option-on-Linux-5.11-rc1-and-later-kernel.patch +Patch14: 0012-mod-Show-the-base-address-of-module.patch +Patch15: 0013-xen-increase-__PHYSICAL_MASK_SHIFT_XEN-to-52.patch +Patch16: 0014-log-change-log-level-print-in-older-kernels.patch +Patch17: 0015-Makefile-reduce-crash-build-log.patch +Patch18: 0016-x86_64-fix-bt-command-on-5.12-rc1-and-later-kernels.patch +Patch19: 0017-Add-valgrind-support-for-the-crash-s-custom-memory-a.patch +Patch20: 0018-symbols-Fix-potential-read-to-already-freed-object.patch +Patch21: 0019-tools-Fix-potential-write-to-object-of-0-size.patch %description The core analysis suite is a self-contained tool that can be used to @@ -54,9 +59,9 @@ offered by Mission Critical Linux, or the LKCD kernel patch. %prep %setup -n %{name}-%{version} -q %patch0 -p1 -b lzo_snappy.patch -%patch1 -p1 -b use_system_readline_v3.patch -%patch2 -p1 -b printk-add-support-for-lockless-ringbuffer.patch -%patch3 -p1 -b printk-use-committed-finalized-state-values.patch +%patch1 -p1 -b printk-add-support-for-lockless-ringbuffer.patch +%patch2 -p1 -b printk-use-committed-finalized-state-values.patch +%patch3 -p1 %patch4 -p1 %patch5 -p1 %patch6 -p1 @@ -70,6 +75,11 @@ offered by Mission Critical Linux, or the LKCD kernel patch. %patch14 -p1 %patch15 -p1 %patch16 -p1 +%patch17 -p1 +%patch18 -p1 +%patch19 -p1 +%patch20 -p1 +%patch21 -p1 %build # This package has an internal copy of GDB which has broken configure code for @@ -101,6 +111,10 @@ cp -p defs.h %{buildroot}%{_includedir}/crash %{_includedir}/* %changelog +* Mon Mar 08 2021 Lianbo Jiang - 7.2.9-5 +- Fix Segmentation fault +- Update to the latest upstream: commit <9c0c6c1b3750> + * Fri Feb 05 2021 Lianbo Jiang - 7.2.9-4 - Update to the latest upstream: commit