From bce16fc0beae1d6c0f6d51ea81ac7531be57ad81 Mon Sep 17 00:00:00 2001 From: Lianbo Jiang Date: Mon, 8 Mar 2021 20:32:39 +0800 Subject: [PATCH] Fix Segmentation fault and update to the latest upstream Remove the use_system_readline_v3.patch and the dependency of readline-devel. Update to the latest upstream: commit <9c0c6c1b3750> Release crash-7.2.9-5 Signed-off-by: Lianbo Jiang --- ...nge-log-level-print-in-older-kernels.patch | 65 ++++ 0015-Makefile-reduce-crash-build-log.patch | 37 ++ ...ommand-on-5.12-rc1-and-later-kernels.patch | 32 ++ ...port-for-the-crash-s-custom-memory-a.patch | 325 ++++++++++++++++++ ...tential-read-to-already-freed-object.patch | 106 ++++++ ...-potential-write-to-object-of-0-size.patch | 64 ++++ crash.spec | 56 +-- 7 files changed, 664 insertions(+), 21 deletions(-) create mode 100644 0014-log-change-log-level-print-in-older-kernels.patch create mode 100644 0015-Makefile-reduce-crash-build-log.patch create mode 100644 0016-x86_64-fix-bt-command-on-5.12-rc1-and-later-kernels.patch create mode 100644 0017-Add-valgrind-support-for-the-crash-s-custom-memory-a.patch create mode 100644 0018-symbols-Fix-potential-read-to-already-freed-object.patch create mode 100644 0019-tools-Fix-potential-write-to-object-of-0-size.patch diff --git a/0014-log-change-log-level-print-in-older-kernels.patch b/0014-log-change-log-level-print-in-older-kernels.patch new file mode 100644 index 0000000..4de78b4 --- /dev/null +++ b/0014-log-change-log-level-print-in-older-kernels.patch @@ -0,0 +1,65 @@ +From a52f630e40ff8f7abc266bd4f1fe09f9087faeaa Mon Sep 17 00:00:00 2001 +From: John Pittman +Date: Thu, 18 Feb 2021 10:55:50 -0500 +Subject: [PATCH 1/6] log: change log level print in older kernels + +In older kernels that have the variable-length-record log_buf, the +log level and the log flags/facility are not separated. Since the +log level is only the last three bits, and the flags/facility and +level are separated in 5.10 and later kernels, only print those last +three bits when using 'log -m'. + +[ kh: modified commit message ] + +Suggested-by: David Jeffery +Signed-off-by: John Pittman +--- + defs.h | 1 + + help.c | 5 +++-- + kernel.c | 2 ++ + 3 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/defs.h b/defs.h +index 35cdac20420c..35b983abd403 100644 +--- a/defs.h ++++ b/defs.h +@@ -5627,6 +5627,7 @@ void clone_bt_info(struct bt_info *, struct bt_info *, struct task_context *); + void dump_kernel_table(int); + void dump_bt_info(struct bt_info *, char *where); + void dump_log(int); ++#define LOG_LEVEL(v) ((v) & 0x07) + #define SHOW_LOG_LEVEL (0x1) + #define SHOW_LOG_DICT (0x2) + #define SHOW_LOG_TEXT (0x4) +diff --git a/help.c b/help.c +index 587c7173f495..85b334a0419e 100644 +--- a/help.c ++++ b/help.c +@@ -3906,8 +3906,9 @@ char *help_log[] = { + " applicable to the variable-length record format.", + " -m Display the message log level in brackets preceding each message. For", + " the variable-length record format, the level will be displayed in ", +-" hexadecimal, and depending upon the kernel version, also contains the", +-" facility or flags bits.", ++" hexadecimal. In older kernels, by default, the facility/flag bits", ++" will be stripped to only show the level, but if needed, can still be", ++" shown with 'set debug 1'.", + " -a Dump the audit logs remaining in kernel audit buffers that have not", + " been copied out to the user-space audit daemon.", + " ", +diff --git a/kernel.c b/kernel.c +index ac765e302639..735263cbcd75 100644 +--- a/kernel.c ++++ b/kernel.c +@@ -5262,6 +5262,8 @@ dump_log_entry(char *logptr, int msg_flags) + fprintf(fp, "%s", buf); + } + ++ level = LOG_LEVEL(level); ++ + if (msg_flags & SHOW_LOG_LEVEL) { + sprintf(buf, "<%x>", level); + ilen += strlen(buf); +-- +2.29.2 + diff --git a/0015-Makefile-reduce-crash-build-log.patch b/0015-Makefile-reduce-crash-build-log.patch new file mode 100644 index 0000000..c11561b --- /dev/null +++ b/0015-Makefile-reduce-crash-build-log.patch @@ -0,0 +1,37 @@ +From 464edc6e6636c01521b46ec64134b90c7e7ced11 Mon Sep 17 00:00:00 2001 +From: Kazuhito Hagio +Date: Fri, 19 Feb 2021 14:43:55 +0900 +Subject: [PATCH 2/6] Makefile: reduce crash build log + +Currently the verbose output of tar command when extracting the +GDB source files occupies more than the half of crash build log. +It is not so helpful and makes the build log longer needlessly +especially on CI build test. Let's stop it. + +Also reduce about 600 lines of crash build log with wget's +"--progress=dot:mega" option when stderr is not a tty. + +Signed-off-by: Kazuhito Hagio +--- + Makefile | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/Makefile b/Makefile +index f66eba7418d1..b3c0d3a7f75b 100644 +--- a/Makefile ++++ b/Makefile +@@ -258,8 +258,9 @@ gdb_unzip: + @if [ ! -f ${GDB}.tar.gz ] && [ ! -f /usr/bin/wget ]; then \ + echo /usr/bin/wget is required to download ${GDB}.tar.gz; echo; exit 1; fi + @if [ ! -f ${GDB}.tar.gz ] && [ -f /usr/bin/wget ]; then \ +- wget http://ftp.gnu.org/gnu/gdb/${GDB}.tar.gz; fi +- @tar --exclude-from gdb.files -xvzmf ${GDB}.tar.gz ++ [ ! -t 2 ] && WGET_OPTS="--progress=dot:mega"; \ ++ wget $$WGET_OPTS http://ftp.gnu.org/gnu/gdb/${GDB}.tar.gz; fi ++ @tar --exclude-from gdb.files -xzmf ${GDB}.tar.gz + @make --no-print-directory gdb_patch + + gdb_patch: +-- +2.29.2 + diff --git a/0016-x86_64-fix-bt-command-on-5.12-rc1-and-later-kernels.patch b/0016-x86_64-fix-bt-command-on-5.12-rc1-and-later-kernels.patch new file mode 100644 index 0000000..bb5a10d --- /dev/null +++ b/0016-x86_64-fix-bt-command-on-5.12-rc1-and-later-kernels.patch @@ -0,0 +1,32 @@ +From 720279fc141100893ba6da6ab18e52776ecf7424 Mon Sep 17 00:00:00 2001 +From: Kazuhito Hagio +Date: Tue, 2 Mar 2021 13:38:18 +0900 +Subject: [PATCH 3/6] x86_64: fix "bt" command on 5.12-rc1 and later kernels + +Fix "bt" command on Linux 5.12-rc1 and later kernels that contain +commit 951c2a51ae75 ("x86/irq/64: Adjust the per CPU irq stack pointer +by 8"). Without the patch, the "bt" command and some of its options +that read irq stack fail with the error message "bt: read of stack at +
failed". + +Signed-off-by: Kazuhito Hagio +--- + x86_64.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/x86_64.c b/x86_64.c +index 23a40a04bbc4..f5b2f7b5f040 100644 +--- a/x86_64.c ++++ b/x86_64.c +@@ -1326,6 +1326,8 @@ x86_64_per_cpu_init(void) + KVADDR, &hardirq_stack_ptr, sizeof(void *), + "hardirq_stack_ptr (per_cpu)", QUIET|RETURN_ON_ERROR)) + continue; ++ if (hardirq_stack_ptr != PAGEBASE(hardirq_stack_ptr)) ++ hardirq_stack_ptr += 8; + ms->stkinfo.ibase[i] = hardirq_stack_ptr - ms->stkinfo.isize; + } else if (irq_sp) + ms->stkinfo.ibase[i] = irq_sp->value + kt->__per_cpu_offset[i]; +-- +2.29.2 + diff --git a/0017-Add-valgrind-support-for-the-crash-s-custom-memory-a.patch b/0017-Add-valgrind-support-for-the-crash-s-custom-memory-a.patch new file mode 100644 index 0000000..6d4e825 --- /dev/null +++ b/0017-Add-valgrind-support-for-the-crash-s-custom-memory-a.patch @@ -0,0 +1,325 @@ +From 7ca9a8e21dc1ecb33195b6c9fdd207f203308636 Mon Sep 17 00:00:00 2001 +From: HATAYAMA Daisuke +Date: Thu, 4 Mar 2021 20:20:28 +0900 +Subject: [PATCH 4/6] Add valgrind support for the crash's custom memory + allocator + +This adds valgrind support for the crash's custom memory allocator +using the way described in the following valgrind's Memcheck manual: + + https://www.valgrind.org/docs/manual/mc-manual.html#mc-manual.mempools + +This helps detecting various memory errors on the crash's custom +memory allocator. + +To enable this feature, build crash command as: + + # make valgrind + +Then, run crash commnad using valgrind as: + + # valgrind ./crash vmlinux vmcore + +Signed-off-by: HATAYAMA Daisuke +--- + Makefile | 4 +++ + README | 4 +++ + configure.c | 27 ++++++++++++++++++--- + help.c | 4 +++ + tools.c | 70 ++++++++++++++++++++++++++++++++++++++++++++++++++++- + 5 files changed, 104 insertions(+), 5 deletions(-) + +diff --git a/Makefile b/Makefile +index b3c0d3a7f75b..31a3d3de0c07 100644 +--- a/Makefile ++++ b/Makefile +@@ -333,6 +333,10 @@ snappy: make_configure + @./configure -x snappy ${CONF_TARGET_FLAG} -w -b + @make --no-print-directory gdb_merge + ++valgrind: make_configure ++ @./configure -x valgrind ${CONF_TARGET_FLAG} -w -b ++ @make --no-print-directory gdb_merge ++ + main.o: ${GENERIC_HFILES} main.c + ${CC} -c ${CRASH_CFLAGS} main.c ${WARNING_OPTIONS} ${WARNING_ERROR} + +diff --git a/README b/README +index e2af9249caa2..d4a830985056 100644 +--- a/README ++++ b/README +@@ -105,6 +105,10 @@ + use either the LZO or snappy compression libraries. To build crash with + either or both of those libraries, type "make lzo" or "make snappy". + ++ crash supports valgrind Memcheck tool on the crash's custom memory allocator. ++ To build crash with this feature enabled, type "make valgrind" and then run ++ crash with valgrind as "valgrind crash vmlinux vmcore". ++ + All of the alternate build commands above are "sticky" in that the + special "make" targets only have to be entered one time; all subsequent + builds will follow suit. +diff --git a/configure.c b/configure.c +index 7f6d19e0b87e..9480829ad2da 100644 +--- a/configure.c ++++ b/configure.c +@@ -1704,18 +1704,22 @@ get_extra_flags(char *filename, char *initial) + * a CFLAGS.extra file and an LDFLAGS.extra file. + + * For lzo: ++ * - enter -DLZO in the CFLAGS.extra file ++ * - enter -llzo2 in the LDFLAGS.extra file ++ * ++ * For snappy: + * - enter -DSNAPPY in the CFLAGS.extra file + * - enter -lsnappy in the LDFLAGS.extra file + * +- * For snappy: +- * - enter -DLZO in the CFLAGS.extra file +- * - enter -llzo2 in the LDFLAGS.extra file. ++ * For valgrind: ++ * - enter -DVALGRIND in the CFLAGS.extra file + */ + void + add_extra_lib(char *option) + { + int lzo, add_DLZO, add_llzo2; + int snappy, add_DSNAPPY, add_lsnappy; ++ int valgrind, add_DVALGRIND; + char *cflags, *ldflags; + FILE *fp_cflags, *fp_ldflags; + char *mode; +@@ -1723,6 +1727,7 @@ add_extra_lib(char *option) + + lzo = add_DLZO = add_llzo2 = 0; + snappy = add_DSNAPPY = add_lsnappy = 0; ++ valgrind = add_DVALGRIND = 0; + + ldflags = get_extra_flags("LDFLAGS.extra", NULL); + cflags = get_extra_flags("CFLAGS.extra", NULL); +@@ -1743,12 +1748,24 @@ add_extra_lib(char *option) + add_lsnappy++; + } + ++ if (strcmp(option, "valgrind") == 0) { ++ valgrind++; ++ if (!cflags || !strstr(cflags, "-DVALGRIND")) ++ add_DVALGRIND++; ++ } ++ + if ((lzo || snappy) && + file_exists("diskdump.o") && (unlink("diskdump.o") < 0)) { + perror("diskdump.o"); + return; + } + ++ if (valgrind && ++ file_exists("tools.o") && (unlink("tools.o") < 0)) { ++ perror("tools.o"); ++ return; ++ } ++ + mode = file_exists("CFLAGS.extra") ? "r+" : "w+"; + if ((fp_cflags = fopen("CFLAGS.extra", mode)) == NULL) { + perror("CFLAGS.extra"); +@@ -1762,13 +1779,15 @@ add_extra_lib(char *option) + return; + } + +- if (add_DLZO || add_DSNAPPY) { ++ if (add_DLZO || add_DSNAPPY || add_DVALGRIND) { + while (fgets(inbuf, 512, fp_cflags)) + ; + if (add_DLZO) + fputs("-DLZO\n", fp_cflags); + if (add_DSNAPPY) + fputs("-DSNAPPY\n", fp_cflags); ++ if (add_DVALGRIND) ++ fputs("-DVALGRIND\n", fp_cflags); + } + + if (add_llzo2 || add_lsnappy) { +diff --git a/help.c b/help.c +index 85b334a0419e..531f50a7cd82 100644 +--- a/help.c ++++ b/help.c +@@ -9387,6 +9387,10 @@ README_ENTER_DIRECTORY, + " use either the LZO or snappy compression libraries. To build crash with", + " either or both of those libraries, type \"make lzo\" or \"make snappy\".", + "", ++" crash supports valgrind Memcheck tool on the crash's custom memory allocator.", ++" To build crash with this feature enabled, type \"make valgrind\" and then run", ++" crash with valgrind as \"valgrind crash vmlinux vmcore\".", ++"", + " All of the alternate build commands above are \"sticky\" in that the", + " special \"make\" targets only have to be entered one time; all subsequent", + " builds will follow suit.", +diff --git a/tools.c b/tools.c +index 71bac6d0ee9a..e6978ae44ead 100644 +--- a/tools.c ++++ b/tools.c +@@ -18,6 +18,11 @@ + #include "defs.h" + #include + ++#ifdef VALGRIND ++#include ++#include ++#endif ++ + static void print_number(struct number_option *, int, int); + static long alloc_hq_entry(void); + struct hq_entry; +@@ -5679,8 +5684,21 @@ buf_init(void) + + bp->smallest = 0x7fffffff; + bp->total = 0.0; +-} + ++#ifdef VALGRIND ++ VALGRIND_MAKE_MEM_NOACCESS(&bp->buf_1K, sizeof(bp->buf_1K)); ++ VALGRIND_MAKE_MEM_NOACCESS(&bp->buf_2K, sizeof(bp->buf_2K)); ++ VALGRIND_MAKE_MEM_NOACCESS(&bp->buf_4K, sizeof(bp->buf_4K)); ++ VALGRIND_MAKE_MEM_NOACCESS(&bp->buf_8K, sizeof(bp->buf_8K)); ++ VALGRIND_MAKE_MEM_NOACCESS(&bp->buf_32K, sizeof(bp->buf_32K)); ++ ++ VALGRIND_CREATE_MEMPOOL(&bp->buf_1K, 0, 1); ++ VALGRIND_CREATE_MEMPOOL(&bp->buf_2K, 0, 1); ++ VALGRIND_CREATE_MEMPOOL(&bp->buf_4K, 0, 1); ++ VALGRIND_CREATE_MEMPOOL(&bp->buf_8K, 0, 1); ++ VALGRIND_CREATE_MEMPOOL(&bp->buf_32K, 0, 1); ++#endif ++} + + /* + * Free up all buffers used by the last command. +@@ -5707,6 +5725,26 @@ void free_all_bufs(void) + if (bp->mallocs != bp->frees) + error(WARNING, "malloc/free mismatch (%ld/%ld)\n", + bp->mallocs, bp->frees); ++ ++#ifdef VALGRIND ++ VALGRIND_DESTROY_MEMPOOL(&bp->buf_1K); ++ VALGRIND_DESTROY_MEMPOOL(&bp->buf_2K); ++ VALGRIND_DESTROY_MEMPOOL(&bp->buf_4K); ++ VALGRIND_DESTROY_MEMPOOL(&bp->buf_8K); ++ VALGRIND_DESTROY_MEMPOOL(&bp->buf_32K); ++ ++ VALGRIND_MAKE_MEM_NOACCESS(&bp->buf_1K, sizeof(bp->buf_1K)); ++ VALGRIND_MAKE_MEM_NOACCESS(&bp->buf_2K, sizeof(bp->buf_2K)); ++ VALGRIND_MAKE_MEM_NOACCESS(&bp->buf_4K, sizeof(bp->buf_4K)); ++ VALGRIND_MAKE_MEM_NOACCESS(&bp->buf_8K, sizeof(bp->buf_8K)); ++ VALGRIND_MAKE_MEM_NOACCESS(&bp->buf_32K, sizeof(bp->buf_32K)); ++ ++ VALGRIND_CREATE_MEMPOOL(&bp->buf_1K, 0, 1); ++ VALGRIND_CREATE_MEMPOOL(&bp->buf_2K, 0, 1); ++ VALGRIND_CREATE_MEMPOOL(&bp->buf_4K, 0, 1); ++ VALGRIND_CREATE_MEMPOOL(&bp->buf_8K, 0, 1); ++ VALGRIND_CREATE_MEMPOOL(&bp->buf_32K, 0, 1); ++#endif + } + + /* +@@ -5731,6 +5769,9 @@ freebuf(char *addr) + for (i = 0; i < NUMBER_1K_BUFS; i++) { + if (addr == (char *)&bp->buf_1K[i]) { + bp->buf_inuse[B1K] &= ~(1 << i); ++#ifdef VALGRIND ++ VALGRIND_MEMPOOL_FREE(&bp->buf_1K, addr); ++#endif + return; + } + } +@@ -5738,6 +5779,9 @@ freebuf(char *addr) + for (i = 0; i < NUMBER_2K_BUFS; i++) { + if (addr == (char *)&bp->buf_2K[i]) { + bp->buf_inuse[B2K] &= ~(1 << i); ++#ifdef VALGRIND ++ VALGRIND_MEMPOOL_FREE(&bp->buf_2K, addr); ++#endif + return; + } + } +@@ -5745,6 +5789,9 @@ freebuf(char *addr) + for (i = 0; i < NUMBER_4K_BUFS; i++) { + if (addr == (char *)&bp->buf_4K[i]) { + bp->buf_inuse[B4K] &= ~(1 << i); ++#ifdef VALGRIND ++ VALGRIND_MEMPOOL_FREE(&bp->buf_4K, addr); ++#endif + return; + } + } +@@ -5752,6 +5799,9 @@ freebuf(char *addr) + for (i = 0; i < NUMBER_8K_BUFS; i++) { + if (addr == (char *)&bp->buf_8K[i]) { + bp->buf_inuse[B8K] &= ~(1 << i); ++#ifdef VALGRIND ++ VALGRIND_MEMPOOL_FREE(&bp->buf_8K, addr); ++#endif + return; + } + } +@@ -5759,6 +5809,9 @@ freebuf(char *addr) + for (i = 0; i < NUMBER_32K_BUFS; i++) { + if (addr == (char *)&bp->buf_32K[i]) { + bp->buf_inuse[B32K] &= ~(1 << i); ++#ifdef VALGRIND ++ VALGRIND_MEMPOOL_FREE(&bp->buf_32K, addr); ++#endif + return; + } + } +@@ -5924,6 +5977,9 @@ getbuf(long reqsize) + bp->buf_inuse[B1K] |= (1 << bdx); + bp->buf_1K_maxuse = MAX(bp->buf_1K_maxuse, + count_bits_int(bp->buf_inuse[B1K])); ++#ifdef VALGRIND ++ VALGRIND_MEMPOOL_ALLOC(&bp->buf_1K, bufp, 1024); ++#endif + BZERO(bufp, 1024); + return(bufp); + } +@@ -5938,6 +5994,9 @@ getbuf(long reqsize) + bp->buf_inuse[B2K] |= (1 << bdx); + bp->buf_2K_maxuse = MAX(bp->buf_2K_maxuse, + count_bits_int(bp->buf_inuse[B2K])); ++#ifdef VALGRIND ++ VALGRIND_MEMPOOL_ALLOC(&bp->buf_2K, bufp, 2048); ++#endif + BZERO(bufp, 2048); + return(bufp); + } +@@ -5952,6 +6011,9 @@ getbuf(long reqsize) + bp->buf_inuse[B4K] |= (1 << bdx); + bp->buf_4K_maxuse = MAX(bp->buf_4K_maxuse, + count_bits_int(bp->buf_inuse[B4K])); ++#ifdef VALGRIND ++ VALGRIND_MEMPOOL_ALLOC(&bp->buf_4K, bufp, 4096); ++#endif + BZERO(bufp, 4096); + return(bufp); + } +@@ -5966,6 +6028,9 @@ getbuf(long reqsize) + bp->buf_inuse[B8K] |= (1 << bdx); + bp->buf_8K_maxuse = MAX(bp->buf_8K_maxuse, + count_bits_int(bp->buf_inuse[B8K])); ++#ifdef VALGRIND ++ VALGRIND_MEMPOOL_ALLOC(&bp->buf_8K, bufp, 8192); ++#endif + BZERO(bufp, 8192); + return(bufp); + } +@@ -5980,6 +6045,9 @@ getbuf(long reqsize) + bp->buf_inuse[B32K] |= (1 << bdx); + bp->buf_32K_maxuse = MAX(bp->buf_32K_maxuse, + count_bits_int(bp->buf_inuse[B32K])); ++#ifdef VALGRIND ++ VALGRIND_MEMPOOL_ALLOC(&bp->buf_32K, bufp, 32768); ++#endif + BZERO(bufp, 32768); + return(bufp); + } +-- +2.29.2 + diff --git a/0018-symbols-Fix-potential-read-to-already-freed-object.patch b/0018-symbols-Fix-potential-read-to-already-freed-object.patch new file mode 100644 index 0000000..4c28fe5 --- /dev/null +++ b/0018-symbols-Fix-potential-read-to-already-freed-object.patch @@ -0,0 +1,106 @@ +From 9d476851b2525522b71219578c14aee3c4580cae Mon Sep 17 00:00:00 2001 +From: HATAYAMA Daisuke +Date: Thu, 4 Mar 2021 20:20:29 +0900 +Subject: [PATCH 5/6] symbols: Fix potential read to already freed object + +valgrind detects the following potential invalid read to some already +freed object: + + Invalid read of size 4 + at 0x539641: datatype_info (symbols.c:5791) + by 0x4EC8B1: dump_variable_length_record_log (kernel.c:5313) + by 0x4EC8B1: dump_log (kernel.c:5042) + by 0x4C5A25: get_panicmsg (task.c:6275) + by 0x4F3E71: display_sys_stats (kernel.c:5645) + by 0x464BC7: main_loop (main.c:797) + by 0x6BF262: captured_command_loop (main.c:258) + by 0x6BD869: catch_errors (exceptions.c:557) + by 0x6C02E5: captured_main (main.c:1064) + by 0x6BD869: catch_errors (exceptions.c:557) + by 0x6C0596: gdb_main (main.c:1079) + by 0x6C0596: gdb_main_entry (main.c:1099) + by 0x46316F: main (main.c:708) + Address 0xb498c8 is 72 bytes inside a block of size 1,024 free'd + at 0x471261: freebuf (tools.c:5766) + by 0x53946B: datatype_info (symbols.c:5747) + by 0x4FEA2A: net_init (net.c:173) + by 0x464A55: main_loop (main.c:777) + by 0x6BF262: captured_command_loop (main.c:258) + by 0x6BD869: catch_errors (exceptions.c:557) + by 0x6C02E5: captured_main (main.c:1064) + by 0x6BD869: catch_errors (exceptions.c:557) + by 0x6C0596: gdb_main (main.c:1079) + by 0x6C0596: gdb_main_entry (main.c:1099) + by 0x46316F: main (main.c:708) + Block was alloc'd at + at 0x471C80: getbuf (tools.c:5965) + by 0x5392B7: datatype_info (symbols.c:5624) + by 0x4FEA2A: net_init (net.c:173) + by 0x464A55: main_loop (main.c:777) + by 0x6BF262: captured_command_loop (main.c:258) + by 0x6BD869: catch_errors (exceptions.c:557) + by 0x6C02E5: captured_main (main.c:1064) + by 0x6BD869: catch_errors (exceptions.c:557) + by 0x6C0596: gdb_main (main.c:1079) + by 0x6C0596: gdb_main_entry (main.c:1099) + by 0x46316F: main (main.c:708) + +This was caused by the fact that in datatype_info(), the object +associated with the variable req is freed too early although it's +still be referred to after the freeing. + +Fix this by changing the way allocating the object from by GETBUF() to +by allocation on stack, which simplifies the code because explicit +free() operations are unnecessary. + +Signed-off-by: HATAYAMA Daisuke +--- + symbols.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +diff --git a/symbols.c b/symbols.c +index ed5f731fa1b3..215d523fb325 100644 +--- a/symbols.c ++++ b/symbols.c +@@ -5611,7 +5611,7 @@ datatype_init(void) + long + datatype_info(char *name, char *member, struct datatype_member *dm) + { +- struct gnu_request *req; ++ struct gnu_request request, *req = &request; + long offset, size, member_size; + int member_typecode; + ulong type_found; +@@ -5625,7 +5625,7 @@ datatype_info(char *name, char *member, struct datatype_member *dm) + + strcpy(buf, name); + +- req = (struct gnu_request *)GETBUF(sizeof(struct gnu_request)); ++ BZERO(req, sizeof(*req)); + req->command = GNU_GET_DATATYPE; + req->flags |= GNU_RETURN_ON_ERROR; + req->name = buf; +@@ -5633,10 +5633,8 @@ datatype_info(char *name, char *member, struct datatype_member *dm) + req->fp = pc->nullfp; + + gdb_interface(req); +- if (req->flags & GNU_COMMAND_FAILED) { +- FREEBUF(req); ++ if (req->flags & GNU_COMMAND_FAILED) + return (dm == MEMBER_TYPE_NAME_REQUEST) ? 0 : -1; +- } + + if (!req->typecode) { + sprintf(buf, "struct %s", name); +@@ -5748,8 +5746,6 @@ datatype_info(char *name, char *member, struct datatype_member *dm) + break; + } + +- FREEBUF(req); +- + if (dm && (dm != MEMBER_SIZE_REQUEST) && (dm != MEMBER_TYPE_REQUEST) && + (dm != STRUCT_SIZE_REQUEST) && (dm != MEMBER_TYPE_NAME_REQUEST)) { + dm->type = type_found; +-- +2.29.2 + diff --git a/0019-tools-Fix-potential-write-to-object-of-0-size.patch b/0019-tools-Fix-potential-write-to-object-of-0-size.patch new file mode 100644 index 0000000..697172c --- /dev/null +++ b/0019-tools-Fix-potential-write-to-object-of-0-size.patch @@ -0,0 +1,64 @@ +From 9c0c6c1b3750beafe4ac6a5441c2dbe26157d548 Mon Sep 17 00:00:00 2001 +From: HATAYAMA Daisuke +Date: Thu, 4 Mar 2021 20:20:30 +0900 +Subject: [PATCH 6/6] tools: Fix potential write to object of 0 size + +valgrind detects the following invalid write on the call of strcpy(): + + Invalid write of size 1 + at 0x483CCFE: strcpy (vg_replace_strmem.c:511) + by 0x47202B: extract_hex (tools.c:1152) + by 0x5104ED: search_for_switch_to (x86_64.c:6342) + by 0x51D6EE: x86_64_thread_return_init (x86_64.c:6368) + by 0x51D6EE: x86_64_init (x86_64.c:721) + by 0x464A2D: main_loop (main.c:770) + by 0x6BF1B2: captured_command_loop (main.c:258) + by 0x6BD7B9: catch_errors (exceptions.c:557) + by 0x6C0235: captured_main (main.c:1064) + by 0x6BD7B9: catch_errors (exceptions.c:557) + by 0x6C04E6: gdb_main (main.c:1079) + by 0x6C04E6: gdb_main_entry (main.c:1099) + by 0x46316F: main (main.c:708) + Address 0x2b439eb8 is 0 bytes after a block of size 40 alloc'd + at 0x483BAE9: calloc (vg_replace_malloc.c:760) + by 0x471794: getbuf (tools.c:6036) + by 0x47201D: extract_hex (tools.c:1151) + by 0x5104ED: search_for_switch_to (x86_64.c:6342) + by 0x51D6EE: x86_64_thread_return_init (x86_64.c:6368) + by 0x51D6EE: x86_64_init (x86_64.c:721) + by 0x464A2D: main_loop (main.c:770) + by 0x6BF1B2: captured_command_loop (main.c:258) + by 0x6BD7B9: catch_errors (exceptions.c:557) + by 0x6C0235: captured_main (main.c:1064) + by 0x6BD7B9: catch_errors (exceptions.c:557) + by 0x6C04E6: gdb_main (main.c:1079) + by 0x6C04E6: gdb_main_entry (main.c:1099) + by 0x46316F: main (main.c:708) + +This is due to strcpy() receives empty string in its 1st argument +because the size of the buffer associated with buf variable then is of +size 0 due to lack of consideration of the terminal '\0' byte. + +Fix this by +1 to the buffer size for the terminal '\0' byte. + +Signed-off-by: HATAYAMA Daisuke +--- + tools.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools.c b/tools.c +index e6978ae44ead..a26b101f6481 100644 +--- a/tools.c ++++ b/tools.c +@@ -1150,7 +1150,7 @@ extract_hex(char *s, ulong *result, char stripchar, ulong first_instance) + ulong value; + char *buf; + +- buf = GETBUF(strlen(s)); ++ buf = GETBUF(strlen(s) + 1); + strcpy(buf, s); + argc = parse_line(buf, arglist); + +-- +2.29.2 + diff --git a/crash.spec b/crash.spec index 8252b7b..85ece6c 100644 --- a/crash.spec +++ b/crash.spec @@ -4,36 +4,41 @@ Summary: Kernel analysis utility for live systems, netdump, diskdump, kdump, LKCD or mcore dumpfiles Name: crash Version: 7.2.9 -Release: 4%{?dist} +Release: 5%{?dist} License: GPLv3 Source0: https://github.com/crash-utility/crash/archive/crash-%{version}.tar.gz Source1: http://ftp.gnu.org/gnu/gdb/gdb-7.6.tar.gz URL: https://crash-utility.github.io ExclusiveOS: Linux ExclusiveArch: %{ix86} ia64 x86_64 ppc ppc64 s390 s390x %{arm} aarch64 ppc64le -BuildRequires: ncurses-devel zlib-devel lzo-devel snappy-devel bison readline-devel +BuildRequires: ncurses-devel zlib-devel lzo-devel snappy-devel bison BuildRequires: gcc gcc-c++ BuildRequires: make Requires: binutils Provides: bundled(libiberty) Provides: bundled(gdb) = 7.6 Patch0: lzo_snappy.patch -Patch1: use_system_readline_v3.patch -Patch2: printk-add-support-for-lockless-ringbuffer.patch -Patch3: printk-use-committed-finalized-state-values.patch -Patch4: 0001-x86_64-VC-exception-stack-support.patch -Patch5: 0002-netdump-fix-regression-for-raw-RAM-dumpfiles.patch -Patch6: 0003-arm64-update-mapping-symbol-filter-in-arm64_verify_s.patch -Patch7: 0004-extensions-eppic.mk-move-ping-check-to-recipe-script.patch -Patch8: 0005-Fix-segmentation-fault-when-ikconfig-passed-nonstand.patch -Patch9: 0006-netdump-fix-illegal-read-from-already-freed-buffer.patch -Patch10: 0007-tools-fix-potential-source-and-destination-overlap-w.patch -Patch11: 0008-set-add-ability-to-un-set-scope.patch -Patch12: 0009-Fix-sys-t-mod-S-after-mod-t-when-crash-runs-with-s-o.patch -Patch13: 0010-Fix-dev-d-option-on-Linux-5.11-rc1-and-later-kernels.patch -Patch14: 0011-Fix-kmem-v-option-on-Linux-5.11-rc1-and-later-kernel.patch -Patch15: 0012-mod-Show-the-base-address-of-module.patch -Patch16: 0013-xen-increase-__PHYSICAL_MASK_SHIFT_XEN-to-52.patch +Patch1: printk-add-support-for-lockless-ringbuffer.patch +Patch2: printk-use-committed-finalized-state-values.patch +Patch3: 0001-x86_64-VC-exception-stack-support.patch +Patch4: 0002-netdump-fix-regression-for-raw-RAM-dumpfiles.patch +Patch5: 0003-arm64-update-mapping-symbol-filter-in-arm64_verify_s.patch +Patch6: 0004-extensions-eppic.mk-move-ping-check-to-recipe-script.patch +Patch7: 0005-Fix-segmentation-fault-when-ikconfig-passed-nonstand.patch +Patch8: 0006-netdump-fix-illegal-read-from-already-freed-buffer.patch +Patch9: 0007-tools-fix-potential-source-and-destination-overlap-w.patch +Patch10: 0008-set-add-ability-to-un-set-scope.patch +Patch11: 0009-Fix-sys-t-mod-S-after-mod-t-when-crash-runs-with-s-o.patch +Patch12: 0010-Fix-dev-d-option-on-Linux-5.11-rc1-and-later-kernels.patch +Patch13: 0011-Fix-kmem-v-option-on-Linux-5.11-rc1-and-later-kernel.patch +Patch14: 0012-mod-Show-the-base-address-of-module.patch +Patch15: 0013-xen-increase-__PHYSICAL_MASK_SHIFT_XEN-to-52.patch +Patch16: 0014-log-change-log-level-print-in-older-kernels.patch +Patch17: 0015-Makefile-reduce-crash-build-log.patch +Patch18: 0016-x86_64-fix-bt-command-on-5.12-rc1-and-later-kernels.patch +Patch19: 0017-Add-valgrind-support-for-the-crash-s-custom-memory-a.patch +Patch20: 0018-symbols-Fix-potential-read-to-already-freed-object.patch +Patch21: 0019-tools-Fix-potential-write-to-object-of-0-size.patch %description The core analysis suite is a self-contained tool that can be used to @@ -54,9 +59,9 @@ offered by Mission Critical Linux, or the LKCD kernel patch. %prep %setup -n %{name}-%{version} -q %patch0 -p1 -b lzo_snappy.patch -%patch1 -p1 -b use_system_readline_v3.patch -%patch2 -p1 -b printk-add-support-for-lockless-ringbuffer.patch -%patch3 -p1 -b printk-use-committed-finalized-state-values.patch +%patch1 -p1 -b printk-add-support-for-lockless-ringbuffer.patch +%patch2 -p1 -b printk-use-committed-finalized-state-values.patch +%patch3 -p1 %patch4 -p1 %patch5 -p1 %patch6 -p1 @@ -70,6 +75,11 @@ offered by Mission Critical Linux, or the LKCD kernel patch. %patch14 -p1 %patch15 -p1 %patch16 -p1 +%patch17 -p1 +%patch18 -p1 +%patch19 -p1 +%patch20 -p1 +%patch21 -p1 %build # This package has an internal copy of GDB which has broken configure code for @@ -101,6 +111,10 @@ cp -p defs.h %{buildroot}%{_includedir}/crash %{_includedir}/* %changelog +* Mon Mar 08 2021 Lianbo Jiang - 7.2.9-5 +- Fix Segmentation fault +- Update to the latest upstream: commit <9c0c6c1b3750> + * Fri Feb 05 2021 Lianbo Jiang - 7.2.9-4 - Update to the latest upstream: commit