Fix a "Bus error" issue caused by 'crash --osrelease' or crash loading

Sometimes, in production environment, there are still some vmcores that are incomplete, such as partial header or the data is corrupted. When crash tool attempts to parse such vmcores, it may fail as below: $ ./crash --osrelease vmcore Bus error (core dumped) or $ crash vmlinux vmcore ... Bus error (core dumped) $ Gdb calltrace: $ gdb /home/lijiang/src/crash/crash /tmp/core.126301 Core was generated by `./crash --osrelease /home/lijiang/src/39317/vmcore'. Program terminated with signal SIGBUS, Bus error. #0 __memcpy_evex_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:831 831 LOAD_ONE_SET((%rsi), PAGE_SIZE, %VMM(4), %VMM(5), %VMM(6), %VMM(7)) (gdb) bt #0 __memcpy_evex_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:831 crash-utility#1 0x0000000000651096 in read_dump_header (file=0x7ffc59ddff5f "/home/lijiang/src/39317/vmcore") at diskdump.c:820 crash-utility#2 0x0000000000651cf3 in is_diskdump (file=0x7ffc59ddff5f "/home/lijiang/src/39317/vmcore") at diskdump.c:1042 crash-utility#3 0x0000000000502ac9 in get_osrelease (dumpfile=0x7ffc59ddff5f "/home/lijiang/src/39317/vmcore") at main.c:1938 crash-utility#4 0x00000000004fb2e8 in main (argc=3, argv=0x7ffc59dde3a8) at main.c:271 (gdb) frame 1 crash-utility#1 0x0000000000651096 in read_dump_header (file=0x7ffc59ddff5f "/home/lijiang/src/39317/vmcore") at diskdump.c:820 820 memcpy(dd->dumpable_bitmap, dd->bitmap + bitmap_len/2, This may happen on attempting access to a page of the buffer that lies beyond the end of the mapped file(see the mmap() man page). Let's add a check to avoid such issues as much as possible, but still not guarantee that it can work well in any extreme situation. Fixes: a334423 ("diskdump: use mmap/madvise to improve the start-up") Reported-by: Buland Kumar Singh <[email protected]> Signed-off-by: Lianbo Jiang <[email protected]>
liutgnu · Dec 1, 2024 · f79e068 · f79e068
1 parent 7b5cd7f
commit f79e068
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/diskdump.c b/diskdump.c
@@ -805,6 +805,22 @@ read_dump_header(char *file)
 			goto err;
 		}
 	} else {
+		struct stat sbuf;
+		if (fstat(dd->dfd, &sbuf) != 0) {
+			error(INFO, "Cannot fstat the dump file\n");
+			goto err;
+		}
+
+		/*
+		 * For memory regions mapped with the mmap(), attempts access to
+		 * a page of the buffer that lies beyond the end of the mapped file,
+		 * which may cause SIGBUS(see the mmap() man page).
+		 */
+		if (bitmap_len + offset > sbuf.st_size) {
+			error(INFO, "Mmap: Beyond the end of mapped file, corrupted?\n");
+			goto err;
+		}
+
 		dd->bitmap = mmap(NULL, bitmap_len, PROT_READ,
 					MAP_SHARED, dd->dfd, offset);
 		if (dd->bitmap == MAP_FAILED)