Bug#474931: grub-common: update-grub segfaults

Sami Liedes sliedes at cc.hut.fi
Mon Apr 7 23:20:25 UTC 2008


Package: grub-common
Version: 1.96+20080228-1
Severity: normal

I thought at first this would be the same as #474343 (very similar
backtrace), but refiling per request (and Robert probably was right,
it's not quite identical). So I'm sorry if this is the third time you
get some of this info (there's something new there too, search for
**NEW**):

On Mon, Apr 07, 2008 at 11:04:35PM +0200, Robert Millan wrote:
> On Mon, Apr 07, 2008 at 08:20:31PM +0300, Sami Liedes wrote:
> > This is #474343, also analyzed there (although with little less
> > depth). I'll forward the relevant parts of my original report to that
> > bug.
> 
> Please don't assume it is.  File it separately and if it's the same bug we'll
> merge.  Otherwise it gets very confusing.

-----

The command "grub-probe -t device fd0", as run by update-grub without
the `floppy' module installed, segfaults (I assume it would if I
waited long enough for the floppy probe to finish with the module
installed, but it takes ages that way).

I rebuilt grub-common with debug syms and -O0 and got a backtrace. The
crash occurs in the LVM code. The crash happens when calling
grub_lvm_scan_device("hd0,3").

------------------------------------------------------------
# gdb --args grub-probe -t device fd0
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu"...
(gdb) r
Starting program: /usr/sbin/grub-probe -t device fd0

Program received signal SIGSEGV, Segmentation fault.
0x000000000040589d in grub_memmove (dest=0x7fff8774e2c0, src=0x6, n=37) at /home/sliedes/rec/grub2-1.96+20080228/kern/misc.c:43
43              *--d = *--s;
(gdb) bt
#0  0x000000000040589d in grub_memmove (dest=0x7fff8774e2c0, src=0x6, n=37) at /home/sliedes/rec/grub2-1.96+20080228/kern/misc.c:43
#1  0x000000000041f3d0 in grub_lvm_scan_device (name=0x6350c0 "hd0,3") at /home/sliedes/rec/grub2-1.96+20080228/disk/lvm.c:310
#2  0x00000000004044a1 in iterate_partition (disk=0x635010, partition=0x7fff8774e9d0) at /home/sliedes/rec/grub2-1.96+20080228/kern/device.c:132
#3  0x000000000041c551 in pc_partition_map_iterate (disk=0x635010, hook=0x7fff8774eb8f) at /home/sliedes/rec/grub2-1.96+20080228/partmap/pc.c:153
#4  0x000000000040808f in grub_partition_iterate (hook=0x7fff8774eb8f) at /home/sliedes/rec/grub2-1.96+20080228/kern/partition.c:126
#5  0x0000000000404535 in iterate_disk (disk_name=0x7fff8774eae0 "hd0") at /home/sliedes/rec/grub2-1.96+20080228/kern/device.c:101
#6  0x0000000000401e37 in call_hook (hook=0x7fff8774eb78, drive=128) at /home/sliedes/rec/grub2-1.96+20080228/util/biosdisk.c:131
#7  0x0000000000401e6c in grub_util_biosdisk_iterate (hook=0x7fff8774eb78) at /home/sliedes/rec/grub2-1.96+20080228/util/biosdisk.c:140
#8  0x0000000000404985 in grub_disk_dev_iterate (hook=0x7fff8774eb78) at /home/sliedes/rec/grub2-1.96+20080228/kern/disk.c:205
#9  0x00000000004043f4 in grub_device_iterate (hook=0x41f080 <grub_lvm_scan_device>) at /home/sliedes/rec/grub2-1.96+20080228/kern/device.c:138
#10 0x000000000041faeb in grub_mod_init (mod=0x0) at /home/sliedes/rec/grub2-1.96+20080228/disk/lvm.c:511
#11 0x000000000041fad3 in grub_lvm_init () at /home/sliedes/rec/grub2-1.96+20080228/disk/lvm.c:509
#12 0x0000000000420ca0 in grub_init_all () at grub_probe_init.c:44
#13 0x0000000000401cc1 in main (argc=4, argv=0x7fff8774ed38) at /home/sliedes/rec/grub2-1.96+20080228/util/grub-probe.c:355
------------------------------------------------------------

There's something hairy going on with the metadata buffer, and at
least it seems the grub_strstr() return value should be checked:

------------------------------------------------------------
(gdb) up
#1  0x000000000041f3d0 in grub_lvm_scan_device (name=0x6350c0 "hd0,3") at /home/sliedes/rec/grub2-1.96+20080228/disk/lvm.c:310
310       grub_memcpy (vg_id, p, GRUB_LVM_ID_STRLEN);
(gdb) print p
$1 = 0x6 <Address 0x6 out of bounds>
(gdb) l
305
306       grub_memcpy (vgname, p, vgname_len);
307       vgname[vgname_len] = '\0';
308
309       p = grub_strstr (q, "id = \"") + sizeof ("id = \"") - 1;
310       grub_memcpy (vg_id, p, GRUB_LVM_ID_STRLEN);
311       vg_id[GRUB_LVM_ID_STRLEN] = '\0';
312
313       for (vg = vg_list; vg; vg = vg->next)
314         {
(gdb) print q
$2 = 0x66b5b4 " LVM2 x[5A%r0N*>\001"
(gdb) print metadatabuf
$3 = 0x66b5b0 "\033�5` LVM2 x[5A%r0N*>\001"
(gdb) info locals
err = GRUB_ERR_NONE
disk = (grub_disk_t) 0x6350e0
da_offset = 196608
da_size = 0
mda_offset = 4096
mda_size = 192512
buf = "LABELONE\001\000\000\000\000\000\000\000\226��� \000\000\000LVM2 001Tuf1htoXt6rUT4rRoUEhfsX0hI0vYetY\000\000��\r\000\000\000\000\000\003", '\0' <repeats 30 times>, "\020\000\000\000\000\000\000\000�\002", '\0' <repeats 396 times>
vg_id = "\214f@\000\000\000\000\000��t\207�\177\000\000��t\207�\177\000\000y1-FszJ-0�t\207�\177"
pv_id = "Tuf1ht-oXt6-rUT4-rRoU-Ehfs-X0hI-0vYetY"
metadatabuf = 0x66b5b0 "\033�5` LVM2 x[5A%r0N*>\001"
p = 0x6 <Address 0x6 out of bounds>
q = 0x66b5b4 " LVM2 x[5A%r0N*>\001"
vgname = 0x6387d0 "\033�5`"
lh = (struct grub_lvm_label_header *) 0x7fff8774e2f0
pvh = (struct grub_lvm_pv_header *) 0x7fff8774e310
dlocn = (struct grub_lvm_disk_locn *) 0x7fff8774e368
mdah = (struct grub_lvm_mda_header *) 0x66b5b0
rlocn = (struct grub_lvm_raw_locn *) 0x66b5d8
i = 32
j = 38
vgname_len = 4
vg = (struct grub_lvm_vg *) 0x0
pv = (struct grub_lvm_pv *) 0x2b62235e6d26
(gdb)
------------------------------------------------------------

(**NEW**) Some more digging. Here's the first call to
grub_lvm_scan_device("hd0,2"), the one that doesn't crash:

------------------------------------------------------------
# gdb --args grub-probe -t device fd0
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu"...
(gdb) b lvm.c:281
Breakpoint 1 at 0x41f294: file /home/sliedes/rec/grub2-1.96+20080228/disk/lvm.c, line 281.
(gdb) r
Starting program: /usr/sbin/grub-probe -t device fd0

Breakpoint 1, grub_lvm_scan_device (name=0x1e410a0 "hd0,2") at /home/sliedes/rec/grub2-1.96+20080228/disk/lvm.c:281
281       err = grub_disk_read (disk, 0, mda_offset, mda_size, metadatabuf);
(gdb) n
282       if (err)
(gdb) print metadatabuf
$1 = 0x7fc7ecc5a010 "D\031(� LVM2 x[5A%r0N*>\001"
(gdb) n
285       mdah = (struct grub_lvm_mda_header *) metadatabuf;
(gdb)
286       if ((grub_strncmp ((char *)mdah->magic, GRUB_LVM_FMTT_MAGIC,
(gdb) print mdah
$2 = (struct grub_lvm_mda_header *) 0x7fc7ecc5a010
(gdb) print *mdah
$3 = {checksum_xl = 3928496452, magic = " LVM2 x[5A%r0N*>", version = 1, start = 4096, size = 192512,
  raw_locns = 0x7fc7ecc5a038}
(gdb) n
295       rlocn = mdah->raw_locns;
(gdb)
296       p = q = metadatabuf + grub_le_to_cpu64 (rlocn->offset);
(gdb) n
298       while (*q != ' ')
(gdb) print p
$4 = 0x7fc7ecc5c210 "my_container {\nid = \"kj0mGB-qIaB-FIhq-lRSW-B8y1-FszJ-hoOTpS\"\nseqno = 8\nstatus = [\"RESIZEABLE\", \"READ\", \"WRITE\"]\nextent_size = 65536\nmax_lv = 0\nmax_pv = 0\nphysical_volumes {\npv0 {\nid = \"IW0HmE-V7Iz-q3I"...
------------------------------------------------------------

Then (hd0,3). rlocn->offset turns out to be 0, which I gather it
shouldn't be:

------------------------------------------------------------
(gdb) c
Continuing.

Breakpoint 1, grub_lvm_scan_device (name=0x1e410c0 "hd0,3") at /home/sliedes/rec/grub2-1.96+20080228/disk/lvm.c:281
281       err = grub_disk_read (disk, 0, mda_offset, mda_size, metadatabuf);
(gdb) n
282       if (err)
(gdb) print mda_size
$5 = 192512
(gdb) print mda_offset
$6 = 4096
(gdb) n
285       mdah = (struct grub_lvm_mda_header *) metadatabuf;
(gdb)
286       if ((grub_strncmp ((char *)mdah->magic, GRUB_LVM_FMTT_MAGIC,
(gdb)
295       rlocn = mdah->raw_locns;
(gdb) print *mdah
$7 = {checksum_xl = 1614137115, magic = " LVM2 x[5A%r0N*>", version = 1, start = 4096, size = 192512, raw_locns = 0x1e46898}
(gdb) n
296       p = q = metadatabuf + grub_le_to_cpu64 (rlocn->offset);
(gdb) n
298       while (*q != ' ')
(gdb) n
299         q++;
(gdb) print p
$8 = 0x1e46870 "\033�5` LVM2 x[5A%r0N*>\001"
(gdb) info locals
err = GRUB_ERR_NONE
disk = (grub_disk_t) 0x1e410e0
da_offset = 196608
da_size = 0
mda_offset = 4096
mda_size = 192512
buf = "LABELONE\001\000\000\000\000\000\000\000\226��� \000\000\000LVM2 001Tuf1htoXt6rUT4rRoUEhfsX0hI0vYetY\000\000��\r\000\000\000\000\000\003", '\0' <repeats 30 times>, "\020\000\000\000\000\000\000\000�\002", '\0' <repeats 396 times>
vg_id = "\214f@\000\000\000\000\000\020\231���\177\000\000\020\231���\177\000\000y1-FszJ-\220\230���\177"
pv_id = "Tuf1ht-oXt6-rUT4-rRoU-Ehfs-X0hI-0vYetY"
metadatabuf = 0x1e46870 "\033�5` LVM2 x[5A%r0N*>\001"
p = 0x1e46870 "\033�5` LVM2 x[5A%r0N*>\001"
q = 0x1e46870 "\033�5` LVM2 x[5A%r0N*>\001"
vgname = 0x0
lh = (struct grub_lvm_label_header *) 0x7ffff4cb9850
pvh = (struct grub_lvm_pv_header *) 0x7ffff4cb9870
dlocn = (struct grub_lvm_disk_locn *) 0x7ffff4cb98c8
mdah = (struct grub_lvm_mda_header *) 0x1e46870
rlocn = (struct grub_lvm_raw_locn *) 0x1e46898
i = 32
j = 38
vgname_len = 0
vg = (struct grub_lvm_vg *) 0x0
pv = (struct grub_lvm_pv *) 0x7fc7ec7c9d26
gdb) print rlocn->offset
$9 = 0
(gdb) print *rlocn
$10 = {offset = 0, size = 0, checksum = 0, filler = 0}
------------------------------------------------------------

hd0 is /dev/sda in devices.map, and this is what /dev/sda looks like:

------------------------------------------------------------
$ sudo fdisk -l /dev/sda

Disk /dev/sda: 80.0 GB, 80054059008 bytes
255 heads, 63 sectors/track, 9732 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x2514e14e

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1               1          20      160618+  83  Linux
/dev/sda2              21         212     1542240   8e  Linux LVM
/dev/sda3             213        7508    58605120   8e  Linux LVM
/dev/sda4   *        7509        9732    17864280    c  W95 FAT32 (LBA)
------------------------------------------------------------

The computer is an amd64 box with lvm2. /dev/sda1 is an ext2 /boot
partition, root is encrypted and an initramfs is used to set things up
at boot.

------------------------------------------------------------
$ mount
/dev/mapper/root-decrypted on / type ext3 (rw,errors=remount-ro,commit=120)
tmpfs on /lib/init/rw type tmpfs (rw,nosuid,mode=0755)
proc on /proc type proc (rw,noexec,nosuid,nodev)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
procbususb on /proc/bus/usb type usbfs (rw)
udev on /dev type tmpfs (rw,mode=0755)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=620)
/dev/mapper/sda1 on /boot type ext2 (rw)
/home on /var/chroot/ia32/home type none (rw,bind)
/tmp on /var/chroot/ia32/tmp type none (rw,bind)
proc on /var/chroot/ia32/proc type proc (rw)
nfsd on /proc/fs/nfsd type nfsd (rw)
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,noexec,nosuid,nodev)
rpc_pipefs on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
------------------------------------------------------------

Relevant packages:

------------------------------------------------------------
ii  grub             0.97-35            GRand Unified Bootloader (Legacy version)
ii  grub-common      1.96+20080228-1    GRand Unified Bootloader, version 2 (common files)
ii  grub-doc         0.97-35            Documentation for GRand Unified Bootloader (dummy package)
un  grub-efi         <none>             (no description available)
un  grub-ieee1275    <none>             (no description available)
ii  grub-legacy-doc  0.97-35            Documentation for GRUB Legacy
un  grub-linuxbios   <none>             (no description available)
un  grub-pc          <none>             (no description available)
un  grub2            <none>             (no description available)
------------------------------------------------------------

	Sami
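Added illustration, not part of the report and not GRUB's code: a checked rewrite of the lvm.c:296-311 sequence the backtrace points at, fed with constructed metadata in the layout the hd0,2 session printed. Function and macro names (unchecked_id_pointer, scan_vg_metadata, MDA_HDR) are hypothetical; the first function only computes, as an integer, the 0x6 address that the unchecked grub_strstr() arithmetic yields.

```c
#include <stdint.h>
#include <string.h>
#define LVM_ID_STRLEN 38  /* an LVM2 uuid is 38 chars, as in the report's pv_id */
/* Constructed metadata-area header: 4 stand-in checksum bytes, then the magic seen in gdb. */
#define MDA_HDR "CKSM LVM2 x[5A%r0N*>\001"
/* Constructed text metadata in the layout the hd0,2 session printed. */
static const char good_mda[] = MDA_HDR
    "my_container {\nid = \"kj0mGB-qIaB-FIhq-lRSW-B8y1-FszJ-hoOTpS\"\nseqno = 8\n";
char vgname_out[64], vg_id_out[LVM_ID_STRLEN + 1];   /* output buffers for the demo */

/* The address lvm.c:309 computes when strstr() finds nothing: NULL plus
   sizeof("id = \"") - 1, i.e. 0x6, the src= in the backtrace. Done on an
   integer so this example never dereferences it. */
uintptr_t unchecked_id_pointer(const char *q)
{
    return (uintptr_t) strstr(q, "id = \"") + sizeof ("id = \"") - 1;
}

/* Checked version of lvm.c:296-311. mda must be NUL-terminated inside
   mda_size (strstr stops there). Returns 0 on success, -1 on the cases
   that faulted on hd0,3: empty raw_locn, unterminated name, missing id. */
int scan_vg_metadata(const char *mda, size_t mda_size, uint64_t rlocn_offset,
                     char *vgname, size_t vgname_cap, char *vg_id)
{
    const char *end = mda + mda_size, *p, *q, *id;
    size_t vgname_len;
    /* offset 0 is an empty slot: p would alias the header, exactly what the
       second gdb session shows (p == q == metadatabuf, vgname_len == 0). */
    if (rlocn_offset == 0 || rlocn_offset >= mda_size)
        return -1;
    p = q = mda + rlocn_offset;
    while (q < end && *q != ' ')
        q++;
    vgname_len = (size_t) (q - p);
    if (q == end || vgname_len == 0 || vgname_len >= vgname_cap)
        return -1;
    memcpy(vgname, p, vgname_len);
    vgname[vgname_len] = '\0';

    id = strstr(q, "id = \"");               /* check before adding to it */
    if (id == NULL)
        return -1;
    id += sizeof ("id = \"") - 1;
    if ((size_t) (end - id) <= LVM_ID_STRLEN || id[LVM_ID_STRLEN] != '"')
        return -1;                           /* id string truncated */
    memcpy(vg_id, id, LVM_ID_STRLEN);
    vg_id[LVM_ID_STRLEN] = '\0';
    return 0;
}
```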
