REDZONE(9) | Kernel Developer's Manual | REDZONE(9) |
RedZone
— buffer
corruptions detector
options KDB
options DDB
options DEBUG_REDZONE
RedZone
detects buffer underflow and
buffer overflow bugs at runtime. Currently RedZone
only detects buffer corruptions for memory allocated with
malloc(9). When such corruption is detected two backtraces
are printed on the console. The first one shows from where memory was
allocated, the second one shows from where memory was freed. By default the
system will not panic when buffer corruption is detected. This can be
changed by setting the vm.redzone.panic
sysctl(8) variable to 1. The amount of extra memory
allocated for RedZone
's needs is stored in the
vm.redzone.extra_mem sysctl(8)
variable.
The example below shows the logs from the detection of a buffer underflow and a buffer overflow.
REDZONE: Buffer underflow detected. 2 bytes corrupted before 0xc8688580 (16 bytes allocated). Allocation backtrace: #0 0xc0583e4e at redzone_setup+0x3c #1 0xc04a23fa at malloc+0x19e #2 0xcdeb69ca at redzone_modevent+0x60 #3 0xc04a3f3c at module_register_init+0x82 #4 0xc049d96a at linker_file_sysinit+0x8e #5 0xc049dc7c at linker_load_file+0xed #6 0xc04a041f at linker_load_module+0xc4 #7 0xc049e883 at kldload+0x116 #8 0xc05d9b3d at syscall+0x325 #9 0xc05c944f at Xint0x80_syscall+0x1f Free backtrace: #0 0xc0583f92 at redzone_check+0xd4 #1 0xc04a2422 at free+0x1c #2 0xcdeb69a6 at redzone_modevent+0x3c #3 0xc04a438d at module_unload+0x61 #4 0xc049e0b3 at linker_file_unload+0x89 #5 0xc049e979 at kern_kldunload+0x96 #6 0xc049ea00 at kldunloadf+0x2c #7 0xc05d9b3d at syscall+0x325 #8 0xc05c944f at Xint0x80_syscall+0x1f REDZONE: Buffer overflow detected. 4 bytes corrupted after 0xc8688590 (16 bytes allocated). Allocation backtrace: #0 0xc0583e4e at redzone_setup+0x3c #1 0xc04a23fa at malloc+0x19e #2 0xcdeb69ca at redzone_modevent+0x60 #3 0xc04a3f3c at module_register_init+0x82 #4 0xc049d96a at linker_file_sysinit+0x8e #5 0xc049dc7c at linker_load_file+0xed #6 0xc04a041f at linker_load_module+0xc4 #7 0xc049e883 at kldload+0x116 #8 0xc05d9b3d at syscall+0x325 #9 0xc05c944f at Xint0x80_syscall+0x1f Free backtrace: #0 0xc0584020 at redzone_check+0x162 #1 0xc04a2422 at free+0x1c #2 0xcdeb69a6 at redzone_modevent+0x3c #3 0xc04a438d at module_unload+0x61 #4 0xc049e0b3 at linker_file_unload+0x89 #5 0xc049e979 at kern_kldunload+0x96 #6 0xc049ea00 at kldunloadf+0x2c #7 0xc05d9b3d at syscall+0x325 #8 0xc05c944f at Xint0x80_syscall+0x1f
RedZone
first appeared in
FreeBSD 7.0.
Pawel Jakub Dawidek <pjd@FreeBSD.org>
Currently, RedZone
does not cooperate with
memguard(9). Allocations from a memory type controlled by
memguard(9) are simply skipped, so buffer corruptions will
not be detected there.
January 9, 2009 | Debian |