REDZONE(9) BSD Kernel Developer's Manual REDZONE(9)
NAME
RedZone -- buffer corruptions detector
SYNOPSIS
options KDB
options DDB
options DEBUG_REDZONE
DESCRIPTION
RedZone detects buffer underflow and buffer overflow bugs at runtime. Currently RedZone only detects buffer corruptions for memory allocated
with malloc(9). When such corruption is detected two backtraces are printed on the console. The first one shows from where memory was
allocated, the second one shows from where memory was freed. By default the system will not panic when buffer corruption is detected. This
can be changed by setting the vm.redzone.panic sysctl(8) variable to 1. The amount of extra memory allocated for RedZone's needs is stored
in the vm.redzone.extra_mem sysctl(8) variable.
EXAMPLE
The example below shows the logs from the detection of a buffer underflow and a buffer overflow.
REDZONE: Buffer underflow detected. 2 bytes corrupted before 0xc8688580 (16 bytes allocated).
Allocation backtrace:
#0 0xc0583e4e at redzone_setup+0x3c
#1 0xc04a23fa at malloc+0x19e
#2 0xcdeb69ca at redzone_modevent+0x60
#3 0xc04a3f3c at module_register_init+0x82
#4 0xc049d96a at linker_file_sysinit+0x8e
#5 0xc049dc7c at linker_load_file+0xed
#6 0xc04a041f at linker_load_module+0xc4
#7 0xc049e883 at kldload+0x116
#8 0xc05d9b3d at syscall+0x325
#9 0xc05c944f at Xint0x80_syscall+0x1f
Free backtrace:
#0 0xc0583f92 at redzone_check+0xd4
#1 0xc04a2422 at free+0x1c
#2 0xcdeb69a6 at redzone_modevent+0x3c
#3 0xc04a438d at module_unload+0x61
#4 0xc049e0b3 at linker_file_unload+0x89
#5 0xc049e979 at kern_kldunload+0x96
#6 0xc049ea00 at kldunloadf+0x2c
#7 0xc05d9b3d at syscall+0x325
#8 0xc05c944f at Xint0x80_syscall+0x1f
REDZONE: Buffer overflow detected. 4 bytes corrupted after 0xc8688590 (16 bytes allocated).
Allocation backtrace:
#0 0xc0583e4e at redzone_setup+0x3c
#1 0xc04a23fa at malloc+0x19e
#2 0xcdeb69ca at redzone_modevent+0x60
#3 0xc04a3f3c at module_register_init+0x82
#4 0xc049d96a at linker_file_sysinit+0x8e
#5 0xc049dc7c at linker_load_file+0xed
#6 0xc04a041f at linker_load_module+0xc4
#7 0xc049e883 at kldload+0x116
#8 0xc05d9b3d at syscall+0x325
#9 0xc05c944f at Xint0x80_syscall+0x1f
Free backtrace:
#0 0xc0584020 at redzone_check+0x162
#1 0xc04a2422 at free+0x1c
#2 0xcdeb69a6 at redzone_modevent+0x3c
#3 0xc04a438d at module_unload+0x61
#4 0xc049e0b3 at linker_file_unload+0x89
#5 0xc049e979 at kern_kldunload+0x96
#6 0xc049ea00 at kldunloadf+0x2c
#7 0xc05d9b3d at syscall+0x325
#8 0xc05c944f at Xint0x80_syscall+0x1f
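How a guard-region check produces byte counts like those in the reports above, shown as a simplified userland model in C; this is an added example, not FreeBSD's RedZone code. The rz_ names, the 16-byte guard size and the 0x42 fill byte are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumptions of this model, not values taken from the manual page. */
#define RZ_GUARD 16   /* guard bytes on each side of the buffer */
#define RZ_FILL  0x42 /* pattern the guards are filled with */

struct rz_report { size_t before, after; }; /* corrupted guard bytes */

/* Layout: [size_t size][front guard][user buffer][rear guard] */
static void *rz_malloc(size_t size)
{
	uint8_t *raw = malloc(sizeof(size) + 2 * RZ_GUARD + size);
	if (raw == NULL)
		return NULL;
	memcpy(raw, &size, sizeof(size));
	memset(raw + sizeof(size), RZ_FILL, RZ_GUARD);
	memset(raw + sizeof(size) + RZ_GUARD + size, RZ_FILL, RZ_GUARD);
	return raw + sizeof(size) + RZ_GUARD;
}

/* Both guards are verified when the buffer is released, then it is freed. */
static struct rz_report rz_free(void *ptr)
{
	uint8_t *buf = ptr, *front = buf - RZ_GUARD;
	struct rz_report r = { 0, 0 };
	size_t size, i;
	memcpy(&size, front - sizeof(size), sizeof(size));
	for (i = 0; i < RZ_GUARD; i++) {
		r.before += front[i] != RZ_FILL;
		r.after += buf[size + i] != RZ_FILL;
	}
	if (r.before != 0 || r.after != 0)
		printf("%zu bytes corrupted before, %zu after %p (%zu bytes allocated)\n",
		    r.before, r.after, ptr, size);
	free(front - sizeof(size));
	return r;
}

int main(void)
{
	uint8_t *buf = rz_malloc(16);
	if (buf == NULL) return 1;
	memset(buf - 2, 0, 2);  /* bug: 2 bytes written before the buffer */
	memset(buf + 16, 0, 4); /* bug: 4 bytes written past the end */
	rz_free(buf);
	return 0;
}
```

In this model a stray write that happens to store the fill byte goes unnoticed, and nothing is reported until the buffer is freed.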
SEE ALSO
sysctl(8), malloc(9), memguard(9)
HISTORY
RedZone first appeared in FreeBSD 7.0.
AUTHORS
Pawel Jakub Dawidek <pjd@FreeBSD.org>
BUGS
Currently, RedZone does not cooperate with memguard(9). Allocations from a memory type controlled by memguard(9) are simply skipped, so
buffer corruptions will not be detected there.
BSD January 9, 2009 BSD
MEMGUARD(9) BSD Kernel Developer's Manual MEMGUARD(9)
NAME
MemGuard -- memory allocator for debugging purposes
SYNOPSIS
options DEBUG_MEMGUARD
DESCRIPTION
MemGuard is a simple and small replacement memory allocator designed to help detect tamper-after-free scenarios. These problems are more and
more common and likely with multithreaded kernels where race conditions are more prevalent.
Currently, MemGuard can take over malloc(), realloc() and free() for a single malloc type. MemGuard can also guard all allocations larger
than PAGE_SIZE, and can guard a random fraction of all allocations. There is also a knob to prevent allocations smaller than a specified
size from being guarded, to limit memory waste.
EXAMPLES
To use MemGuard for a memory type, either add an entry to /boot/loader.conf:
vm.memguard.desc=<memory_type>
Or set the vm.memguard.desc sysctl(8) variable at run-time:
sysctl vm.memguard.desc=<memory_type>
Where memory_type is a short description of the memory type to monitor. Only allocations from that memory_type made after vm.memguard.desc
is set will potentially be guarded. If vm.memguard.desc is modified at run-time then only allocations of the new memory_type will
potentially be guarded once the sysctl(8) is set. Existing guarded allocations will still be properly released by free(9).
The short description of a malloc(9) type is the second argument to MALLOC_DEFINE(9), so one has to find it in the kernel source.
The vm.memguard.divisor boot-time tunable is used to scale how much of the system's physical memory MemGuard is allowed to consume. The
default is 10, so up to cnt.v_page_count/10 pages can be used. MemGuard will reserve vm_kmem_max / vm.memguard.divisor bytes of virtual
address space, limited by twice the physical memory size. The physical limit is reported as vm.memguard.phys_limit and the virtual space
reserved for MemGuard is reported as vm.memguard.mapsize.
MemGuard will not do page promotions for any allocation smaller than vm.memguard.minsize bytes. The default is 0, meaning all allocations
can potentially be guarded. MemGuard can guard sufficiently large allocations randomly, with average frequency of every one in 100000 /
vm.memguard.frequency allocations. The default is 0, meaning no allocations are randomly guarded.
MemGuard can optionally add unmapped guard pages around each allocation to detect overflow and underflow, if vm.memguard.options has the 1
bit set. This option is enabled by default. MemGuard will optionally guard all allocations of PAGE_SIZE or larger if vm.memguard.options
has the 2 bit set. This option is off by default.
SEE ALSO
sysctl(8), vmstat(8), contigmalloc(9), malloc(9), redzone(9)
HISTORY
MemGuard first appeared in FreeBSD 6.0.
AUTHORS
MemGuard was originally written by Bosko Milekic <bmilekic@FreeBSD.org>. This manual page was originally written by Christian Brueffer
<brueffer@FreeBSD.org>. Additions have been made by Matthew Fleming <mdf@FreeBSD.org> to both the implementation and the documentation.
BUGS
Currently, it is not possible to override UMA zone(9) allocations.
BSD August 2, 2010 BSD