kern/94480: bread & bwrite can crash under low memory conditions
Michiel Pelt
m.pelt at xs4all.nl
Wed Mar 15 15:40:20 UTC 2006
>Number: 94480
>Category: kern
>Synopsis: bread & bwrite can crash under low memory conditions
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Mar 15 15:40:18 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Michiel Pelt
>Release: 6.0
>Organization:
Peltin BV
>Environment:
>Description:
I was just examining the kernel sources for the development plans I have and stumbled upon lib/libufs/block.c rev 1.10. The following code is incorrect:
	if (((intptr_t)data) & 0x3f) {
		p2 = malloc(size);
		if (p2 == NULL)
			ERROR(disk, "allocate bounce buffer");
	}
	cnt = pread(disk->d_fd, p2, size, (off_t)(blockno * disk->d_bsize));
If the malloc fails, pread will be called with the NULL pointer p2 with serious consequences. Same problem with the bwrite function:
	if (((intptr_t)data) & 0x3f) {
		p2 = malloc(size);
		if (p2 == NULL)
			ERROR(disk, "allocate bounce buffer");
		memcpy(p2, data, size);
		data = p2;
	}
	cnt = pwrite(disk->d_fd, data, size, (off_t)(blockno * disk->d_bsize));
>How-To-Repeat:
call bread, bwrite with a very large unaligned buffer ...
>Fix:
	if (((intptr_t)data) & 0x3f) {
		p2 = malloc(size);
		if (p2 == NULL) {
			ERROR(disk, "allocate bounce buffer");
			goto fail;
		}
	}
	cnt = pread(disk->d_fd, p2, size, (off_t)(blockno * disk->d_bsize));
	..
	if (((intptr_t)data) & 0x3f) {
		p2 = malloc(size);
		if (p2 == NULL) {
			ERROR(disk, "allocate bounce buffer");
			return (-1);
		}
		memcpy(p2, data, size);
		data = p2;
	}
	cnt = pwrite(disk->d_fd, data, size, (off_t)(blockno * disk->d_bsize));
>Release-Note:
>Audit-Trail:
>Unformatted:
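
The checked bounce-buffer read from the Fix section, as an added stand-alone example that is not part of the original report or of libufs. The names read_bounced, alloc_fn, failing_alloc and demo are hypothetical, the sample data is constructed, and the code assumes an aligned buffer is handed to pread() directly; the injectable allocator lets the allocation-failure path run without exhausting memory.

```c
#define _XOPEN_SOURCE 700
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
typedef void *(*alloc_fn)(size_t);	/* hypothetical: allocator is injectable */
static void *failing_alloc(size_t n) { (void)n; return (NULL); }

/* Read size bytes at off into data; bounce when data is not 64-byte aligned. */
ssize_t
read_bounced(int fd, void *data, size_t size, off_t off, alloc_fn alloc)
{
	void *p2 = data;	/* assumption: aligned buffers are read into directly */
	ssize_t cnt;

	if (((intptr_t)data) & 0x3f) {
		p2 = alloc(size);
		if (p2 == NULL)
			return (-1);	/* stop: the NULL pointer never reaches pread() */
	}
	cnt = pread(fd, p2, size, off);
	if (p2 != data) {
		if (cnt > 0)
			memcpy(data, p2, (size_t)cnt);
		free(p2);	/* released on success and on read error alike */
	}
	return (cnt);
}

/* Constructed check: 0 if a failed allocation gives -1 and leaves buf untouched. */
int demo(void)
{
	char path[] = "/tmp/bounceXXXXXX", raw[80], *buf = raw, msg[] = "constructed block";
	int fd = mkstemp(path), rc = -1;

	if (fd == -1)
		return (-1);
	unlink(path);
	buf += (((intptr_t)buf) & 0x3f) == 0;	/* force the unaligned path */
	memset(buf, 'x', sizeof(msg));
	if (write(fd, msg, sizeof(msg)) == (ssize_t)sizeof(msg) &&
	    read_bounced(fd, buf, sizeof(msg), 0, failing_alloc) == -1 && buf[0] == 'x' &&
	    read_bounced(fd, buf, sizeof(msg), 0, malloc) == (ssize_t)sizeof(msg) &&
	    memcmp(buf, msg, sizeof(msg)) == 0)
		rc = 0;
	close(fd);
	return (rc);
}
int main(void) { return (demo() == 0 ? 0 : 1); }
```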