kern/115106: When malloc returns null, function proceeds as if pointer is valid at sigacts_alloc

M. Pasikatan magpasikat at yahoo.com
Wed Aug 1 03:40:01 UTC 2007


>Number:         115106
>Category:       kern
>Synopsis:       When malloc returns null, function proceeds as if pointer is valid at sigacts_alloc
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Aug 01 03:40:00 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     M. Pasikatan
>Release:        6.2
>Organization:
Infoweapons, Inc.
>Environment:
FreeBSD mpasikatan.cebu.infoweapons.com 6.2-RELEASE FreeBSD 6.2-RELEASE #8: Mon Jul  9 12:52:50 PHT 2007     matt at mpasikatan.cebu.infoweapons.com:/usr/obj/usr/src/sys/GENERIC  amd64
>Description:
There is a bug in the file /usr/src/sys/kern/kern_sig.c.  The function sigacts_alloc calls malloc but does not check if NULL is returned.  Subsequently, when NULL is returned, it sets the ps values, and this causes the kernel to crash.

Please add checking at sigacts_alloc for the return of the malloc.
>How-To-Repeat:
1. Create a one2many node called pppoe0.
2. Run the following script on a FreeBSD 6.2 system.

---------------------------------------------
#!/bin/sh
# Chain one2many netgraph nodes: each iteration hangs a new one2many node
# off the previous node's "many0" hook, then names it so the next iteration
# can address it as node$i2.  Creating ~50,000 nodes exhausts kernel memory.

i='0'

while [ $i -le 50000 ]
do
  echo "ngctl mkpeer node$i: one2many many0 one"
  ngctl mkpeer node$i: one2many many0 one
  # name of the node just created (the next index)
  i2=`expr $i + 1`
  echo "ngctl name node$i:many0 node$i2"
  ngctl name node$i:many0 node$i2
  i=`expr $i + 1`
done
------------------------------------------------------

At around the 30,000th node, the system runs out of kernel memory and the computer crashes.

The following backtrace is shown in the core file:

#0  doadump () at pcpu.h:165
#1  0xc0672afe in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
#2  0xc0672d94 in panic (fmt=0xc090beba "kmem_malloc(%ld): kmem_map too small: %ld total allocated")
    at /usr/src/sys/kern/kern_shutdown.c:565
#3  0xc07e247d in kmem_malloc (map=0xc104b0c0, size=4096, flags=2) at /usr/src/sys/vm/vm_kern.c:299
#4  0xc07d9dde in page_alloc (zone=0xc1055b00, bytes=4096, pflag=0x0, wait=2)
    at /usr/src/sys/vm/uma_core.c:958
#5  0xc07d9915 in slab_zalloc (zone=0xc1055b00, wait=2) at /usr/src/sys/vm/uma_core.c:823
#6  0xc07db0b4 in uma_zone_slab (zone=0xc1055b00, flags=258) at /usr/src/sys/vm/uma_core.c:2025
#7  0xc07db2d0 in uma_zalloc_bucket (zone=0xc1055b00, flags=258) at /usr/src/sys/vm/uma_core.c:2134
#8  0xc07daf45 in uma_zalloc_arg (zone=0xc1055b00, udata=0x0, flags=258)
    at /usr/src/sys/vm/uma_core.c:1942
#9  0xc06680ca in malloc (size=2768, mtp=0xc096bb20, flags=258) at uma.h:275
#10 0xc0677cd8 in sigacts_alloc () at /usr/src/sys/kern/kern_sig.c:2765
#11 0xc065bdd5 in fork1 (td=0xc345a600, flags=20, pages=0, procp=0xd9909cd4)
    at /usr/src/sys/kern/kern_fork.c:434
#12 0xc065b564 in fork (td=0xc345a600, uap=0xd9909d04) at /usr/src/sys/kern/kern_fork.c:98
#13 0xc0885d1b in syscall (frame=
      {tf_fs = 134611003, tf_es = 59, tf_ds = -1078001605, tf_edi = 0, tf_esi = 134639616, tf_ebp = -1077943176
, tf_isp = -644833948, tf_ebx = 134639616, tf_edx = 0, tf_ecx = -1077943120, tf_eax = 2, tf_trapno = 12, tf_err
 = 2, tf_eip = 672376559, tf_cs = 51, tf_eflags = 582, tf_esp = -1077943204, tf_ss = 59})
    at /usr/src/sys/i386/i386/trap.c:983
#14 0xc0873acf in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:200
#15 0x00000033 in ?? ()

>Fix:
Please add checking at sigacts_alloc for the return of the malloc, as shown below.

struct sigacts *   
sigacts_alloc(void)
{
        struct sigacts *ps;
        
        ps = malloc(sizeof(struct sigacts), M_SUBPROC, M_WAITOK | M_ZERO);
+       if (ps) {
                ps->ps_refcnt = 1;
                mtx_init(&ps->ps_mtx, "sigacts", NULL, MTX_DEF);
+       }
        return (ps);
}
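Review bot: the added "if (ps)" guard is dead code for this allocation: malloc(9) called with M_WAITOK, as on the line "ps = malloc(sizeof(struct sigacts), M_SUBPROC, M_WAITOK | M_ZERO);", never returns NULL. It either sleeps until memory is available or, as frames #2 to #9 of the backtrace show, panics inside kmem_malloc with "kmem_map too small" before control ever returns to sigacts_alloc, so the guard cannot prevent the reported crash. A NULL check is only meaningful if the allocation is changed to M_NOWAIT, and then fork1 at kern_fork.c:434 would also have to handle a NULL return from sigacts_alloc (for example by failing the fork with ENOMEM) instead of dereferencing it. The memory pressure here comes from the tens of thousands of netgraph nodes the script creates; fork is merely the allocation that happens to hit the exhausted kmem_map, so a fix that limits kernel memory consumption in that path (or a larger kmem_map) addresses the crash, while this change does not.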


>Release-Note:
>Audit-Trail:
>Unformatted: