kern/132104: kenv buffer overflow
Dylan Cochran
a134qaed at gmail.com
Wed Feb 25 13:40:04 PST 2009
The following reply was made to PR kern/132104; it has been noted by GNATS.
From: Dylan Cochran <a134qaed at gmail.com>
To: Jaakko Heinonen <jh at saunalahti.fi>
Cc: bug-followup at freebsd.org
Subject: Re: kern/132104: kenv buffer overflow
Date: Wed, 25 Feb 2009 16:36:32 -0500
On Wed, Feb 25, 2009 at 1:56 PM, Jaakko Heinonen <jh at saunalahti.fi> wrote:
>
> Hi,
>
> On 2009-02-25, Dylan Cochran wrote:
>> This prevents the panic condition, but also increases the amount of
>> time the mutex is held. Comments?
>>
>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 mtx_lock(&kenv_lock);
>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 cp =3D _getenv_dynamic(name, NULL);
>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 if (cp !=3D NULL) {
>> - =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 strcpy(buf, cp);
>> - =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 mtx_unlock(&kenv_lock);
>> - =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 len =3D strlen(buf) + 1;
>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 len =3D strlen(cp) + 1;
>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 ret =3D malloc(len, M_KENV, =
M_WAITOK);
>> - =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 strcpy(ret, buf);
>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 strcpy(ret, cp);
>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 mtx_unlock(&kenv_lock);
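Review bot: the `ret = malloc(len, M_KENV, M_WAITOK);` call now runs while kenv_lock is held, and an M_WAITOK allocation may sleep, which is not permitted under a mutex (WITNESS will flag it). Consider measuring `strlen(cp) + 1` under the lock, dropping the lock to allocate, then relocking and looking the value up again: if it still fits, copy and return; if it has grown or disappeared, free the buffer and retry (or use M_NOWAIT and handle a NULL return). The rest of the hunk is sound: sizing the allocation from `cp` and copying straight from it removes the fixed-size intermediate `buf` that the old `strcpy(buf, cp)` could overflow.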
>
> malloc(9) with M_WAITOK flag could sleep. You are not allowed to sleep
> while holding a mutex.
So if I modify it to use M_NOWAIT, I should unlock if it returns null,
then sleep, then relock, and repeat? I'd rather not just bump up the
*LEN values, or truncate it by adding a trailing 0 byte to the end.
Not in 2009 anyway.
>
> --
> Jaakko
>
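The drop-the-lock-and-retry approach discussed above, written out as an added user-space example (not code from the PR or from the FreeBSD kernel): a pthread mutex stands in for kenv_lock, plain malloc for malloc(9), and the table entries are constructed, hypothetical values. The copy is sized from the value itself, the allocation happens with the lock released, and the value is re-checked under the lock before the bounded copy.

```c
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the kernel's dynamic kenv table: a mutex-protected
 * list of "name=value" strings (hypothetical entries, not real kernel data). */
static pthread_mutex_t kenv_lock = PTHREAD_MUTEX_INITIALIZER;
static const char *const kenv_table[] = {
    "hint.acpi.0.disabled=0", "vfs.root.mountfrom=ufs:/dev/ada0p2", NULL
};
/* Lookup of the value part of "name=value"; caller must hold kenv_lock. */
static const char *getenv_dynamic_locked(const char *name)
{
    size_t nlen = strlen(name);
    for (const char *const *ep = kenv_table; *ep != NULL; ep++)
        if (strncmp(*ep, name, nlen) == 0 && (*ep)[nlen] == '=')
            return *ep + nlen + 1;
    return NULL;
}

/* Heap copy of a kenv value (NULL if unset), sized from the value itself so
 * no fixed-size intermediate buffer can overflow. Allocation, which in the
 * kernel (M_WAITOK) may sleep, happens with the lock dropped; the value is
 * then looked up again under the lock and copied only if it still fits. */
char *kenv_getenv_copy(const char *name)
{
    char *ret = NULL;
    size_t len = 0;
    for (;;) {
        pthread_mutex_lock(&kenv_lock);
        const char *cp = getenv_dynamic_locked(name);
        if (cp == NULL) {                   /* unset (or removed meanwhile) */
            pthread_mutex_unlock(&kenv_lock);
            free(ret);
            return NULL;
        }
        size_t need = strlen(cp) + 1;
        if (ret != NULL && need <= len) {   /* second pass: bounded copy */
            memcpy(ret, cp, need);
            pthread_mutex_unlock(&kenv_lock);
            return ret;
        }
        pthread_mutex_unlock(&kenv_lock);   /* never allocate under the mutex */
        free(ret);                          /* too small (or first pass) */
        len = need;
        if ((ret = malloc(len)) == NULL)    /* M_NOWAIT-style failure */
            return NULL;
    }                                       /* retry: re-lookup under lock */
}
```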