kern/81943: [patch] _assert_sbuf_integrity causes panic for zero length buffer
Andrey Simonenko
simon at comsys.ntu-kpi.kiev.ua
Mon Jun 6 09:50:02 GMT 2005
>Number: 81943
>Category: kern
>Synopsis: _assert_sbuf_integrity causes panic for zero length buffer
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Mon Jun 06 09:50:01 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Andrey Simonenko <simon at comsys.ntu-kpi.kiev.ua>
>Release: FreeBSD 5.4-RELEASE-p1 i386
>Organization:
>Environment:
FreeBSD >= 4.4
>Description:
If INVARIANTS is enabled, then _assert_sbuf_integrity panics if
s_len == 0 and s_size == 0. Really this is not a problem, since
nothing was written to the zero-length buffer.
On FreeBSD 5.4, if INVARIANTS is enabled and procfs is mounted,
then anybody can read zero bytes from /proc/<pid>/map and the
system will panic.
Solution:
* apply the patch given below, to allow s_len == 0 and s_size == 0
in sbuf
* don't allocate zero-length sbufs at all; but currently malloc(9)
accepts zero-length allocations (there is a relevant #if 0 in the
source of malloc(9)), so this will require a revision of all /sys
files.
>How-To-Repeat:
Enable INVARIANTS, mount procfs, and read zero bytes from /proc/<pid>/map
to see the panic.
>Fix:
--- subr_sbuf.c.orig Fri Jul 9 11:37:44 2004
+++ subr_sbuf.c Sat Jun 4 21:42:33 2005
@@ -91,7 +91,7 @@
("%s called with a NULL sbuf pointer", fun));
KASSERT(s->s_buf != NULL,
("%s called with uninitialized or corrupt sbuf", fun));
- KASSERT(s->s_len < s->s_size,
+ KASSERT(s->s_len < s->s_size || s->s_len == 0,
("wrote past end of sbuf (%d >= %d)", s->s_len, s->s_size));
}
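Review bot: the added `|| s->s_len == 0` clause only changes the verdict for the s_len == 0 && s_size == 0 state, because for any s_size >= 1 a zero s_len already satisfies s_len < s_size; it still rejects s_len > 0 with s_size == 0, so the overflow check itself is not weakened. Spelling the intent out, `KASSERT(s->s_len < s->s_size || (s->s_len == 0 && s->s_size == 0), ...)`, would make that clear to the next reader instead of reading like a blanket exemption for any empty sbuf. The patch silences the assertion for this state but leaves zero-size sbufs in circulation; the second bullet of the Solution (not allocating zero-length sbufs at all) is the change that removes the state rather than the check, and is worth tracking separately.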
>Release-Note:
>Audit-Trail:
>Unformatted:
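To make the effect of the one-line change concrete, here is an added user-space model of the check; it is not the kernel's subr_sbuf.c and the struct below is an assumption that keeps only the three fields the assertion inspects (s_buf, s_size, s_len). It encodes the predicate before and after the patch, builds the zero-length state from the report and a genuinely overflowed state, and exhaustively confirms that the two predicates disagree on exactly one (len, size) pair: the empty sbuf.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Model of the sbuf fields that _assert_sbuf_integrity() looks at.
 * Assumption for this illustration: the real struct sbuf has more
 * members, but only these three take part in the KASSERT in the patch.
 */
struct sbuf_model {
	const char *s_buf;	/* backing storage, non-NULL once set up */
	int	s_size;		/* bytes allocated for s_buf */
	int	s_len;		/* bytes written so far */
};

/* Stand-in for the allocation; we never write through it. */
static char backing[64];

/* Build an sbuf in an arbitrary (size, len) state for the checks below. */
struct sbuf_model
sbuf_state(int size, int len)
{
	struct sbuf_model s = { backing, size, len };
	return (s);
}

/* Integrity predicate before the patch: true means "no panic". */
bool
sbuf_ok_before(const struct sbuf_model *s)
{
	if (s == NULL || s->s_buf == NULL)
		return (false);
	return (s->s_len < s->s_size);
}

/* Integrity predicate with the submitted change applied. */
bool
sbuf_ok_after(const struct sbuf_model *s)
{
	if (s == NULL || s->s_buf == NULL)
		return (false);
	return (s->s_len < s->s_size || s->s_len == 0);
}

/*
 * Walk every (len, size) pair in [0, max] and confirm the patched
 * predicate differs from the original only at len == 0 && size == 0.
 * Returns false if any other pair changes verdict.
 */
bool
patch_only_admits_empty_sbuf(int max)
{
	for (int len = 0; len <= max; len++) {
		for (int size = 0; size <= max; size++) {
			bool before = len < size;
			bool after = len < size || len == 0;
			bool differs = before != after;
			bool is_empty = (len == 0 && size == 0);
			if (differs != is_empty)
				return (false);
		}
	}
	return (true);
}

int
main(void)
{
	struct sbuf_model empty = sbuf_state(0, 0);	/* the /proc/<pid>/map case */
	struct sbuf_model over = sbuf_state(16, 16);	/* wrote past end */

	printf("empty sbuf: before=%d after=%d\n",
	    sbuf_ok_before(&empty), sbuf_ok_after(&empty));
	printf("overflowed sbuf: before=%d after=%d\n",
	    sbuf_ok_before(&over), sbuf_ok_after(&over));
	printf("patch admits only the empty state: %d\n",
	    patch_only_admits_empty_sbuf(64));
	return (0);
}
```

The last check is the one a reviewer cares about: it shows the relaxed assertion still fires for a buffer whose s_len caught up with s_size, and for the odd s_len > 0 with s_size == 0 state, so the change does not hide real overruns.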