kern/94480: bread & bwrite can crash under low memory conditions

Michiel Pelt m.pelt at xs4all.nl
Wed Mar 15 15:40:20 UTC 2006


>Number:         94480
>Category:       kern
>Synopsis:       bread & bwrite can crash under low memory conditions
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Mar 15 15:40:18 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Michiel Pelt
>Release:        6.0
>Organization:
Peltin BV
>Environment:
>Description:
I was just examining the kernel sources for the development plans I have and stumbled upon lib/libufs/block.c rev 1.10. The following code is incorrect:

	if (((intptr_t)data) & 0x3f) {
		p2 = malloc(size);
		if (p2 == NULL)
			ERROR(disk, "allocate bounce buffer");
	}
	cnt = pread(disk->d_fd, p2, size, (off_t)(blockno * disk->d_bsize));

If the malloc fails, pread will be called with the NULL pointer p2 with serious consequences. Same problem with the bwrite function:

	if (((intptr_t)data) & 0x3f) {
		p2 = malloc(size);
		if (p2 == NULL)
			ERROR(disk, "allocate bounce buffer");
		memcpy(p2, data, size);
		data = p2;
	}
	cnt = pwrite(disk->d_fd, data, size, (off_t)(blockno * disk->d_bsize));

>How-To-Repeat:
Call bread or bwrite with a very large unaligned buffer ...
>Fix:
	if (((intptr_t)data) & 0x3f) {
		p2 = malloc(size);
		if (p2 == NULL) {
			ERROR(disk, "allocate bounce buffer");
			goto fail;
		}
	}
	cnt = pread(disk->d_fd, p2, size, (off_t)(blockno * disk->d_bsize));


..


	if (((intptr_t)data) & 0x3f) {
		p2 = malloc(size);
		if (p2 == NULL) {
			ERROR(disk, "allocate bounce buffer");
			return (-1);
		}
		memcpy(p2, data, size);
		data = p2;
	}
	cnt = pwrite(disk->d_fd, data, size, (off_t)(blockno * disk->d_bsize));
>Release-Note:
>Audit-Trail:
>Unformatted:
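
The checked bounce-buffer read from the report, as a self-contained sketch. It is an example added here, not code from libufs or from the submitter. `bounce_read`, its `alloc` parameter, `alloc_fail`, `demo` and `demo_buf` are hypothetical names, and the allocator hook exists only so the out-of-memory path can be forced against a constructed temp file.

```c
#define _XOPEN_SOURCE 700
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical allocator that always fails, to exercise the error path. */
static void *alloc_fail(size_t n) { (void)n; return (NULL); }

/* Same shape as the bread() fragment; `alloc` is an added test hook. */
static ssize_t
bounce_read(int fd, void *data, size_t size, off_t off, void *(*alloc)(size_t))
{
	void *p2 = data;
	ssize_t cnt;
	if (((intptr_t)data) & 0x3f) {	/* not 64-byte aligned: bounce */
		p2 = alloc(size);
		if (p2 == NULL)
			goto fail;	/* never hand NULL to pread() */
	}
	cnt = pread(fd, p2, size, off);
	if (p2 != data && cnt == (ssize_t)size)
		memcpy(data, p2, size);
	if (p2 != data)
		free(p2);
	if (cnt == (ssize_t)size)
		return (cnt);
fail:
	memset(data, 0, size);	/* caller never sees stale or partial data */
	return (-1);
}

static _Alignas(64) char demo_buf[192];	/* demo_buf + 1 is never aligned */
/* Constructed input: temp file of 128 'A' bytes, read into demo_buf + 1. */
static int demo(int force_alloc_failure)
{
	char path[] = "/tmp/bounceXXXXXX", src[128];
	int fd = mkstemp(path);
	ssize_t r = -3;		/* -3: the sample file could not be set up */
	memset(src, 'A', sizeof(src));
	memset(demo_buf, 'Z', sizeof(demo_buf));
	if (fd == -1)
		return (-3);
	unlink(path);
	if (write(fd, src, sizeof(src)) == (ssize_t)sizeof(src))
		r = bounce_read(fd, demo_buf + 1, sizeof(src), 0,
		    force_alloc_failure ? alloc_fail : malloc);
	close(fd);
	return ((int)r);
}
```

`demo(0)` takes the normal bounce path; `demo(1)` forces the allocation failure and returns -1 without ever reaching `pread`.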

