[Bug 231116] Out of bounds memory access in blist_create()

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Mon Sep 3 11:05:37 UTC 2018


            Bug ID: 231116
           Summary: Out of bounds memory access in blist_create()
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: bugs at FreeBSD.org
          Reporter: sebastian.huber at embedded-brains.de

The memory allocation size in blist_create() is insufficient.  For example,
blist_create(256, 1) calculates nodes == 5, which is used for the

bl = malloc(offsetof(struct blist, bl_root[nodes + 1]), M_SWAP, flags |

and then later there is an access here


with i == 4 and skip == 1;
