[Bug 231116] Out of bounds memory access in blist_create()
bugzilla-noreply at freebsd.org
Mon Sep 3 11:05:37 UTC 2018
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231116
Bug ID: 231116
Summary: Out of bounds memory access in blist_create()
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: bugs at FreeBSD.org
Reporter: sebastian.huber at embedded-brains.de
The memory allocation size in blist_create() is insufficient. For example,
blist_create(256, 1) calculates nodes == 5, which is used for the
    bl = malloc(offsetof(struct blist, bl_root[nodes + 1]), M_SWAP, flags |
        M_ZERO);
and then later there is an access here
    bl->bl_root[i + skip].bm_bighint = (daddr_t)-1;
with i == 4 and skip == 1.