A bunch of memory allocation bugs in CGD
ALeine
aleine at austrosearch.net
Wed Mar 30 10:29:52 PST 2005

elric at imrryr.org wrote: 
> Thanks for having a look at that.  I have checked in a fix.
Thanks for responding so quickly.
 
> I presume that you have addressed the cases in GBDE where
> malloc's return code has not been checked?  If so, perhaps
> cvsweb is a little behind.  It looks to me like 2 or 4 mallocs
> can use a buffer without checking the return code.
There are two malloc bugs in GBDE, but both are minor and have
no security implications. Both bugs are in src/sbin/gbde/gbde.c:
- the first bug is in cmd_nuke() and could not be seen as much
  of a bug because cmd_nuke() is used to destroy lock sectors.
  If this fails due to memory starvation no sensitive information
  is leaked, only a write(2) call fails and gbde terminates
  correctly upon catching and reporting the write error.
- the second bug is in cmd_write(), where a buffer is allocated
  and checked, but not immediately, so there is a case where it
  can be used before it gets checked. However, even if this happens,
  only a read(2) call fails and gbde terminates correctly upon
  catching and reporting the read error.
In src/sys/geom/bde/g_bde.c there is also a g_malloc() allocated buffer
which is unchecked, but since the allocation is done with the M_WAITOK
flag it's safe. This means there are no malloc bugs in GBDE which could
cause a segmentation violation.
I have sent the patch for the minor malloc bugs I described above to
Poul-Henning, so I expect him to review it and commit the appropriate
fix in the near future.
ALeine
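A defender-side way to exercise the allocation-failure path the message describes, as an added example that is not code from gbde or from this thread: the allocator is injected so memory starvation can be simulated deterministically, and the NULL check sits directly after the allocation rather than after the buffer has already been used. The names alloc_fn, failing_alloc, write_zero_sector and run_demo are hypothetical.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

typedef void *(*alloc_fn)(size_t);

/* Stand-in allocator that simulates memory starvation (constructed for the test). */
void *failing_alloc(size_t n) { (void)n; errno = ENOMEM; return NULL; }

/* Writes one zero-filled sector of len bytes to fd.  The NULL check comes
 * immediately after the allocation, before memset() touches the buffer; the
 * pattern reported for cmd_write() used the buffer before that check.
 * Returns 0 on success, -1 with errno set on allocation or write failure. */
int write_zero_sector(alloc_fn alloc, int fd, size_t len)
{
    unsigned char *buf = alloc(len);
    if (buf == NULL)
        return -1;
    memset(buf, 0, len);
    ssize_t n = write(fd, buf, len);
    free(buf);
    return (n >= 0 && (size_t)n == len) ? 0 : -1;
}

/* Runs write_zero_sector() through a pipe and checks what arrives.
 * Returns 0 if a sector of zeros came through, -1 if the routine reported
 * failure cleanly, -2 if the data read back was wrong or the harness failed. */
int run_demo(alloc_fn alloc, size_t len)
{
    int fds[2], result;
    unsigned char back[64];
    if (len > sizeof back || pipe(fds) != 0)
        return -2;
    result = write_zero_sector(alloc, fds[1], len);
    close(fds[1]);
    if (result == 0) {
        ssize_t n = read(fds[0], back, sizeof back);
        result = (n == (ssize_t)len) ? 0 : -2;
        for (ssize_t i = 0; i < n && result == 0; i++)
            if (back[i] != 0)
                result = -2;
    }
    close(fds[0]);
    return result;
}
```

With the real allocator the sector of zeros reaches the reader; with the failing one the routine returns -1 instead of dereferencing NULL, which is the behaviour the immediate check buys.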
More information about the freebsd-hackers mailing list