From owner-freebsd-bugs Mon Dec 16 20:40:05 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id UAA26407 for bugs-outgoing; Mon, 16 Dec 1996 20:40:05 -0800 (PST)
Received: (from gnats@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id UAA26377; Mon, 16 Dec 1996 20:40:03 -0800 (PST)
Resent-Date: Mon, 16 Dec 1996 20:40:03 -0800 (PST)
Resent-Message-Id: <199612170440.UAA26377@freefall.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org, randy@zyzzyva.com
Received: from sierra.zyzzyva.com (ppp0.zyzzyva.com [198.183.2.50]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id UAA26306 for ; Mon, 16 Dec 1996 20:39:34 -0800 (PST)
Received: (from randy@localhost) by sierra.zyzzyva.com (8.8.4/8.8.2) id WAA06974; Mon, 16 Dec 1996 22:39:55 -0600 (CST)
Message-Id: <199612170439.WAA06974@sierra.zyzzyva.com>
Date: Mon, 16 Dec 1996 22:39:55 -0600 (CST)
From: randy@zyzzyva.com
Reply-To: randy@zyzzyva.com
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: kern/2230: SEGV in sysctl for version 2.2
Sender: owner-bugs@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>Number:         2230
>Category:       kern
>Synopsis:       SEGV in sysctl
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Dec 16 20:40:01 PST 1996
>Last-Modified:
>Originator:     Randy Terbush
>Organization:   Zyzzyva Enterprises
>Release:        FreeBSD 2.2-RELEASE i386
>Environment:
2.2-RELEASE supped 6:00amCST 16/12/96
P5-133 64MB RAM

The following kernel variables have been "tweaked".
maxusers        256
options         NMBCLUSTERS=4096
options         DFLDSIZ=33554432
options         DFLSSIZ=1048576
options         CHILD_MAX=1536
options         OPEN_MAX=1536
options         "FD_SETSIZE=1024"

>Description:
'sysctl kern' dumps core
>How-To-Repeat:
(gdb) r kern
Starting program: /usr/obj/nfs/zwww1/var/src/usr.sbin/sysctl/sysctl kern
kern.ostype: FreeBSD
kern.osrelease: 2.2-RELEASE
kern.osrevision: 199506
kern.version: FreeBSD 2.2-RELEASE #1: Sat Dec 14 11:50:01 CST 1996
    kroot@sierra:/nfs/zwww1/var/src/sys/compile/SIERRA
kern.maxvnodes: 7881
kern.maxproc: 4116
kern.maxfiles: 8232
kern.argmax: 65536
kern.securelevel: -1
kern.hostname: sierra
kern.hostid: 0
kern.clockrate: { hz = 100, tick = 10000, profhz = 1024, stathz = 128 }

Program received signal SIGSEGV, Segmentation fault.
show_var (oid=0xefbfd750, nlen=2) at /nfs/zwww1/var/src/usr.sbin/sysctl/sysctl.c:349
349         i = sysctl(oid, nlen, val, &len, 0, 0);
(gdb) bt
#0  show_var (oid=0xefbfd750, nlen=2) at /nfs/zwww1/var/src/usr.sbin/sysctl/sysctl.c:349
#1  0x2807 in sysctl_all (oid=0xefbfdc1c, len=1) at /nfs/zwww1/var/src/usr.sbin/sysctl/sysctl.c:456
#2  0x1b38 in parse (string=0xefbfdd26 "kern") at /nfs/zwww1/var/src/usr.sbin/sysctl/sysctl.c:154
#3  0x189b in main (argc=0, argv=0xefbfdcac) at /nfs/zwww1/var/src/usr.sbin/sysctl/sysctl.c:107
(gdb) l
344         i = sysctl(oid, nlen, 0, &j, 0, 0);
345         j += j;     /* we want to be sure :-) */
346
347         val = alloca(j);
348         len = j;
349         i = sysctl(oid, nlen, val, &len, 0, 0);
350         if (i || !len)
351             return (1);
352
353         if (bflag) {
(gdb)

After several calls to this piece of code, alloca() allocates a bogus address which is not being checked for here.

Breakpoint 1, show_var (oid=0xefbfd750, nlen=2) at /nfs/zwww1/var/src/usr.sbin/sysctl/sysctl.c:345
345         j += j;     /* we want to be sure :-) */
(gdb) s
347         val = alloca(j);
(gdb)
348         len = j;
(gdb) p val
$20 = (unsigned char *) 0xefa3df98
(gdb)
>Fix:
>Audit-Trail:
>Unformatted:
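The fragment listed at sysctl.c:344-351 above, rewritten so the buffer lives on the heap, where an allocation failure is a NULL that can be checked and a too-small buffer is detected via ENOMEM and retried with the size the kernel now reports, instead of doubling a stack allocation whose result alloca() cannot report. This is an added example, not the submitter's code or FreeBSD's sysctl.c; it uses a constructed fake_sysctl() stand-in for sysctl(2) and hypothetical fetch_var()/fake_reset() names so it runs off a BSD box.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for sysctl(2). It models what the report's "j += j"
 * hedges against: the payload can grow between the size probe and the fetch.
 * buf == NULL reports the size; a too-small buffer sets errno = ENOMEM, stores
 * the size now needed in *lenp and returns -1, as sysctl(3) documents. */
static size_t fake_len, fake_growth;   /* constructed: size, growth per event */
static int fake_events;                /* constructed: remaining growth events */

void fake_reset(size_t len, size_t growth, int events) { fake_len = len; fake_growth = growth; fake_events = events; }

static int fake_sysctl(void *buf, size_t *lenp)
{
    size_t need = fake_len;
    if (fake_events > 0) { fake_events--; fake_len += fake_growth; }
    if (buf == NULL) { *lenp = need; return 0; }                 /* size probe */
    if (*lenp < need) { *lenp = need; errno = ENOMEM; return -1; } /* too small */
    memset(buf, 'x', need);                                        /* "kernel" fills it */
    *lenp = need; return 0;
}

/* Heap-allocating replacement for the alloca() fragment: failure of the
 * allocation and of the fetch are both checked, and growth is handled by a
 * capped retry. Returns the value (caller frees) and its length, or NULL. */
unsigned char *fetch_var(size_t *outlen)
{
    unsigned char *val = NULL;
    size_t len = 0;
    *outlen = 0;
    if (fake_sysctl(NULL, &len) == -1)                  /* size probe failed */
        return NULL;
    for (int tries = 0; tries < 8; tries++) {
        unsigned char *p = realloc(val, len ? len : 1);
        if (p == NULL)                                   /* out of memory: checkable here */
            break;
        val = p;
        if (fake_sysctl(val, &len) == 0) { *outlen = len; return val; }
        if (errno != ENOMEM)                             /* some other error: give up */
            break;
        /* ENOMEM: the value grew after the probe; len holds the new size, retry */
    }
    free(val);
    return NULL;
}
```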