From owner-freebsd-bugs@FreeBSD.ORG Fri Mar 6 18:20:04 2009
Date: Fri, 6 Mar 2009 18:20:03 GMT
Message-Id: <200903061820.n26IK38Q014080@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Dylan Cochran
Subject: Re: kern/132104: kenv buffer overflow
List-Id: Bug reports

The following reply was made to PR kern/132104; it has been noted by GNATS.

From: Dylan Cochran
To: bug-followup
Cc: Jaakko Heinonen
Subject: Re: kern/132104: kenv buffer overflow
Date: Fri, 6 Mar 2009 13:13:54 -0500

Second patch, after a conversation with rwatson about locking on malloc, I decided to allow a race condition to occur, and bounded it with an incrementing counter. If we lose the race, we loop up to 6 times, then return null.
Since the values chosen for the sleep time and count are arbitrary, I added printf's so I could view the frequencies when races were lost. So far it never happens, so I believe that to be sufficient. Please note I am not a C language expert, nor am I intimately familiar with kernel programming. I appreciate any pointers. :)

[Attachment: kenv.diff]

--- sys/kern/kern_environment.c	2009-02-20 12:31:36.000000000 -0500
+++ sys/kern/kern_environment.c	2009-03-03 22:45:19.000000000 -0500
@@ -293,22 +293,34 @@
 char *
 getenv(const char *name)
 {
-	char buf[KENV_MNAMELEN + 1 + KENV_MVALLEN + 1];
 	char *ret, *cp;
-	int len;
+	int len = 0;
+	int count = 0;
 
 	if (dynamic_kenv) {
-		mtx_lock(&kenv_lock);
-		cp = _getenv_dynamic(name, NULL);
-		if (cp != NULL) {
-			strcpy(buf, cp);
-			mtx_unlock(&kenv_lock);
-			len = strlen(buf) + 1;
-			ret = malloc(len, M_KENV, M_WAITOK);
-			strcpy(ret, buf);
-		} else {
-			mtx_unlock(&kenv_lock);
+		while (count <= 5) {
 			ret = NULL;
+			mtx_lock(&kenv_lock);
+			cp = _getenv_dynamic(name, NULL);
+			if (cp != NULL) {
+				len = strlen(cp) + 1;
+				mtx_unlock(&kenv_lock);
+				ret = malloc(len, M_KENV, M_WAITOK | M_ZERO);
+				strncpy(ret, cp, len);
+				/* If the last byte of ret is zero, then we won the race, sleep and try again. */
+				printf("kenv0: name=%s length=%d count=%x\n", name, len, count);
+				if (ret[len] == '\x00') {
+					printf("kenv0: data=%s\n", ret);
+					break;
+				}
+			} else {
+				mtx_unlock(&kenv_lock);
+				ret = NULL;
+				break;
+			}
+			count++;
+			free(ret, M_KENV);
+			tsleep(cp, 0, "kenvsl", 1);
 		}
 	} else
 		ret = _getenv_static(name);
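Review bot: `ret[len] == '\x00'` tests the byte one past the `len`-byte allocation; the terminator of a `len`-byte copy lives at `ret[len - 1]`, so the check reads outside `ret` and never looks at the byte the comment describes (the comment also says a zero byte means "sleep and try again" while the code `break`s on zero; make the two agree). The exhausted-retry path returns a dangling pointer: once `count` reaches 6 the loop falls out right after `free(ret, M_KENV)` with `ret` still pointing at the freed buffer, and that is what the function returns rather than the NULL the cover note promises; set `ret = NULL` after the `free()`. The deeper problem is that `strncpy(ret, cp, len)` dereferences `cp` after `mtx_unlock(&kenv_lock)`, so a concurrent unsetenv/setenv that frees the entry turns this into a use-after-free read that no inspection of `ret` afterwards can detect; measure the length under the lock, drop it for the `M_WAITOK` allocation, then re-lock, look the name up again and confirm the length still fits before copying while the lock is held. The `printf()` calls are measurement scaffolding to drop before commit, and `tsleep(cp, 0, "kenvsl", 1)` uses `cp` (an address nothing will `wakeup()` on, and possibly already freed) as its wait channel; a plain timed pause with a comment would say what is meant.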
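The bounded-retry copy the cover note describes, written out as an added example that is not part of the PR or of FreeBSD's kern_environment.c: a userland model in which the entry is measured under the lock, the lock is dropped only for the allocation, and the name is looked up again and its length re-checked under the lock before the copy is made, so a lost race is detected by the second lookup rather than by inspecting the copied bytes, and the function gives up with NULL after six losses. pthread_mutex_t and malloc() stand in for the kernel mutex and the M_WAITOK allocation; kenv_setenv(), kenv_getenv_copy(), kenv_race_window() and kenv_writer_wins are names invented for this model, and the environment contents are constructed.

```c
/*
 * Added example, not the PR's patch or FreeBSD code: a userland model of a
 * bounded-retry getenv() copy that never touches the entry while the lock is
 * dropped.  pthread_mutex_t and malloc() stand in for the kernel mutex and
 * M_WAITOK; the names, table layout and environment contents are constructed.
 */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define KENV_SLOTS     4
#define KENV_MAX_TRIES 6	/* the PR's "loop up to 6 times, then return null" */
static pthread_mutex_t kenv_lock = PTHREAD_MUTEX_INITIALIZER;
static char *kenv_table[KENV_SLOTS];	/* "NAME=VALUE" strings or NULL */
int kenv_writer_wins;	/* test knob: how often a writer lands in the unlocked window */

static int
kenv_match(const char *e, const char *name)
{
	size_t n = strlen(name);
	return (e != NULL && strncmp(e, name, n) == 0 && e[n] == '=');
}

/* Caller holds kenv_lock; the pointer is valid only while it does. */
static char *
kenv_lookup_locked(const char *name)
{
	for (int i = 0; i < KENV_SLOTS; i++)
		if (kenv_match(kenv_table[i], name))
			return (kenv_table[i] + strlen(name) + 1);
	return (NULL);
}

/* Writer: replace NAME (value == NULL removes it); the old storage is freed. */
void
kenv_setenv(const char *name, const char *value)
{
	size_t sz = strlen(name) + (value != NULL ? strlen(value) : 0) + 2;
	int slot = -1;
	pthread_mutex_lock(&kenv_lock);
	for (int i = KENV_SLOTS - 1; i >= 0; i--) {
		if (kenv_match(kenv_table[i], name)) {
			free(kenv_table[i]);	/* no reader may still hold this */
			kenv_table[i] = NULL;
		}
		if (kenv_table[i] == NULL)
			slot = i;
	}
	if (value != NULL && slot >= 0 && (kenv_table[slot] = malloc(sz)) != NULL)
		snprintf(kenv_table[slot], sz, "%s=%s", name, value);
	pthread_mutex_unlock(&kenv_lock);
}

/* Stands in for a setenv() that lands while the reader is unlocked: NAME grows by one byte. */
static void
kenv_race_window(const char *name)
{
	char buf[64], *cur;
	if (kenv_writer_wins-- <= 0)
		return;
	pthread_mutex_lock(&kenv_lock);
	cur = kenv_lookup_locked(name);
	snprintf(buf, sizeof(buf), "%s!", cur != NULL ? cur : "");
	pthread_mutex_unlock(&kenv_lock);
	kenv_setenv(name, buf);
}

/* Reader: measure under the lock, drop it to allocate (M_WAITOK may sleep),
 * re-take it and re-check the length before copying.  Returns a heap copy or
 * NULL if NAME is unset or the race was lost every time; *tries = attempts. */
char *
kenv_getenv_copy(const char *name, int *tries)
{
	int attempt;
	for (attempt = 0; attempt < KENV_MAX_TRIES; attempt++) {
		char *cp, *ret;
		size_t len;
		pthread_mutex_lock(&kenv_lock);
		cp = kenv_lookup_locked(name);
		len = (cp != NULL) ? strlen(cp) + 1 : 0;
		pthread_mutex_unlock(&kenv_lock);
		if (len == 0)
			break;			/* unset: nothing to retry */
		kenv_race_window(name);		/* the window the PR's loop has to survive */
		ret = malloc(len);
		pthread_mutex_lock(&kenv_lock);
		cp = kenv_lookup_locked(name);
		if (ret != NULL && cp != NULL && strlen(cp) + 1 == len) {
			memcpy(ret, cp, len);	/* copied while the lock pins the entry */
			pthread_mutex_unlock(&kenv_lock);
			*tries = attempt + 1;
			return (ret);
		}
		pthread_mutex_unlock(&kenv_lock);
		free(ret);			/* lost: discard, never hand it back */
	}
	*tries = attempt;
	return (NULL);
}
```

kenv_writer_wins forces the simulated writer to land in the unlocked window that many times in a row; with one loss the reader succeeds on its second attempt and returns the value the writer installed, and after six consecutive losses kenv_getenv_copy() returns NULL rather than a stale or freed buffer, which is the exhausted case the cover note wants.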