From owner-freebsd-bugs@FreeBSD.ORG Mon Jan 28 10:10:00 2013
Message-Id: <201301281001.r0SA1Sl2091719@red.freebsd.org>
Date: Mon, 28 Jan 2013 10:01:28 GMT
From: Yuri
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/175648: [PATCH] Fix for buffer corruption in libproc

>Number: 175648
>Category: misc
>Synopsis: [PATCH] Fix for buffer corruption in libproc
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Jan 28 10:10:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator: Yuri
>Release: 9.1-STABLE
>Organization: n/a
>Environment:
>Description:
Please check in the attached patch. Please MFC to 9.X.

Patch fixes the buffer corruption caused by the wrong size passed to realloc. Bug can be experienced by calling ustack() from some dtrace script when the number of entries in /proc/PID/map is greater than 64.
>How-To-Repeat:
>Fix:
Patch attached with submission follows:

Index: lib/libproc/proc_rtld.c =================================================================== --- lib/libproc/proc_rtld.c (revision 245708) +++ lib/libproc/proc_rtld.c (working copy) @@ -44,7 +44,7 @@ if (phdl->nobjs >= phdl->rdobjsz) { phdl->rdobjsz *= 2; - phdl->rdobjs = realloc(phdl->rdobjs, phdl->rdobjsz); + phdl->rdobjs = realloc(phdl->rdobjs, sizeof(*phdl->rdobjs) * phdl->rdobjsz); if (phdl->rdobjs == NULL) return (-1); }

>Release-Note:
>Audit-Trail:
>Unformatted:
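
Review bot: The realloc result in the proc_rtld.c hunk is still assigned straight to phdl->rdobjs, so on failure the old array is leaked and the handle is left with a NULL rdobjs while phdl->rdobjsz has already been doubled and phdl->nobjs is unchanged. Suggest reallocating into a temporary pointer and updating phdl->rdobjs and phdl->rdobjsz only after the call succeeds. The product sizeof(*phdl->rdobjs) * phdl->rdobjsz is also computed without an overflow check; bounding rdobjsz before the multiplication would close that as well.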
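
The bug class described in this report, as an added example that is not code from FreeBSD libproc or from the submitter: a growable record array whose capacity is counted in records, with the byte count for realloc computed correctly and the pre-patch (count-as-bytes) request shown beside it. The names `struct obj`, `struct objtab`, `buggy_request`, `needed_bytes` and `objtab_append` are hypothetical, and the initial capacity of 64 is an assumption taken from the threshold mentioned in the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the handle and its object records. */
struct obj { uintptr_t base; size_t len; char path[64]; };
struct objtab {
    struct obj *objs;   /* array of records */
    size_t nobjs;       /* records in use */
    size_t cap;         /* capacity, counted in records (not bytes) */
};

/* Bytes the pre-patch call would request: the record count, taken as bytes. */
size_t buggy_request(size_t new_cap) { return new_cap; }

/* Bytes actually needed for new_cap records; 0 signals multiplication overflow. */
size_t needed_bytes(size_t new_cap)
{
    return new_cap > SIZE_MAX / sizeof(struct obj) ? 0 : new_cap * sizeof(struct obj);
}

/* Append one record, doubling on growth. Returns 0, or -1 with the table unchanged. */
int objtab_append(struct objtab *t, const struct obj *o)
{
    if (t->nobjs >= t->cap) {
        size_t new_cap = t->cap ? t->cap * 2 : 64;  /* 64: assumed initial size */
        size_t bytes = needed_bytes(new_cap);
        if (new_cap <= t->cap || bytes == 0)        /* doubling or product overflowed */
            return -1;
        struct obj *p = realloc(t->objs, bytes);    /* temporary keeps old array on failure */
        if (p == NULL)
            return -1;
        t->objs = p;
        t->cap = new_cap;                           /* commit capacity only after success */
    }
    t->objs[t->nobjs++] = *o;
    return 0;
}

int main(void)
{
    struct objtab t = {0};
    struct obj o = { 0x1000, 0x2000, "constructed.so" };  /* constructed sample record */
    for (int i = 0; i < 65; i++)                /* 65th entry forces the first growth */
        if (objtab_append(&t, &o) != 0) return 1;
    printf("cap=%zu need=%zu bytes, pre-patch request=%zu bytes\n", t.cap, needed_bytes(t.cap), buggy_request(t.cap));
    free(t.objs);
    return 0;
}
```

With the pre-patch sizing, the first growth past 64 records would shrink the allocation to 128 bytes while the code goes on indexing 128 records, which is the corruption the report describes.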