Date: Sun, 21 Sep 1997 06:30:02 -0700 (PDT) From: Bruce Evans <bde@zeta.org.au> To: freebsd-bugs Subject: Re: bin/4592: kbdcontrol reboting machine Message-ID: <199709211330.GAA00888@hub.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR bin/4592; it has been noted by GNATS.
From: Bruce Evans <bde@zeta.org.au>
To: amb@elvisti.kiev.ua, freebsd-gnats-submit@FreeBSD.ORG
Cc: Subject: Re: bin/4592: kbdcontrol reboting machine
Date: Sun, 21 Sep 1997 23:25:14 +1000
>>Description:
>if
>cbdcontrol -h 1000000000000000000000000000000000
k
>then machine reboot
There are several bugs here.
1. -h (set console history buffer size) should be a vidcontrol option.
2. 1000000000000000000000000000000000 is misinterpreted by atoi() as
usual and overflows to 0x7fffffff.
3. syscons.c accepts the preposterous size of 0x7fffffff (lines) and
does several potentially overflowing multiplications, first by the
screen width (normally 80), then by 2. 0x7fffffff * 80 overflows
to 0xffffffb0. 0xffffffb0 * 2 overflows to 0xffffff60.
4. The old history buffer is freed before allocating the new one or
setting the old history pointers to NULL, so the system panics
if you trace through the code using ddb. More seriously, the
system would panic if a kernel printf occurred while the pointers
are invalid.
5. malloc() accepts the preposterous size of 0xffffff60 and does an
overflowing roundup() to size 0.
6. kmem_malloc() can't handle a size of 0 and panics nicely with
"kmem_malloc: entry not found or misaligned".
7. Unless a serial console is used, the panic is actually nasty because
of bug (4). Here (using ddb) the first line of the panic gets printed
OK; then then the system hangs when syscons attempts to update the
history for scrolling.
The bugs are all in syscons and its utilities except for (5) and (6).
For the less preposterous size of 12500000 which avoids overflows and
could be satisfied by a measly 2GB of kernel memory, malloc() can do no
better than panic. It prints the more appropriate message "kmem_malloc:
kmem_map too small". Syscons should avoid passing preposterous sizes.
Bruce
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199709211330.GAA00888>