From owner-svn-src-all@freebsd.org Thu Oct 6 05:16:45 2016 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 73D60BD339F; Thu, 6 Oct 2016 05:16:45 +0000 (UTC) (envelope-from cem@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 29461FE1; Thu, 6 Oct 2016 05:16:45 +0000 (UTC) (envelope-from cem@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u965GifP099818; Thu, 6 Oct 2016 05:16:44 GMT (envelope-from cem@FreeBSD.org) Received: (from cem@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u965GiwY099817; Thu, 6 Oct 2016 05:16:44 GMT (envelope-from cem@FreeBSD.org) Message-Id: <201610060516.u965GiwY099817@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: cem set sender to cem@FreeBSD.org using -f From: "Conrad E. Meyer" Date: Thu, 6 Oct 2016 05:16:44 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r306752 - head/sbin/savecore X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 06 Oct 2016 05:16:45 -0000 Author: cem Date: Thu Oct 6 05:16:44 2016 New Revision: 306752 URL: https://svnweb.freebsd.org/changeset/base/306752 Log: savecore(8): Fix buffer overrun inspecting disks with varying sector size A premature optimization lead to caching a native-sector sized memory allocation. If the program examined a 512 byte sector disk, then a 4096 byte sector disk, the program would overrun the cached 512 byte buffer. Just remove the optimization to fix the bug. This was introduced with the 4Kn dump support in r298076. Reported by: markj Reviewed by: markj, rpokala Sponsored by: Dell EMC Isilon Differential Revision: https://reviews.freebsd.org/D8162 Modified: head/sbin/savecore/savecore.c Modified: head/sbin/savecore/savecore.c ============================================================================== --- head/sbin/savecore/savecore.c Thu Oct 6 03:32:30 2016 (r306751) +++ head/sbin/savecore/savecore.c Thu Oct 6 05:16:44 2016 (r306752) @@ -436,7 +436,8 @@ DoFile(const char *savedir, const char * { xo_handle_t *xostdout, *xoinfo; static char infoname[PATH_MAX], corename[PATH_MAX], linkname[PATH_MAX]; - static char *buf = NULL, *temp = NULL; + static char *buf = NULL; + char *temp = NULL; struct kerneldumpheader kdhf, kdhl; off_t mediasize, dumpsize, firsthd, lasthd; FILE *info, *fp; @@ -498,12 +499,10 @@ DoFile(const char *savedir, const char * } lasthd = mediasize - sectorsize; + temp = malloc(sectorsize); if (temp == NULL) { - temp = malloc(sectorsize); - if (temp == NULL) { - syslog(LOG_ERR, "%m"); - goto closefd; - } + syslog(LOG_ERR, "%m"); + goto closefd; } if (lseek(fd, lasthd, SEEK_SET) != lasthd || read(fd, temp, sectorsize) != (ssize_t)sectorsize) { @@ -749,6 +748,7 @@ nuke: } xo_close_container_h(xostdout, "crashdump"); xo_finish_h(xostdout); + free(temp); close(fd); return; @@ -756,6 +756,7 @@ closeall: fclose(fp); closefd: + free(temp); close(fd); }