From owner-svn-src-all@FreeBSD.ORG Sat Apr 11 15:19:26 2009 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id CEE7B1065686; Sat, 11 Apr 2009 15:19:26 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id BBA6C8FC0A; Sat, 11 Apr 2009 15:19:26 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id n3BFJQuT090613; Sat, 11 Apr 2009 15:19:26 GMT (envelope-from delphij@svn.freebsd.org) Received: (from delphij@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id n3BFJQtj090608; Sat, 11 Apr 2009 15:19:26 GMT (envelope-from delphij@svn.freebsd.org) Message-Id: <200904111519.n3BFJQtj090608@svn.freebsd.org> 
From: Xin LI Date: Sat, 11 Apr 2009 15:19:26 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-7@freebsd.org X-SVN-Group: stable-7 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r190939 - in stable/7/lib/libc: . db db/btree db/hash db/mpool string X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 11 Apr 2009 15:19:27 -0000 Author: delphij Date: Sat Apr 11 15:19:26 2009 New Revision: 190939 URL: http://svn.freebsd.org/changeset/base/190939 Log: MFC r190482: zero out memory before use and free. Approved by: re (kib) Security: Potential Information Leak Modified: stable/7/lib/libc/ (props changed) stable/7/lib/libc/db/README stable/7/lib/libc/db/btree/bt_open.c stable/7/lib/libc/db/btree/bt_split.c stable/7/lib/libc/db/hash/hash_buf.c stable/7/lib/libc/db/mpool/mpool.c stable/7/lib/libc/string/ffsll.c (props changed) stable/7/lib/libc/string/flsll.c (props changed) Modified: stable/7/lib/libc/db/README ============================================================================== --- stable/7/lib/libc/db/README Sat Apr 11 15:19:09 2009 (r190938) +++ stable/7/lib/libc/db/README Sat Apr 11 15:19:26 2009 (r190939) @@ -1,4 +1,5 @@ # @(#)README 8.27 (Berkeley) 9/1/94 +# $FreeBSD$ This is version 1.85 of the Berkeley DB code. 
@@ -31,10 +32,3 @@ mpool The memory pool routines. recno The fixed/variable length record routines. test Test package. -============================================ -Debugging: - -If you're running a memory checker (e.g. Purify) on DB, make sure that -you recompile it with "-DPURIFY" in the CFLAGS, first. By default, -allocated pages are not initialized by the DB code, and they will show -up as reads of uninitialized memory in the buffer write routines. Modified: stable/7/lib/libc/db/btree/bt_open.c ============================================================================== --- stable/7/lib/libc/db/btree/bt_open.c Sat Apr 11 15:19:09 2009 (r190938) +++ stable/7/lib/libc/db/btree/bt_open.c Sat Apr 11 15:19:26 2009 (r190939) @@ -159,9 +159,8 @@ __bt_open(fname, flags, mode, openinfo, goto einval; /* Allocate and initialize DB and BTREE structures. */ - if ((t = (BTREE *)malloc(sizeof(BTREE))) == NULL) + if ((t = (BTREE *)calloc(1, sizeof(BTREE))) == NULL) goto err; - memset(t, 0, sizeof(BTREE)); t->bt_fd = -1; /* Don't close unopened fd on error. */ t->bt_lorder = b.lorder; t->bt_order = NOT; @@ -169,9 +168,8 @@ __bt_open(fname, flags, mode, openinfo, t->bt_pfx = b.prefix; t->bt_rfd = -1; - if ((t->bt_dbp = dbp = (DB *)malloc(sizeof(DB))) == NULL) + if ((t->bt_dbp = dbp = (DB *)calloc(1, sizeof(DB))) == NULL) goto err; - memset(t->bt_dbp, 0, sizeof(DB)); if (t->bt_lorder != machine_lorder) F_SET(t, B_NEEDSWAP); Modified: stable/7/lib/libc/db/btree/bt_split.c ============================================================================== --- stable/7/lib/libc/db/btree/bt_split.c Sat Apr 11 15:19:09 2009 (r190938) +++ stable/7/lib/libc/db/btree/bt_split.c Sat Apr 11 15:19:26 2009 (r190939) 
@@ -381,13 +381,10 @@ bt_page(t, h, lp, rp, skip, ilen) } /* Put the new left page for the split into place. */ - if ((l = (PAGE *)malloc(t->bt_psize)) == NULL) { + if ((l = (PAGE *)calloc(1, t->bt_psize)) == NULL) { mpool_put(t->bt_mp, r, 0); return (NULL); } -#ifdef PURIFY - memset(l, 0xff, t->bt_psize); -#endif l->pgno = h->pgno; l->nextpg = r->pgno; l->prevpg = h->prevpg; Modified: stable/7/lib/libc/db/hash/hash_buf.c ============================================================================== --- stable/7/lib/libc/db/hash/hash_buf.c Sat Apr 11 15:19:09 2009 (r190938) +++ stable/7/lib/libc/db/hash/hash_buf.c Sat Apr 11 15:19:26 2009 (r190939) @@ -57,6 +57,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #ifdef DEBUG #include @@ -174,18 +175,12 @@ newbuf(hashp, addr, prev_bp) */ if (hashp->nbufs || (bp->flags & BUF_PIN)) { /* Allocate a new one */ - if ((bp = (BUFHEAD *)malloc(sizeof(BUFHEAD))) == NULL) + if ((bp = (BUFHEAD *)calloc(1, sizeof(BUFHEAD))) == NULL) return (NULL); -#ifdef PURIFY - memset(bp, 0xff, sizeof(BUFHEAD)); -#endif - if ((bp->page = (char *)malloc(hashp->BSIZE)) == NULL) { + if ((bp->page = (char *)calloc(1, hashp->BSIZE)) == NULL) { free(bp); return (NULL); } -#ifdef PURIFY - memset(bp->page, 0xff, hashp->BSIZE); -#endif if (hashp->nbufs) hashp->nbufs--; } else { @@ -328,8 +323,10 @@ __buf_free(hashp, do_free, to_disk) } /* Check if we are freeing stuff */ if (do_free) { - if (bp->page) + if (bp->page) { + (void)memset(bp->page, 0, hashp->BSIZE); free(bp->page); + } BUF_REMOVE(bp); free(bp); bp = LRU; Modified: stable/7/lib/libc/db/mpool/mpool.c ============================================================================== --- stable/7/lib/libc/db/mpool/mpool.c Sat Apr 11 15:19:09 2009 (r190938) +++ stable/7/lib/libc/db/mpool/mpool.c Sat Apr 11 15:19:26 2009 (r190939) 
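Review bot: The `calloc(1, t->bt_psize)` for the new left page in `bt_page` carries no comment saying why the zeroing is required, and the `#ifdef PURIFY` fill that used to hint at the issue is removed in the same hunk. Going by the README paragraph this commit deletes, these pages reach the buffer write routines, so a later cleanup that turns the call back into `malloc` would quietly reintroduce the leak. I would add above the allocation: `/* calloc: the page is handed to the write routines whole, so unused bytes must not carry old heap contents. */`. The same comment fits the `calloc` calls in `newbuf` (hash_buf.c) and `mpool_bkt` (mpool.c). `bt_page` starts and ends outside this hunk, so how `l` is later copied or freed is not visible here.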
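Review bot: Only the fresh-allocation branch of `newbuf` gets zeroed memory; the `else` branch that opens on the last line of this hunk is untouched, and its body lies outside the hunk. If that branch hands back a recycled `bp->page` without clearing it, bytes from the page's previous use could survive into a page that is only partly filled before it is written out. Unless every caller overwrites the whole page, the reuse branch should clear it as well, e.g. `(void)memset(bp->page, 0, hashp->BSIZE);`. The same question applies to `mpool_bkt` in mpool.c, where the `return (bp);` just above the `new:` label leaves the function without passing through the `calloc`.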
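Review bot: The `memset(bp->page, 0, hashp->BSIZE)` placed directly before `free(bp->page)` in `__buf_free` is a dead store as far as the optimiser is concerned, and a compiler is allowed to remove it, so the wipe may not exist in the built library. Where the platform offers a wipe that is guaranteed not to be elided (`explicit_bzero`, or C11 Annex K `memset_s`), use it instead: `explicit_bzero(bp->page, hashp->BSIZE);`. Otherwise, check the generated code to confirm the store survives at the optimisation level libc is built with. No matching wipe-before-free is visible in this diff for the `l` page in bt_split.c or the buckets in mpool.c, whose frees are outside the hunks shown. `__buf_free` itself starts and ends outside this hunk.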
@@ -343,14 +343,11 @@ mpool_bkt(mp) return (bp); } -new: if ((bp = (BKT *)malloc(sizeof(BKT) + mp->pagesize)) == NULL) +new: if ((bp = (BKT *)calloc(1, sizeof(BKT) + mp->pagesize)) == NULL) return (NULL); #ifdef STATISTICS ++mp->pagealloc; #endif -#if defined(DEBUG) || defined(PURIFY) - memset(bp, 0xff, sizeof(BKT) + mp->pagesize); -#endif bp->page = (char *)bp + sizeof(BKT); ++mp->curcache; return (bp);