Date: Fri, 25 May 2018 14:34:03 -0400
From: Shawn Webb
To: araujo@freebsd.org
Cc: Brooks Davis, svn-src-head@freebsd.org, Eitan Adler, svn-src-all@freebsd.org, src-committers
Subject: Re: svn commit: r334199 - head/usr.sbin/bhyve
Message-ID: <20180525183403.i3bt2npfc3fq2cgf@mutt-hbsd>
References: <201805250207.w4P275Pf060725@repo.freebsd.org> <20180525151134.GB99063@spindle.one-eyed-alien.net> <20180525174424.GD99063@spindle.one-eyed-alien.net> <20180525182139.GE99063@spindle.one-eyed-alien.net>
X-Operating-System: FreeBSD mutt-hbsd 12.0-CURRENT FreeBSD 12.0-CURRENT
X-PGP-Key: http://pgp.mit.edu/pks/lookup?op=vindex&search=0x6A84658F52456EEE
User-Agent: NeoMutt/20180323
List-Id: SVN commit messages for the src tree for head/-current

On Sat, May 26, 2018 at 02:26:33AM +0800, Marcelo Araujo wrote:
> 2018-05-26 2:21 GMT+08:00 Brooks Davis:
>
> > On Sat, May 26, 2018 at 01:56:28AM +0800, Marcelo Araujo wrote:
> > > 2018-05-26 1:44 GMT+08:00 Brooks Davis:
> > >
> > > > On Sat, May 26, 2018 at 01:21:33AM +0800, Marcelo Araujo wrote:
> > > > > On Sat, May 26, 2018, 1:11 AM Eitan Adler wrote:
> > > > >
> > > > > > On 25 May 2018 at 08:23, Marcelo Araujo wrote:
> > > > > > >
> > > > > > > On Fri, May 25, 2018, 11:11 PM Brooks Davis wrote:
> > > > > > >>
> > > > > > >> On Fri, May 25, 2018 at 02:07:05AM +0000, Marcelo Araujo wrote:
> > > > > > >> > Author: araujo
> > > > > > >> > Date: Fri May 25 02:07:05 2018
> > > > > > >> > New Revision: 334199
> > > > > > >> > URL: https://svnweb.freebsd.org/changeset/base/334199
> > > > > > >> >
> > > > > > >> > Log:
> > > > > > >> >   Fix a memory leak on topology_parse().
> > > > > > >> >
> > > > > > >> >   strdup(3) allocates memory for a copy of the string, does the copy
> > > > > > >> >   and returns a pointer to it. If there is not sufficient memory, NULL
> > > > > > >> >   is returned and the global errno is set to ENOMEM.
> > > > > > >> >   We do a sanity check to see if it was possible to allocate enough
> > > > > > >> >   memory.
> > > > > > >> >
> > > > > > >> >   Also, as we allocate memory, we need to free this memory used, or
> > > > > > >> >   when it goes out of scope it leaks the storage it points to.
> > > > > > >> >
> > > > > > >> >   Reviewed by:	rgrimes
> > > > > > >> >   MFC after:	3 weeks.
> > > > > > >> >   X-MFC:		r332298
> > > > > > >> >   Sponsored by:	iXsystems Inc.
> > > > > > >> >   Differential Revision:	https://reviews.freebsd.org/D15550
> > > > > > >> >
> > > > > > >> > Modified:
> > > > > > >> >   head/usr.sbin/bhyve/bhyverun.c
> > > > > > >> >
> > > > > > >> > Modified: head/usr.sbin/bhyve/bhyverun.c
> > > > > > >> > ==============================================================================
> > > > > > >> > --- head/usr.sbin/bhyve/bhyverun.c	Fri May 25 01:38:59 2018	(r334198)
> > > > > > >> > +++ head/usr.sbin/bhyve/bhyverun.c	Fri May 25 02:07:05 2018	(r334199)
> > > > > > >> > @@ -193,6 +193,7 @@ topology_parse(const char *opt)
> > > > > > >> >  	c = 1, n = 1, s = 1, t = 1;
> > > > > > >> >  	ns = false, scts = false;
> > > > > > >> >  	str = strdup(opt);
> > > > > > >> > +	assert(str != NULL);
> > > > > > >>
> > > > > > >> Using assert seems like an odd choice when you've already added a
> > > > > > >> failure path and the strsep will crash immediately if assert is elided.
> > > > > > >
> > > > > > > Just to make a better point, I had the same discussion about assert(3) in
> > > > > > > another review, we don't do NDEBUG even for RELEASE.
> > > > > >
> > > > > > IMHO we only use assert for asserting things ought to never be false
> > > > > > except in buggy code. Using assert for handling is poor practice.
> > > > >
> > > > > Again, in this case we are using it all over the place and we must replace
> > > > > it. Also we should document it somewhere, perhaps in assert(3),
> > > > > otherwise myself and others will keep using it. If you use find, not only
> > > > > myself is using it to check strdup! So what is the suggestion to handle
> > > > > assert(3)? Deprecate it?
> > > >
> > > > Code that uses assert() in place of error handling is wrong and should
> > > > be fixed. assert(condition) means that condition must never happen
> > > > and if it does a bug has occurred (or the programmer's assumptions are
> > > > wrong). In this case failure would not be due to a bug, but due to
> > > > resource exhaustion which is expected to be handled.
> > >
> > > I agree with you! We have plenty of places that use strdup(3) without
> > > checking the errno ENOMEM return; so do you think it would be better to bypass
> > > an errno ENOMEM without checking it and have a crash, or better abort(3) using
> > > assert(3) in case we have no memory available to allocate the memory for a
> > > copy of a string?
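Review bot: `assert(str != NULL);` directly after `str = strdup(opt);` turns an expected runtime condition into an abort: the log message itself says strdup(3) returns NULL with errno set to ENOMEM when memory is exhausted, which is a resource failure to be handled, not a programming error that can never occur. Replace the assert with a NULL test that fails the parse and returns an error to the caller; as written, a build with NDEBUG removes the check and the following strsep() dereferences NULL. Note also that the hunk shown adds only the assert, so the free() of the copy that the log describes is not visible in this diff and should be confirmed in the full change.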
> >
> > The correct code here would be one of:
> >
> >   str = strdup(opt);
> >   if (str == NULL)
> >     goto out;
> >
>
> No, it is not the correct code! If we go out and free(str) we have nothing
> to free, because we didn't even allocate memory for str.

Hey Marcelo,

I've authored this commit, which fixes the issues Brooks brought up (and
with which I agree):

https://github.com/HardenedBSD/hardenedBSD/commit/9c05b8def2c33e3889430cc2f54be0402a257366

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal: +1 443-546-8752
Tor+XMPP+OTR: lattera@is.a.hacker.sx
GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE
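As an added example (not the bhyve code from r334199 and not Shawn's HardenedBSD commit), here is a simplified topology_parse() written the way the thread argues it should be: a strdup(3) failure is reported to the caller as an error rather than asserted, and the copy is released at a single exit point on every path. The "sockets=S,cores=C,threads=T" syntax, the struct and the range check are assumptions for illustration.

```c
#define _DEFAULT_SOURCE 1   /* strdup(3)/strsep(3) prototypes on glibc */
#include <errno.h>
#include <stdlib.h>
#include <string.h>
struct topology { int sockets, cores, threads; };
/* Hypothetical "sockets=S,cores=C,threads=T" syntax (assumption, not bhyve's).
 * Returns 0 on success, -1 on error with errno set; never asserts on ENOMEM. */
static int
topology_parse(const char *opt, struct topology *tp)
{
	char *str, *cp, *tok, *eq, *end;
	long v;
	int error = -1;
	/* strsep(3) writes into the buffer, so parse a private copy. */
	str = strdup(opt);
	if (str == NULL)
		return (-1);    /* ENOMEM from strdup: nothing allocated, nothing to free */
	tp->sockets = tp->cores = tp->threads = 1;
	cp = str;
	while ((tok = strsep(&cp, ",")) != NULL) {
		if ((eq = strchr(tok, '=')) == NULL || eq[1] == '\0')
			goto out;
		*eq = '\0';
		v = strtol(eq + 1, &end, 10);
		if (*end != '\0' || v < 1 || v > 65535)
			goto out;
		if (strcmp(tok, "sockets") == 0)
			tp->sockets = (int)v;
		else if (strcmp(tok, "cores") == 0)
			tp->cores = (int)v;
		else if (strcmp(tok, "threads") == 0)
			tp->threads = (int)v;
		else
			goto out;       /* unknown key */
	}
	error = 0;
out:
	free(str);              /* the one release point for the copy, on every path */
	if (error != 0)
		errno = EINVAL;
	return (error);
}
/* Total vCPUs for the option string, or -1 on a parse error. */
static int
topology_vcpus(const char *opt)
{
	struct topology t;
	return (topology_parse(opt, &t) == 0 ? t.sockets * t.cores * t.threads : -1);
}
```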