Date: Mon, 26 Feb 2001 18:12:25 -0500 (EST)
From: "Alexander N. Kabaev" <ak03@gte.com>
To: FreeBSD-gnats-submit@freebsd.org
Subject: kern/25393: PATCH: Panic in poll(2)
Message-ID: <200102262312.f1QNCP624854@h132-197-97-45.gte.com>
>Number:         25393
>Category:       kern
>Synopsis:       System panics when user calls poll with parameters in wrong order
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 26 15:20:01 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     Alexander N. Kabaev
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
Verizon Laboratories Inc.
>Environment:
System: FreeBSD kanpc.gte.com 5.0-CURRENT FreeBSD 5.0-CURRENT #1: Mon Feb 26 17:25:41 EST 2001 root@kanpc.gte.com:/usr/src/sys/compile/KANPC i386
>Description:
While trying to compile the new ksh93 updated recently by Steve Price, I've discovered that this port in its current form causes -CURRENT to panic. The problem is with one of the tests the ksh93 build system runs to determine target system capabilities. Namely, it tries to check whether the poll function takes a pointer to the array of file descriptors as its second parameter, i.e. it does something like:

    poll(1, &fd, 0)

The kernel then tries to allocate memory for what it thinks is a very large array of fds, and malloc panics the machine because of insufficient kernel address space. There are checks in the kernel which are supposed to prevent exactly this problem, but they are not catching the bogus 'nfds' value because the 'nfds' variable is defined as int and is treated as negative for huge values like a pointer value. The attached patch fixes the problem by defining the nfds variable as u_int.
>How-To-Repeat:
main() { poll(1, &fd, 0); }
>Fix:
Index: sys_generic.c
===================================================================
RCS file: /usr/ncvs/src/sys/kern/sys_generic.c,v
retrieving revision 1.73
diff -u -r1.73 sys_generic.c
--- sys_generic.c 2001/02/09 08:10:22 1.73
+++ sys_generic.c 2001/02/26 22:49:37
@@ -73,7 +73,7 @@ static MALLOC_DEFINE(M_SELECT, "select", "select() buffer"); MALLOC_DEFINE(M_IOV, "iov", "large iov's"); -static int pollscan __P((struct proc *, struct pollfd *, int)); +static int pollscan __P((struct proc *, struct pollfd *, u_int)); static int selscan __P((struct proc *, fd_mask **, fd_mask **, int)); static int dofileread __P((struct proc *, struct file *, int, void *, size_t, off_t, int)); @@ -858,7 +858,8 @@ caddr_t bits; char smallbits[32 * sizeof(struct pollfd)]; struct timeval atv, rtv, ttv; - int s, ncoll, error = 0, timo, nfds; + int s, ncoll, error = 0, timo; + u_int nfds; size_t ni; nfds = SCARG(uap, nfds); @@ -945,10 +946,10 @@ pollscan(p, fds, nfd) struct proc *p; struct pollfd *fds; - int nfd; + u_int nfd; { register struct filedesc *fdp = p->p_fd; - int i; + u_int i; struct file *fp; int n = 0; >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
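Review bot: In the first hunk (@@ -73,7 +73,7 @@) the pollscan prototype now takes u_int for the descriptor count, which matches the definition changed in the third hunk; since the __P() prototype is what lets the compiler flag a signed argument, confirm that poll() is the only caller of pollscan, otherwise the int-to-u_int conversion this patch removes simply reappears at another call site.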
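Review bot: In the second hunk (@@ -858,7 +858,8 @@) declaring nfds as u_int only closes the hole if the existing upper-bound check on nfds runs before ni is computed from it and the buffer is allocated: as u_int a pointer-sized value compares as a huge positive count and is rejected, whereas the old int compared as negative and slipped past. Two things to verify outside the hunk are that the limit comparison does not use a signed constant or cast that would reintroduce the signed compare, and that ni is not derived from nfds anywhere ahead of that check, because u_int times sizeof(struct pollfd) can still wrap in a 32-bit size_t on i386 for counts above 2^29. It is also worth checking the declared type of the nfds member that SCARG(uap, nfds) reads, so the sign conversion happens exactly once, here, and not again at the argument copyin.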
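Review bot: In the third hunk (@@ -945,10 +946,10 @@) changing the loop index i to u_int together with nfd keeps the loop bound comparison unsigned on both sides, so no signed/unsigned mismatch is reintroduced inside pollscan. The return counter `int n = 0;` stays signed, which is fine as long as the bound poll() enforces on nfd keeps it below INT_MAX; a one-line comment on pollscan stating that nfd arrives already bounds-checked by poll() would make that assumption explicit for future readers.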
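As an added illustration, not part of this PR or of the FreeBSD source, here is the arithmetic the report describes: the same bounds check written with a signed count beside the unsigned one the patch introduces. The limit value, the struct layout and the sample pointer-like count 0xbfbff5a0 are constructed assumptions, not values from sys_generic.c.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's descriptor-count limit (assumption;
 * the real check in sys_generic.c is not shown in the PR). */
#define NFDS_LIMIT 1024u

/* Same layout as struct pollfd on i386: 8 bytes per entry. */
struct pollfd_like { int fd; short events; short revents; };

/* Pre-patch shape: the count is a signed int.  A count that is really a
 * user pointer (top bit set) is negative as an int, so "nfds > limit" is
 * false and the caller goes on to size a buffer from it.  Returns 1 when
 * the request would proceed to allocation, 0 when it is rejected; *ni_out
 * receives the buffer size the caller would request. */
int poll_check_signed(int nfds, size_t *ni_out)
{
    if (nfds > (int)NFDS_LIMIT)
        return 0;                       /* never true for negative nfds */
    /* int * size_t promotes nfds to size_t: a negative value becomes huge */
    *ni_out = (size_t)nfds * sizeof(struct pollfd_like);
    return 1;
}

/* Post-patch shape: same check, unsigned count.  The same bit pattern is
 * now a large positive number and fails the limit test. */
int poll_check_unsigned(unsigned int nfds, size_t *ni_out)
{
    if (nfds > NFDS_LIMIT)
        return 0;
    *ni_out = (size_t)nfds * sizeof(struct pollfd_like);
    return 1;
}

int main(void)
{
    /* Constructed sample: a typical i386 user-stack address handed over
     * where the count belongs, as in poll(1, &fd, 0) from the report. */
    unsigned int bogus = 0xbfbff5a0u;
    size_t ni = 0;

    printf("signed   nfds=%d: %s, ni=%zu\n", (int)bogus,
           poll_check_signed((int)bogus, &ni) ? "ALLOCATES" : "rejected", ni);
    ni = 0;
    printf("unsigned nfds=%u: %s, ni=%zu\n", bogus,
           poll_check_unsigned(bogus, &ni) ? "ALLOCATES" : "rejected", ni);
    return 0;
}
```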