From owner-freebsd-bugs Mon Feb 26 15:20:14 2001
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 9D92937B65D for ; Mon, 26 Feb 2001 15:20:01 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f1QNK1b49218; Mon, 26 Feb 2001 15:20:01 -0800 (PST) (envelope-from gnats)
Received: from h132-197-97-45.gte.com (h132-197-97-45.gte.com [132.197.97.45]) by hub.freebsd.org (Postfix) with ESMTP id 23E4137B491 for ; Mon, 26 Feb 2001 15:13:46 -0800 (PST) (envelope-from ak03@gte.com)
Received: (from ak03@localhost) by h132-197-97-45.gte.com (8.11.2/8.11.2) id f1QNCP624854; Mon, 26 Feb 2001 18:12:25 -0500 (EST) (envelope-from ak03)
Message-Id: <200102262312.f1QNCP624854@h132-197-97-45.gte.com>
Date: Mon, 26 Feb 2001 18:12:25 -0500 (EST)
From: "Alexander N. Kabaev"
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.113
Subject: kern/25393: PATCH: Panic in poll(2)
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         25393
>Category:       kern
>Synopsis:       System panics when user calls poll with parameters in wrong order
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 26 15:20:01 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     Alexander N. Kabaev
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
Verizon Laboratories Inc.
>Environment:
System: FreeBSD kanpc.gte.com 5.0-CURRENT FreeBSD 5.0-CURRENT #1: Mon Feb 26 17:25:41 EST 2001 root@kanpc.gte.com:/usr/src/sys/compile/KANPC i386
>Description:
While trying to compile the new ksh93 updated recently by Steve Price, I've discovered that this port in its current form causes -CURRENT to panic. The problem is with one of the tests the ksh93 build system runs to determine target system capabilities. Namely, it tries to check if the poll function takes a pointer to the array of file descriptors as its second parameter, i.e. it does something like:

	poll(1, &fd, 0)

The kernel then tries to allocate memory for what it thinks is a very large array of fd's, and malloc panics the machine because of insufficient kernel address space. There are checks in the kernel which are supposed to prevent exactly this problem, but they are not catching the bogus 'nfds' value because the 'nfds' variable is defined as int and is treated as negative for huge values like a pointer value. The attached patch fixes the problem by defining the nfds variable as u_int.
>How-To-Repeat:
	main() { poll(1, &fd, 0); }
>Fix:
Index: sys_generic.c =================================================================== RCS file: /usr/ncvs/src/sys/kern/sys_generic.c,v retrieving revision 1.73 diff -u -r1.73 sys_generic.c --- sys_generic.c 2001/02/09 08:10:22 1.73 +++ sys_generic.c 2001/02/26 22:49:37 @@ -73,7 +73,7 @@ static MALLOC_DEFINE(M_SELECT, "select", "select() buffer"); MALLOC_DEFINE(M_IOV, "iov", "large iov's"); -static int pollscan __P((struct proc *, struct pollfd *, int)); +static int pollscan __P((struct proc *, struct pollfd *, u_int)); static int selscan __P((struct proc *, fd_mask **, fd_mask **, int)); static int dofileread __P((struct proc *, struct file *, int, void *, size_t, off_t, int)); @@ -858,7 +858,8 @@ caddr_t bits; char smallbits[32 * sizeof(struct pollfd)]; struct timeval atv, rtv, ttv; - int s, ncoll, error = 0, timo, nfds; + int s, ncoll, error = 0, timo; + u_int nfds; size_t ni; nfds = SCARG(uap, nfds); @@ -945,10 +946,10 @@ pollscan(p, fds, nfd) struct proc *p; struct pollfd *fds; - int nfd; + u_int nfd; { register struct filedesc *fdp = p->p_fd; - int i; + u_int i; struct file *fp; int n = 0;
>Release-Note:
>Audit-Trail:
>Unformatted:
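Review bot: in the @@ -858 hunk, the switch to `u_int nfds;` only stops the oversized allocation if the bound check against the open-descriptor limit runs before `ni` is derived from nfds and compares against an unsigned or wider type; the hunk shows `size_t ni;` and `nfds = SCARG(uap, nfds);` but neither the check nor the `ni` computation, so confirm that the limit's type does not pull nfds back into a signed comparison, and consider stating in the commit message that the panic comes from malloc being asked for nfds * sizeof(struct pollfd) bytes, as the Description explains.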
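Review bot: in the @@ -945 hunk, `i` and `nfd` become u_int while `n` stays `int`; the loop body is outside the hunk, so check that nothing in it tests `i` against a negative value or counts it down past zero (an `i >= 0` test would now be always true), and note that keeping `n` signed is consistent with the `static int pollscan` return type in the first hunk, since the count of ready descriptors cannot exceed `nfd`.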
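The signed-count bypass described in the PR, as an added example that is not code from the PR or from sys_generic.c: a simplified before/after of the nfds bound check, where NFDS_LIMIT, BOGUS_NFDS and struct sample_pollfd are constructed stand-ins for the kernel's open-descriptor limit, the stack address that poll(1, &fd, 0) passes as the count, and struct pollfd.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in for struct pollfd (8 bytes on i386); constructed sample type. */
struct sample_pollfd { int fd; short events; short revents; };

/* Constructed stand-in for the kernel's open-descriptor limit. */
#define NFDS_LIMIT 1024u

/*
 * Constructed stand-in for the address that poll(1, &fd, 0) passes as the
 * count: a typical i386 user stack address. Its top bit is set, so stored
 * in a signed int it reads as a negative number.
 */
#define BOGUS_NFDS 0xbfbff8a0u

/*
 * Pre-patch shape: nfds is a signed int, so the bogus value is negative,
 * "nfds > limit" is false and the request passes. Returns the byte count
 * that would then be requested from malloc, or 0 if the check rejects it.
 */
size_t poll_alloc_size_signed(int nfds)
{
    if (nfds > (int)NFDS_LIMIT)
        return 0;                       /* rejected */
    /* A negative int converted to size_t becomes a huge element count. */
    return (size_t)nfds * sizeof(struct sample_pollfd);
}

/* Post-patch shape: with nfds unsigned the same value exceeds the limit. */
size_t poll_alloc_size_unsigned(unsigned int nfds)
{
    if (nfds > NFDS_LIMIT)
        return 0;                       /* rejected */
    return (size_t)nfds * sizeof(struct sample_pollfd);
}

int main(void)
{
    /* Two's-complement wraparound, as when the syscall argument is read
     * into an int: 0xbfbff8a0 becomes -1077938016. */
    int as_int = (int)BOGUS_NFDS;
    printf("nfds as int: %d\n", as_int);
    printf("signed check:   %zu bytes\n", poll_alloc_size_signed(as_int));
    printf("unsigned check: %zu bytes\n", poll_alloc_size_unsigned(BOGUS_NFDS));
    return 0;
}
```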