Date: Sun, 31 Jan 2016 10:04:35 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 206761] Kernel stack overflow in sysctl handler for kern.binmisc.add
Message-ID: <bug-206761-8-KGlKQ424Az@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-206761-8@https.bugs.freebsd.org/bugzilla/>
References: <bug-206761-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206761

--- Comment #6 from CTurt <cturt@hardenedbsd.org> ---
I didn't even notice this before, but you're right.

imgact_binmisc_add_entry:

    sx_xlock(&interp_list_sx);
    if (imgact_binmisc_find_entry(xbe->xbe_name) != NULL) {
        sx_xunlock(&interp_list_sx);
        return (EEXIST);
    }

    /* Preallocate a new entry. */
    ibe = imgact_binmisc_new_entry(xbe);
    if (!ibe)
        return (ENOMEM);

    SLIST_INSERT_HEAD(&interpreter_list, ibe, link);
    interp_list_entry_count++;
    sx_xunlock(&interp_list_sx);

If the code ever reaches `return (ENOMEM);`, it is missing an
`sx_xunlock(&interp_list_sx);` call.

Unfortunately, this bug isn't triggerable, because `imgact_binmisc_add_entry`
uses `M_WAITOK` for its allocations, and so can never return `NULL`:

    static imgact_binmisc_entry_t *
    imgact_binmisc_new_entry(ximgact_binmisc_entry_t *xbe)
    {
        ibe = malloc(sizeof(*ibe), M_BINMISC, M_WAITOK|M_ZERO);
        ...
        return (ibe);
    }

My recommendation is to just remove the following check altogether:

    if (!ibe)
        return (ENOMEM);

-- 
You are receiving this mail because:
You are the assignee for the bug.
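The lock-leak pattern discussed in the comment above, as an added userland model that is not FreeBSD code. The sx lock becomes a held flag, the interpreter list becomes a small singly linked list, and the `M_WAITOK` allocation is replaced by `new_entry()`, whose failure can be forced through a test hook so the otherwise unreachable `NULL` path can actually be exercised. `add_entry_buggy()` keeps the shape of the quoted code and leaves the lock held on `ENOMEM`; `add_entry_fixed()` shows the minimal fix for the case where the allocator really could fail. All names (`struct entry`, `list_xlock`, `force_alloc_failure`, and so on) are assumptions of this example.

```c
/* Added example: userland model of the locking in imgact_binmisc_add_entry().
 * Not FreeBSD code.  list_xlock()/list_xunlock() stand in for
 * sx_xlock()/sx_xunlock(), and new_entry() stands in for the M_WAITOK
 * allocation, with a hook that forces the NULL return the real code never sees. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>

struct entry {
    char name[32];
    struct entry *next;
};

static struct entry *list_head;     /* stands in for interpreter_list */
static int list_lock_held;          /* stands in for interp_list_sx */
static int force_alloc_failure;     /* test hook: 1 makes new_entry() return NULL */

static void list_xlock(void)   { list_lock_held = 1; }
static void list_xunlock(void) { list_lock_held = 0; }

static struct entry *find_entry(const char *name)
{
    for (struct entry *e = list_head; e != NULL; e = e->next)
        if (strcmp(e->name, name) == 0)
            return e;
    return NULL;
}

static struct entry *new_entry(const char *name)
{
    if (force_alloc_failure)        /* malloc(9) with M_WAITOK never does this */
        return NULL;
    struct entry *e = calloc(1, sizeof(*e));
    if (e != NULL)
        strncpy(e->name, name, sizeof(e->name) - 1);
    return e;
}

/* Same shape as the quoted kernel code: ENOMEM is returned with the lock held. */
static int add_entry_buggy(const char *name)
{
    list_xlock();
    if (find_entry(name) != NULL) {
        list_xunlock();
        return EEXIST;
    }
    struct entry *e = new_entry(name);
    if (e == NULL)
        return ENOMEM;              /* lock leaked on this path */
    e->next = list_head;
    list_head = e;
    list_xunlock();
    return 0;
}

/* Minimal fix if the allocator could fail: every exit path drops the lock. */
static int add_entry_fixed(const char *name)
{
    list_xlock();
    if (find_entry(name) != NULL) {
        list_xunlock();
        return EEXIST;
    }
    struct entry *e = new_entry(name);
    if (e == NULL) {
        list_xunlock();
        return ENOMEM;
    }
    e->next = list_head;
    list_head = e;
    list_xunlock();
    return 0;
}

static void reset_model(void)
{
    for (struct entry *e = list_head, *n; e != NULL; e = n) {
        n = e->next;
        free(e);
    }
    list_head = NULL;
    list_lock_held = 0;
    force_alloc_failure = 0;
}

/* Drives one add through a forced allocation failure.  Returns 1 if the lock
 * was still held afterwards (leaked), 0 if released, -1 if ENOMEM never came. */
static int leaks_lock_on_alloc_failure(int (*add)(const char *))
{
    reset_model();
    force_alloc_failure = 1;
    int rc = add("example-interp");
    int leaked = list_lock_held;
    reset_model();
    return rc == ENOMEM ? leaked : -1;
}

/* Normal path: a second insert of the same name gets EEXIST, lock released.
 * Returns 1 on the expected outcome, 0 otherwise. */
static int rejects_duplicate(int (*add)(const char *))
{
    reset_model();
    int first = add("example-interp");
    int second = add("example-interp");
    int ok = first == 0 && second == EEXIST && !list_lock_held;
    reset_model();
    return ok;
}
```

With the real `M_WAITOK` allocator the `NULL` branch is dead code, which is why the comment's recommendation of deleting the check is just as correct as the `add_entry_fixed()` form; the latter is what you would want only if the allocation were ever changed to `M_NOWAIT`. Either way the review rule is the same: every early `return` between a lock acquire and its release must drop the lock, and a dead error path is still worth removing so it cannot become a real leak later.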