From: Doug Barton
Date: Fri, 15 Sep 2000 08:11:23 -0700
To: freebsd-current@freebsd.org
Cc: Mitja Horvat
Subject: [Fwd: Re: panic: kmem_malloc(-1077936128): kmem_map too small]

Excellent detective work, thanks. :)

Doug

-------- Original Message --------
Subject: Re: panic: kmem_malloc(-1077936128): kmem_map too small
Date: Fri, 15 Sep 2000 12:29:01 +0200
From: Mitja Horvat
To: Doug Barton
References: <20000914145450.A337@lamu.hermes.si>

Hi Doug,

since I'm not subscribed to freebsd-current, I would prefer that you forward this email. I will try to describe the panic in more detail below:

The filesystem-specific mount structure is copied from userspace in ffs_mount() in vfs_subr.c at line 178:

    /* copy in user arguments*/
    err = copyin(data, (caddr_t)&args, sizeof (struct ufs_args));
    if (err)
        goto error_1;   /* can't get arguments*/

This structure is never checked for garbled data, and its args.export field is passed as is to vfs_export() and later to vfs_hang_addrlist().

We have the following two lines in vfs_hang_addrlist() at line 2252 in vfs_subr.c:

    i = sizeof(struct netcred) + argp->ex_addrlen + argp->ex_masklen;
    np = (struct netcred *) malloc(i, M_NETADDR, M_WAITOK);

(argp in this case is the pointer to args.export)

argp->ex_addrlen is copied directly from userspace. If the structures in the kernel and the userspace utility mismatch, ex_addrlen will have a different value than it was supposed to (-1077936128 on my machine, which panicked the kernel on every boot) and problems like memory leaks or panics may occur. Some sanity checking would be appropriate for the export_args structure.

Regards,
Mitja
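The sanity check Mitja asks for, as an added example that is not FreeBSD's code: the unchecked size computation quoted above next to a version that rejects negative or oversized length fields before anything reaches malloc(). The struct layouts and the MAX_ADDRLEN bound are assumptions for illustration.

```c
/* Added example, not the FreeBSD source. Shows why an unchecked
 * export_args length turns into a huge allocation request, and how a
 * validating version refuses it. Struct layouts are simplified stand-ins. */
#include <stddef.h>
#include <stdio.h>
#include <errno.h>
#include <limits.h>

struct netcred { int netc_exflags; int netc_pad; };  /* hypothetical */
struct export_args { int ex_addrlen; int ex_masklen; }; /* hypothetical */

/* Assumed upper bound for a socket address copied in from userspace. */
#define MAX_ADDRLEN 128

/* Mirrors the quoted vfs_hang_addrlist() arithmetic: the lengths are
 * signed ints taken straight from userspace, so a negative ex_addrlen
 * yields a negative int that malloc() then sees as an enormous size. */
static size_t unchecked_size(const struct export_args *argp)
{
    int i = sizeof(struct netcred) + argp->ex_addrlen + argp->ex_masklen;
    return (size_t)i;
}

/* Validating version: returns 0 and stores the size in *out, or EINVAL
 * when either length is negative or larger than the assumed bound, so the
 * sum can neither go negative nor overflow. */
static int checked_size(const struct export_args *argp, size_t *out)
{
    if (argp->ex_addrlen < 0 || argp->ex_addrlen > MAX_ADDRLEN)
        return EINVAL;
    if (argp->ex_masklen < 0 || argp->ex_masklen > MAX_ADDRLEN)
        return EINVAL;
    *out = sizeof(struct netcred) + (size_t)argp->ex_addrlen
         + (size_t)argp->ex_masklen;
    return 0;
}

int main(void)
{
    /* Constructed inputs: the value from the panic message, and a sane one. */
    struct export_args bad = { -1077936128, 0 };
    struct export_args good = { 16, 16 };
    size_t n = 0;

    printf("unchecked size for bad args: %zu\n", unchecked_size(&bad));
    printf("checked_size(bad) -> %d (EINVAL=%d)\n", checked_size(&bad, &n), EINVAL);
    if (checked_size(&good, &n) == 0)
        printf("checked_size(good) -> %zu bytes\n", n);
    return 0;
}
```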