Date: Wed, 24 Jul 2013 16:52:30 +0200
From: Ulrich Spörlein <uqs@FreeBSD.org>
To: "Andrey V. Elsukov" <ae@FreeBSD.org>
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org
Subject: Re: svn commit: r253351 - in head: sys/arm/arm sys/i386/i386 sys/kern sys/mips/mips sys/powerpc/aim sys/powerpc/booke sys/sparc64/sparc64 sys/sys usr.bin/netstat
Message-ID: <20130724145230.GE9092@acme.spoerlein.net>
In-Reply-To: <201307150616.r6F6GvOV066908@svn.freebsd.org>
References: <201307150616.r6F6GvOV066908@svn.freebsd.org>
On Mon, 2013-07-15 at 06:16:57 +0000, Andrey V. Elsukov wrote: > Author: ae > Date: Mon Jul 15 06:16:57 2013 > New Revision: 253351 > URL: http://svnweb.freebsd.org/changeset/base/253351 > > Log: > Introduce new structure sfstat for collecting sendfile's statistics > and remove corresponding fields from struct mbstat. Use PCPU counters > and SFSTAT_INC() macro for update these statistics. > > Discussed with: glebius > > Modified: > head/sys/arm/arm/vm_machdep.c > head/sys/i386/i386/vm_machdep.c > head/sys/kern/kern_mbuf.c > head/sys/kern/uipc_syscalls.c > head/sys/mips/mips/vm_machdep.c > head/sys/powerpc/aim/vm_machdep.c > head/sys/powerpc/booke/vm_machdep.c > head/sys/sparc64/sparc64/vm_machdep.c > head/sys/sys/mbuf.h > head/sys/sys/sf_buf.h > head/usr.bin/netstat/main.c > head/usr.bin/netstat/mbuf.c > > Modified: head/usr.bin/netstat/mbuf.c > ============================================================================== > --- head/usr.bin/netstat/mbuf.c Mon Jul 15 05:09:13 2013 (r253350) > +++ head/usr.bin/netstat/mbuf.c Mon Jul 15 06:16:57 2013 (r253351) 
> @@ -308,20 +309,21 @@ mbpr(void *kvmd, u_long mbaddr) > &mlen, NULL, 0)) > printf("%d/%d/%d sfbufs in use (current/peak/max)\n", > nsfbufsused, nsfbufspeak, nsfbufs); > - mlen = sizeof(mbstat); > - if (sysctlbyname("kern.ipc.mbstat", &mbstat, &mlen, NULL, 0)) { > - warn("kern.ipc.mbstat"); > + mlen = sizeof(sfstat); > + if (sysctlbyname("kern.ipc.sfstat", &sfstat, &mlen, NULL, 0)) { > + warn("kern.ipc.sfstat"); > goto out; > } > } else { Hmm, Coverity flags the sysctlbyname() as an OVERRUN, claiming: overrun-buffer-val: Overrunning struct type sfstat of 24 bytes by passing it to a function which accesses it at byte offset 37. So sysctlbyname.c basically calls sysctl(3) and Coverity thinks that name[1] is USER_CS_PATH in this case, entering the case statement on line 69, which then clobbers oldlenp with sizeof(_PATH_STDPATH) at line 74 in lib/libc/gen/sysctl.c, which is 37 bytes (sizeof("/rescue:/usr/bin:/bin:/usr/sbin:/sbin")). Then it calls memmove(oldp, _PATH_STDPATH, sizeof(_PATH_STDPATH)); where the oldp only has space for the aforementioned 24 bytes of struct sfstat. Any thoughts on this? It's CID 1054778 at scan.coverity.com, if you wanna have a look yourself. Cheers, Uli
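Review bot: in the mbuf.c hunk, the call `sysctlbyname("kern.ipc.sfstat", &sfstat, &mlen, NULL, 0)` is checked only for a non-zero return, and `mlen` is not compared with `sizeof(sfstat)` afterwards, so a kernel that hands back a shorter structure would go unnoticed here. Consider testing `mlen != sizeof(sfstat)` after a successful call and warning on a mismatch. The length passed in is `sizeof(sfstat)` for a `&sfstat` destination, so buffer and size agree at this call site.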
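A reduced model of the copy-out path described in the reply above, added here as an example; it is not FreeBSD's libc code and not from the thread. `model_user_cs_path()`, `model_fetch_into_sfstat()` and `struct sfstat_model` are hypothetical names, and the length guard before the copy is this example's assumption about what makes such a path safe when the caller's buffer is only the 24-byte struct.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* String quoted in the message; its terminating NUL is at byte offset 37. */
#define MODEL_STDPATH "/rescue:/usr/bin:/bin:/usr/sbin:/sbin"

/* Hypothetical stand-in for the 24-byte struct sfstat in the report. */
struct sfstat_model { uint64_t counters[3]; };

/*
 * Hypothetical model of a fixed-string copy-out using the sysctl(3)
 * oldp/oldlenp convention. The guard is this example's assumption.
 */
int
model_user_cs_path(void *oldp, size_t *oldlenp)
{
	size_t avail = *oldlenp;	/* caller's buffer size on entry */

	*oldlenp = sizeof(MODEL_STDPATH);	/* always report the needed size */
	if (oldp == NULL)
		return (0);		/* size probe only, nothing copied */
	if (avail < sizeof(MODEL_STDPATH)) {
		errno = ENOMEM;		/* refuse instead of overrunning oldp */
		return (-1);
	}
	memmove(oldp, MODEL_STDPATH, sizeof(MODEL_STDPATH));
	return (0);
}

/* Caller shaped like the netstat hunk: the buffer is exactly one struct. */
int
model_fetch_into_sfstat(struct sfstat_model *st, size_t *needed)
{
	size_t mlen = sizeof(*st);	/* 24 bytes, as in the Coverity report */
	int rc = model_user_cs_path(st, &mlen);

	*needed = mlen;			/* size the copy-out path asked for */
	return (rc);
}
```

Without the `avail` comparison, the `memmove()` would write past the end of the struct, which is the access Coverity reports.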