Date: Mon, 6 Jun 2005 12:41:32 +0300
From: Andrey Simonenko <simon@comsys.ntu-kpi.kiev.ua>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/81943: [patch] _assert_sbuf_integrity causes panic for zero length buffer
Message-ID: <20050606094132.GA374@pm514-9.comsys.ntu-kpi.kiev.ua>
Resent-Message-ID: <200506060950.j569o14n056161@freefall.freebsd.org>
>Number:         81943
>Category:       kern
>Synopsis:       _assert_sbuf_integrity causes panic for zero length buffer
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jun 06 09:50:01 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Andrey Simonenko <simon@comsys.ntu-kpi.kiev.ua>
>Release:        FreeBSD 5.4-RELEASE-p1 i386
>Organization:
>Environment:
FreeBSD >= 4.4
>Description:
If INVARIANTS is enabled, then _assert_sbuf_integrity panics if s_len == 0 and s_size == 0. Really this is not a problem, since nothing was written in the zero-length buffer.

On FreeBSD 5.4, if INVARIANTS is enabled and procfs is mounted, then anybody can read zero bytes from /proc/<pid>/map and the system will panic.

Solution:

* apply the patch given below, to allow s_len == 0 and s_size == 0 in sbuf
* don't allocate a zero-length sbuf at all; but currently malloc(9) accepts zero-length allocations (there is a relevant #if 0 in the source of malloc(9)), and this will require a revision of all /sys files.
>How-To-Repeat:
Enable INVARIANTS, mount procfs, read zero bytes from /proc/<pid>/map and see the panic.
>Fix:
--- subr_sbuf.c.orig	Fri Jul  9 11:37:44 2004
+++ subr_sbuf.c	Sat Jun  4 21:42:33 2005
@@ -91,7 +91,7 @@
 	    ("%s called with a NULL sbuf pointer", fun));
 	KASSERT(s->s_buf != NULL,
 	    ("%s called with uninitialized or corrupt sbuf", fun));
-	KASSERT(s->s_len < s->s_size,
+	KASSERT(s->s_len < s->s_size || s->s_len == 0,
 	    ("wrote past end of sbuf (%d >= %d)", s->s_len, s->s_size));
 }
>Release-Note:
>Audit-Trail:
>Unformatted:
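Review bot: the new condition on the '+' line, `s->s_len < s->s_size || s->s_len == 0`, is the minimal relaxation, because s_len == 0 already satisfied the old check whenever s_size > 0; the only newly accepted state is s_len == 0 together with s_size == 0, i.e. the empty zero-length sbuf from the description. That intent is not visible from the expression itself, so add a one-line comment on that line (for example `/* an sbuf of size 0 that was never written to is valid */`) so a later reader does not read `s_len == 0` as a blanket exemption from the bounds check. The message on the following context line, "wrote past end of sbuf (%d >= %d)", remains accurate for every state the new condition still rejects. The description's second option, refusing zero-length sbuf allocations, would make this relaxation unnecessary; if that is pursued later, this line should be restored to the stricter form.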
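To make the failure mode in the description concrete, here is an added userland model of the sbuf integrity check (example code, not the PR's or the kernel's own): it shows that a zero-length sbuf that was never written to fails the original KASSERT condition, and that the relaxed condition from the patch still rejects a genuine overrun. Field names follow sbuf(9); the `model_bcat_unchecked` helper and the two scenario functions are hypothetical stand-ins, not kernel APIs.

```c
/* Added example, not the PR's own code: a userland model of the sbuf
 * integrity check from the report. Field names follow sbuf(9); the
 * helpers are hypothetical stand-ins for sbuf_new()/sbuf_bcat(). */
#include <stdbool.h>
#include <string.h>

struct sbuf {
	char *s_buf;  /* storage */
	int   s_size; /* bytes allocated */
	int   s_len;  /* bytes written so far */
};

/* Condition asserted before the patch (the hunk's '-' line). */
bool integrity_old(const struct sbuf *s)
{
	return s->s_buf != NULL && s->s_len < s->s_size;
}

/* Condition asserted after the patch (the hunk's '+' line). */
bool integrity_new(const struct sbuf *s)
{
	return s->s_buf != NULL && (s->s_len < s->s_size || s->s_len == 0);
}

/* Append n bytes with no bounds check, to model a caller that overran. */
static void model_bcat_unchecked(struct sbuf *s, const char *data, int n)
{
	memcpy(s->s_buf + s->s_len, data, (size_t)n);
	s->s_len += n;
}

/* The report's scenario: a zero-byte read of /proc/<pid>/map builds a
 * zero-length sbuf that nothing is ever written to; as with malloc(9) in
 * the report, the 0-byte allocation still yields a valid pointer. */
bool zero_length_sbuf_panics(bool patched)   /* true if the check would fire */
{
	char storage[1];                    /* constructed stand-in for the 0-byte allocation */
	struct sbuf s = { storage, 0, 0 };  /* s_size == 0, s_len == 0 */
	return !(patched ? integrity_new(&s) : integrity_old(&s));
}

/* A genuine overrun (s_len reaching s_size) must still be caught. */
bool overrun_detected(bool patched)
{
	char storage[8];
	struct sbuf s = { storage, 8, 0 };
	model_bcat_unchecked(&s, "12345678", 8);  /* s_len == s_size == 8 */
	return !(patched ? integrity_new(&s) : integrity_old(&s));
}
```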