From owner-freebsd-bugs@FreeBSD.ORG Wed Jul 13 02:10:02 2005 Return-Path: X-Original-To: freebsd-bugs@hub.freebsd.org Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DAF3316A41C for ; Wed, 13 Jul 2005 02:10:01 +0000 (GMT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5269D43D49 for ; Wed, 13 Jul 2005 02:10:01 +0000 (GMT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id j6D2A1Wg024145 for ; Wed, 13 Jul 2005 02:10:01 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.13.3/8.13.1/Submit) id j6D2A1XN024144; Wed, 13 Jul 2005 02:10:01 GMT (envelope-from gnats) Resent-Date: Wed, 13 Jul 2005 02:10:01 GMT Resent-Message-Id: <200507130210.j6D2A1XN024144@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Dan Lukes Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 418E316A41C for ; Wed, 13 Jul 2005 02:04:40 +0000 (GMT) (envelope-from dan@kulesh.obluda.cz) Received: from kulesh.obluda.cz (kulesh.obluda.cz [193.179.22.243]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6A70843D45 for ; Wed, 13 Jul 2005 02:04:37 +0000 (GMT) (envelope-from dan@kulesh.obluda.cz) Received: from kulesh.obluda.cz (localhost.eunet.cz [127.0.0.1]) by kulesh.obluda.cz (8.13.3/8.13.3) with ESMTP id j6D24aht020665 for ; Wed, 13 Jul 2005 04:04:36 +0200 (CEST) (envelope-from dan@kulesh.obluda.cz) Received: (from root@localhost) by kulesh.obluda.cz (8.13.3/8.13.1/Submit) id j6D24aPf020664; Wed, 13 Jul 2005 04:04:36 +0200 (CEST) (envelope-from dan) Message-Id: 
<200507130204.j6D24aPf020664@kulesh.obluda.cz>
Date: Wed, 13 Jul 2005 04:04:36 +0200 (CEST)
From: Dan Lukes
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Cc:
Subject: bin/83364: [ PATCH ] improper handling of malloc failures, bad printf format
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Dan Lukes
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 13 Jul 2005 02:10:02 -0000
>Number: 83364
>Category: bin
>Synopsis: [ PATCH ] improper handling of malloc failures, bad printf format
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Jul 13 02:10:00 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Dan Lukes
>Release: FreeBSD 5.4-STABLE i386
>Organization: Obludarium
>Environment: System: FreeBSD 5.4-STABLE #8: Sat Jul 9 16:31:08 CEST 2005 i386 lib/libkvm/kvm.c,v 1.26 2004/06/08 13:08:19 stefanf lib/libkvm/kvm_amd64.c,v 1.17 2004/05/19 18:24:13 peter lib/libkvm/kvm_i386.c,v 1.15 2001/10/10 17:48:43 bde lib/libkvm/kvm_proc.c,v 1.79.2.6 2005/03/01 09:30:14 obrien lib/libkvm/Makefile,v 1.14 2003/08/18 15:25:38 obrien
>Description: Two insufficient checking of return from _kvm_malloc() causing possible dereference of NULL, several improper formating string within error messages
>How-To-Repeat:
>Fix:
--- patch begins here ---
--- lib/libkvm/kvm_i386.c.ORIG Wed Oct 10 19:48:43 2001
+++ lib/libkvm/kvm_i386.c Wed Jul 13 03:45:46 2005
@@ -123,6 +123,12 @@
 return (-1);
 }
 PTD = _kvm_malloc(kd, PAGE_SIZE);
+ if (PTD == NULL) {
+ _kvm_err(kd, kd->program, "cannot allocate PTD");
+ free(vm);
+ kd->vmst = NULL;
+ return(-1);
+ }
 if (kvm_read(kd, pa, PTD, PAGE_SIZE) != PAGE_SIZE) {
 _kvm_err(kd, kd->program, "cannot read PTD");
 return (-1);
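Review bot: The new `PTD == NULL` branch frees `vm` and clears `kd->vmst`, but the `kvm_read` failure immediately below it still returns -1 without releasing the page just allocated into `PTD`, so the two adjacent failure paths clean up differently; this leaks a page on a short or failed read, assuming `PTD` is a plain local that is only stored into `vm` after the read succeeds (that assignment and whatever the close path does with `kd->vmst` are outside the hunk). At minimum add `free(PTD);` before the `return (-1);` in the "cannot read PTD" branch, or route both failures through one cleanup label so they cannot drift apart again. The added `return(-1);` also drops the space the surrounding code uses (`return (-1);`), and the amd64 counterpart in this same patch tests `== 0` and frees before calling `_kvm_err` while this one reports first and frees after — pick one form for both so the two copies stay in sync. The enclosing function starts before this hunk and continues after it.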
@@ -141,7 +147,6 @@
 pt_entry_t pte;
 u_long pdeindex;
 u_long pteindex;
- int i;
 if (ISALIVE(kd)) {
 _kvm_err(kd, 0, "vatop called in live kernel!");
@@ -197,7 +202,7 @@
 return (PAGE_SIZE - offset);
 invalid:
- _kvm_err(kd, 0, "invalid address (%x)", va);
+ _kvm_err(kd, 0, "invalid address (%lx)", va);
 return (0);
 }
--- lib/libkvm/kvm_amd64.c.ORIG Fri May 28 19:19:33 2004
+++ lib/libkvm/kvm_amd64.c Wed Jul 13 03:53:22 2005
@@ -124,6 +124,12 @@
 return (-1);
 }
 PML4 = _kvm_malloc(kd, PAGE_SIZE);
+ if (PML4 == 0) {
+ free(vm);
+ kd->vmst = NULL;
+ _kvm_err(kd, kd->program, "cannot allocate PML4");
+ return (-1);
+ }
 if (kvm_read(kd, pa, PML4, PAGE_SIZE) != PAGE_SIZE) {
 _kvm_err(kd, kd->program, "cannot read KPML4phys");
 return (-1);
--- lib/libkvm/kvm_proc.c.ORIG Tue Mar 1 20:25:03 2005
+++ lib/libkvm/kvm_proc.c Wed Jul 13 03:50:38 2005
@@ -117,14 +117,14 @@
 for (; cnt < maxcnt && p != NULL; p = LIST_NEXT(&proc, p_list)) {
 memset(kp, 0, sizeof *kp);
 if (KREAD(kd, (u_long)p, &proc)) {
- _kvm_err(kd, kd->program, "can't read proc at %x", p);
+ _kvm_err(kd, kd->program, "can't read proc at %p", p);
 return (-1);
 }
 if (proc.p_state != PRS_ZOMBIE) {
 if (KREAD(kd, (u_long)TAILQ_FIRST(&proc.p_threads), &mtd)) {
 _kvm_err(kd, kd->program,
- "can't read thread at %x",
+ "can't read thread at %p",
 TAILQ_FIRST(&proc.p_threads));
 return (-1);
 }
@@ -133,7 +133,7 @@
 (u_long)TAILQ_FIRST(&proc.p_ksegrps), &mkg)) {
 _kvm_err(kd, kd->program,
- "can't read ksegrp at %x",
+ "can't read ksegrp at %p",
 TAILQ_FIRST(&proc.p_ksegrps));
 return (-1);
 }
@@ -141,7 +141,7 @@
 if (KREAD(kd, (u_long)TAILQ_FIRST(&mkg.kg_kseq), &mke)) {
 _kvm_err(kd, kd->program,
- "can't read kse at %x",
+ "can't read kse at %p",
 TAILQ_FIRST(&mkg.kg_kseq));
 return (-1);
 }
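Review bot: The "cannot read KPML4phys" branch directly under the new `PML4 == 0` check still returns -1 without freeing `PML4`, so the read-failure path leaks the page this hunk has just taught the allocation-failure path to clean up after — assuming `PML4` is a local that is only stored into `vm` after the read, which happens outside the hunk. Add `free(PML4);` before that `return (-1);`, or give the function one cleanup label that both failures jump to. The new branch is also written differently from the i386 hunk in the same patch (`== 0` versus `== NULL`, and `free(vm)` before `_kvm_err` rather than after); the order is harmless if `_kvm_err` only formats a message into `kd`, which cannot be confirmed from here, but the two copies should read identically. The enclosing function starts before this hunk and continues after it.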
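Review bot: `%p` is defined only for a `void *` argument, and the values passed here (`p`, `TAILQ_FIRST(&proc.p_threads)`) are typed struct pointers handed to what looks like a printf-style variadic `_kvm_err` (its definition is outside the hunk); on FreeBSD's targets every pointer shares one representation so the output is correct and this is a clear improvement over `%x`, but the strictly conforming form, and the one that stays quiet if pedantic format checking is ever enabled on top of the `WARNS` level this patch adds, is `(void *)p` and `(void *)TAILQ_FIRST(&proc.p_threads)`. The same cast applies to every other `%p` conversion this patch introduces in kvm_proc.c. The enclosing loop starts before this hunk and continues after it.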
@@ -209,7 +209,7 @@
 if (proc.p_sigacts != NULL) {
 if (KREAD(kd, (u_long)proc.p_sigacts, &sigacts)) {
 _kvm_err(kd, kd->program,
- "can't read sigacts at %x", proc.p_sigacts);
+ "can't read sigacts at %p", proc.p_sigacts);
 return (-1);
 }
 kp->ki_sigignore = sigacts.ps_sigignore;
@@ -218,7 +218,7 @@
 if ((proc.p_sflag & PS_INMEM) && proc.p_stats != NULL) {
 if (KREAD(kd, (u_long)proc.p_stats, &pstats)) {
 _kvm_err(kd, kd->program,
- "can't read stats at %x", proc.p_stats);
+ "can't read stats at %p", proc.p_stats);
 return (-1);
 }
 kp->ki_start = pstats.p_start;
@@ -240,7 +240,7 @@
 else if (proc.p_pptr) {
 if (KREAD(kd, (u_long)proc.p_pptr, &pproc)) {
 _kvm_err(kd, kd->program,
- "can't read pproc at %x", proc.p_pptr);
+ "can't read pproc at %p", proc.p_pptr);
 return (-1);
 }
 kp->ki_ppid = pproc.p_pid;
@@ -249,14 +249,14 @@
 if (proc.p_pgrp == NULL)
 goto nopgrp;
 if (KREAD(kd, (u_long)proc.p_pgrp, &pgrp)) {
- _kvm_err(kd, kd->program, "can't read pgrp at %x",
+ _kvm_err(kd, kd->program, "can't read pgrp at %p",
 proc.p_pgrp);
 return (-1);
 }
 kp->ki_pgid = pgrp.pg_id;
 kp->ki_jobc = pgrp.pg_jobc;
 if (KREAD(kd, (u_long)pgrp.pg_session, &sess)) {
- _kvm_err(kd, kd->program, "can't read session at %x",
+ _kvm_err(kd, kd->program, "can't read session at %p",
 pgrp.pg_session);
 return (-1);
 }
@@ -269,14 +269,14 @@
 if ((proc.p_flag & P_CONTROLT) && sess.s_ttyp != NULL) {
 if (KREAD(kd, (u_long)sess.s_ttyp, &tty)) {
 _kvm_err(kd, kd->program,
- "can't read tty at %x", sess.s_ttyp);
+ "can't read tty at %p", sess.s_ttyp);
 return (-1);
 }
 kp->ki_tdev = (uintptr_t)tty.t_dev; /* XXX: wrong */
 if (tty.t_pgrp != NULL) {
 if (KREAD(kd, (u_long)tty.t_pgrp, &pgrp)) {
 _kvm_err(kd, kd->program,
- "can't read tpgrp at %x",
+ "can't read tpgrp at %p",
 tty.t_pgrp);
 return (-1);
 }
@@ -286,7 +286,7 @@
 if (tty.t_session != NULL) {
 if (KREAD(kd, (u_long)tty.t_session, &sess)) {
 _kvm_err(kd, kd->program,
- "can't read session at %x",
+ "can't read session at %p",
 tty.t_session);
 return (-1);
 }
@@ -970,7 +970,7 @@
 while (len > 0) {
 errno = 0;
 if (lseek(fd, (off_t)uva, 0) == -1 && errno != 0) {
- _kvm_err(kd, kd->program, "invalid address (%x) in %s",
+ _kvm_err(kd, kd->program, "invalid address (%lx) in %s",
 uva, procfile);
 break;
 }
--- lib/libkvm/kvm.c.ORIG Wed Jun 16 12:48:38 2004
+++ lib/libkvm/kvm.c Wed Jul 13 03:46:56 2005
@@ -356,7 +356,7 @@
 */
 errno = 0;
 if (lseek(kd->vmfd, (off_t)kva, 0) == -1 && errno != 0) {
- _kvm_err(kd, 0, "invalid address (%x)", kva);
+ _kvm_err(kd, 0, "invalid address (%lx)", kva);
 return (-1);
 }
 cc = read(kd->vmfd, buf, len);
@@ -418,7 +418,7 @@
 */
 errno = 0;
 if (lseek(kd->vmfd, (off_t)kva, 0) == -1 && errno != 0) {
- _kvm_err(kd, 0, "invalid address (%x)", kva);
+ _kvm_err(kd, 0, "invalid address (%lx)", kva);
 return (-1);
 }
 cc = write(kd->vmfd, buf, len);
--- lib/libkvm/Makefile.ORIG Sun Aug 24 20:47:25 2003
+++ lib/libkvm/Makefile Wed Jul 13 03:56:42 2005
@@ -15,4 +15,6 @@
 MLINKS+=kvm_open.3 kvm_close.3 kvm_open.3 kvm_openfiles.3
 MLINKS+=kvm_read.3 kvm_write.3
+WARNS+=2
+
 .include
--- patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
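Review bot: `WARNS+=2` appends to `WARNS` instead of setting it; the variable is consumed by the shared `bsd.sys.mk` logic as a single warning level, so the conventional form in a FreeBSD library Makefile is `WARNS?=	2`, which also lets a builder override the level from the command line, whereas `+=` yields a two-word value if `WARNS` is already defined by the environment or an including makefile (I cannot see `bsd.sys.mk` here, so confirm against the share/mk in your tree). Since a non-zero `WARNS` typically turns warnings into `-Werror` build failures, the PR text should also state that libkvm builds cleanly at this level on both i386 and amd64 with the other hunks applied. The context line `.include` appears to have lost its `<bsd.lib.mk>` argument in this rendering; verify the actual patch file carries it intact.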