From owner-freebsd-hackers Thu Oct 4 16:28:15 2001 Delivered-To: freebsd-hackers@freebsd.org Received: from mozone.net (mail.mozone.net [206.165.200.53]) by hub.freebsd.org (Postfix) with ESMTP id 27B1137B405 for ; Thu, 4 Oct 2001 16:28:12 -0700 (PDT) Received: (from mki@localhost) by mozone.net (8.11.2/8.11.2) id f94NS5C06684 for freebsd-hackers@FreeBSD.org; Thu, 4 Oct 2001 16:28:05 -0700 Date: Thu, 4 Oct 2001 16:28:05 -0700 From: mki To: freebsd-hackers@FreeBSD.org Subject: 4.4-stable, savecore and integer overflow in get_dumpsize() Message-ID: <20011004162805.C1671@cyclonus.mozone.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG It appears that get_dumpsize is b0rked in that the following returns a negative number for systems with large memory/swap configs: void get_dumpsize() { int kdumpsize; /* Read the dump size. */ DumpRead(dumpfd, &kdumpsize, sizeof(kdumpsize), (off_t)(dumplo + ok(dump_nl[X_DUMPSIZE].n_value)), L_SET); dumpsize = kdumpsize * getpagesize(); } the dumpsize = kdumpsize * getpagesize() produces a negative number when kdumpsize = 1032192; resulting in savecore exiting without actually performing the dump in save_core(). Here's the patch to address it: --- savecore.c.old Thu Oct 4 16:22:16 2001 +++ savecore.c Thu Oct 4 16:25:07 2001 @@ -601,7 +601,7 @@ /* Read the dump size. */ DumpRead(dumpfd, &kdumpsize, sizeof(kdumpsize), (off_t)(dumplo + ok(dump_nl[X_DUMPSIZE].n_value)), L_SET); - dumpsize = kdumpsize * getpagesize(); + dumpsize = (off_t) kdumpsize * (off_t) getpagesize(); } /* can someone please commit this fix? thanks -mohan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message