Date:      Sat, 14 Sep 2019 00:28:30 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 240573] sysctl() does not return ENOMEM but silently truncate return data
Message-ID:  <bug-240573-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=240573

            Bug ID: 240573
           Summary: sysctl() does not return ENOMEM but silently truncate
                    return data
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rozhuk.im@gmail.com

int mib[4] = { CTL_KERN, KERN_PROC, KERN_PROC_FILEDESC, getpid() };
size_t buf_size = 0;
void *buf;
int newfd;

/* First call: ask the kernel how large the buffer must be. */
if (0 != sysctl(mib, 4, NULL, &buf_size, NULL, 0))
        return (errno);
buf = malloc(buf_size);
/* A descriptor opened between the two calls makes that size stale. */
newfd = open("/dev/null", O_RDONLY); /* !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! */
if (0 != sysctl(mib, 4, buf, &buf_size, NULL, 0)) {
        if (ENOMEM != errno) {
                free(buf);
                return (errno);
        }
}

This code should fail, but it fills buf with struct kinfo_file, and there is no
newfd.
No failure, no error code set, silent data truncation.


Probably sys/kern/kern_descrip.c: export_kinfo_to_sb()
...
                if (efbuf->remainder < kif->kf_structsize) {
                        /* Terminate export. */
                        efbuf->remainder = 0;
                        return (0);
                }
...
should return ENOMEM here!?

I see a hack to avoid the missing fd for that in
lib/libutil/kinfo_getfile.c: kinfo_getfile():
...
len = len * 4 / 3;
...


Same for kern.ipc.posix_shm_list.

sys/kern/uipc_shm.c: sysctl_posix_shm_list()
                        if (req->oldptr != NULL &&
                            kif.kf_structsize + curlen > req->oldlen)
                                break;
error = ENOMEM; is missing before the break.

hack:
usr.bin/posixshmcontrol/posixshmcontrol.c: list_shm()


sys/kern/kern_proc.c: kern_proc_vmmap_out()
...
                /* Halt filling and truncate rather than exceeding maxlen */
                if (maxlen != -1 && maxlen < kve->kve_structsize) {
                        error = 0;
                        vm_map_lock_read(map);
                        break;
...
error = ENOMEM;?


And probably other places where a buffer size check exists and the loop is
exited before calling sbuf_bcat().

-- 
You are receiving this mail because:
You are the assignee for the bug.
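The probe-then-fetch race the report describes, as an added C example that is not part of the report or of FreeBSD: a simulated exporter stands in for sysctl(3) so it runs on any system, and the record bound REC_MAX and the names sysctl_fn, naive_fetch, fetch_untruncated and sim_sysctl are assumptions. It shows the silent drop of a record added between the two calls, and a retry loop that only accepts a result once the kernel left room for one more full record, which is the check the 4/3 hack approximates.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
/* Stand-in for sysctl(3) (hypothetical type): oldp == NULL reports the size
 * needed, otherwise copy up to *oldlenp bytes and write back how many were used. */
typedef int (*sysctl_fn)(void *oldp, size_t *oldlenp, void *ctx);
/* Largest record the exporter can emit; constructed value (the real bound for
 * KERN_PROC_FILEDESC would be sizeof(struct kinfo_file)). */
#define REC_MAX 16
/* The report's probe-then-fetch pattern: a record added in between is dropped, no ENOMEM. */
void *naive_fetch(sysctl_fn fn, void *ctx, size_t *outlen) {
    size_t len = 0;
    if (fn(NULL, &len, ctx) != 0) return NULL;
    void *buf = malloc(len);
    if (buf == NULL || fn(buf, &len, ctx) != 0) { free(buf); return NULL; }
    *outlen = len;
    return buf;
}
/* Grow the buffer until the kernel left at least REC_MAX bytes unused: only
 * then is it certain that no record was silently cut off. */
void *fetch_untruncated(sysctl_fn fn, void *ctx, size_t *outlen) {
    size_t alloc = 0, got;
    void *buf = NULL, *nb;
    if (fn(NULL, &alloc, ctx) != 0) return NULL;
    for (alloc += REC_MAX;; alloc *= 2) {
        if ((nb = realloc(buf, alloc)) == NULL) { free(buf); return NULL; }
        buf = nb; got = alloc;
        if (fn(buf, &got, ctx) != 0) { free(buf); return NULL; }
        if (got + REC_MAX <= alloc) { *outlen = got; return buf; }
    }
}
/* Simulated exporter: nrec records, plus one appearing right after the probe (the open() race). */
struct sim { int nrec; int grow_after_probe; };
int sim_sysctl(void *oldp, size_t *oldlenp, void *ctx) {
    struct sim *s = ctx;
    if (oldp == NULL) {
        *oldlenp = (size_t)s->nrec * REC_MAX;
        if (s->grow_after_probe) { s->nrec++; s->grow_after_probe = 0; }
        return 0;
    }
    size_t used = 0;
    for (int i = 0; i < s->nrec; i++) {
        if (*oldlenp - used < REC_MAX) break; /* record dropped, no ENOMEM */
        memset((char *)oldp + used, 'A' + i, REC_MAX);
        used += REC_MAX;
    }
    *oldlenp = used;
    return 0;
}
```

With three records and one appearing after the probe, naive_fetch returns 48 bytes (three records, the fourth lost without error), while fetch_untruncated returns all 64.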
