From owner-freebsd-current Tue Dec 3 21:53:08 2002
Delivered-To: freebsd-current@freebsd.org
Date: Wed, 4 Dec 2002 00:52:52 -0500
From: Hiten Pandya
To: freebsd-current@FreeBSD.org
Subject: sysctl_sysctl_next_ls() panic in case of empty node
Message-ID: <20021204055252.GB36784@angelica.unixdaemons.com>

Hi.

A bug in sysctl_sysctl_next_ls() makes the kernel panic if an empty node is passed to it, because the value of 'namelen' is statically assigned 1 at the end of the routine. I finally got my head around this issue, and I thought I would submit a fix. Yesterday, I found out that there is a PR for this issue, since 4.4-RELEASE, which means that the bug is old, so the fix will need to be MFC'ed.

Test code: http://www.unixdaemons.com/~hiten/work/misc/sysctlbug1.c
Patch: http://www.unixdaemons.com/~hiten/work/diffs/kern_sysctl.c.patch

I also have a screenshot of my VMware FreeBSD-CURRENT installation, in which I wrote the test code. Compile the test code as a KLD, and then load it; after that, execute:

	# sysctl -a bugfoo

Screenshot, http://www.unixdaemons.com/~hiten/work/misc/sysctl-bug.gif, and PR kern/31490.

If you have any questions or comments regarding this bug, please do not hesitate to contact me for more information.

Cheers.

P.S. Patch and test code attached with this mail.
-- 
Hiten Pandya (hiten@unixdaemons.com, hiten@uk.FreeBSD.org)
http://www.unixdaemons.com/~hiten/

Content-Disposition: attachment; filename="sysctlbug1.c"

/*
 * Code for reproducing Sysctl (empty node) bug.
 *
 * Note: the header names were lost from the archived copy of this mail;
 * the five below are the ones the macros and calls in this file need.
 */
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/kernel.h>
#include <sys/module.h>
#include <sys/sysctl.h>

static int bug_load(module_t, int, void *);

/* bugfoo.mac.debug.counters is a node with no children: the empty node. */
SYSCTL_DECL(_bugfoo);
SYSCTL_NODE(, 0, bugfoo, CTLFLAG_RW, 0, "Bugfoo and Family");
SYSCTL_NODE(_bugfoo, OID_AUTO, mac, CTLFLAG_RW, 0, "Bugfoo and Family");
SYSCTL_NODE(_bugfoo_mac, OID_AUTO, debug, CTLFLAG_RW, 0, "BF [1]");
SYSCTL_NODE(_bugfoo_mac_debug, OID_AUTO, counters, CTLFLAG_RW, 0, "BF [2]");

/* A leaf registered next to the empty node, so the tree walk has a sibling
 * to move on to after "counters". */
static int mac_debug_label_fallback = 0;
SYSCTL_INT(_bugfoo_mac_debug, OID_AUTO, label_fallback, CTLFLAG_RW,
    &mac_debug_label_fallback, 0,
    "Filesystems should fall back to fs label when label is corrupted.");
TUNABLE_INT("bugfoo.mac.debug_label_fallback", &mac_debug_label_fallback);

/* Module initialisation stuff */
static moduledata_t bugctl_mod = {
	"bugctl",
	bug_load,
	0
};

static int
bug_load(module_t mod, int cmd, void *arg)
{
	int err = 0;

	switch (cmd) {
	case MOD_LOAD:
		printf("Sysctl Bug Manipulation\n");
		break;		/* Success */
	case MOD_UNLOAD:
		break;		/* Success */
	default:
		err = EINVAL;
		break;
	}
	return (err);
}

/* Now declare the module to the system */
DECLARE_MODULE(bugctl, bugctl_mod, SI_SUB_DRIVERS, SI_ORDER_MIDDLE);

Content-Disposition: attachment; filename="kern_sysctl.c.patch"

Index: kern_sysctl.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/kern_sysctl.c,v
retrieving revision 1.135
diff -u -r1.135 kern_sysctl.c
--- kern_sysctl.c	2002/10/27 07:12:34	1.135
+++ kern_sysctl.c	2002/12/03 14:51:07
@@ -538,7 +538,10 @@ int *next, int *len, int level, struct sysctl_oid **oidpp) { struct sysctl_oid *oidp; + int i_namelen; + i_namelen = namelen ? 1 : 0; + *len = level; SLIST_FOREACH(oidp, lsp, oid_link) { *next = oidp->oid_number; @@ -585,7 +588,7 @@ len, level+1, oidpp)) return (0); next: - namelen = 1; + namelen = i_namelen; *len = level; } return 1; --OgqxwSJOaUobr8KG-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message
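Review bot: in the first hunk, `i_namelen = namelen ? 1 : 0;` records whether the routine was entered with a name to match, but nothing in the hunk says so; a one-line comment at the declaration, and a name such as `entered_with_name`, would make the later `namelen = i_namelen;` self-explanatory, and `(namelen != 0)` reads more directly than the ternary on a u_int.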
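Review bot: in the second hunk, `namelen = i_namelen;` keeps the namelen == 0 walk from being turned into a namelen == 1 walk, which the mail identifies as the cause of the panic, but it does so by sending the empty-node case through the same `next:` reset as the ordinary advance; since that case only needs `*len = level;`, a second label placed after the `namelen = 1;` line, with the empty-node path jumping to it, would drop the extra variable and make the special case visible at the point where it matters. Either way, the change should be checked against the attached bugfoo KLD before the MFC.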
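As an added example that is not code from the mail or from the FreeBSD tree, the following userland C model reproduces the traversal logic the patch touches over the same bugfoo.mac.debug tree the attached KLD registers, so the two outcomes (panic before the patch, a clean walk after it) can be seen without loading a kernel module. The oid struct, the OID numbers, the PANIC sentinel and the `patched` switch are constructed for the demo; the real routine's handler and CTLFLAG_SKIP checks are left out.

```c
/* Added example, not code from the mail or the FreeBSD tree: a userland model of
 * the kernel's sysctl_sysctl_next_ls() walk over the tree the attached KLD builds.
 * The oid struct, OID numbers and PANIC sentinel are constructed; the handler and
 * CTLFLAG_SKIP checks of the real routine are left out. */
#include <stddef.h>
#define PANIC (-1)   /* stands in for the kernel reading *name while name == NULL */

struct oid {
	int number, is_node;                 /* is_node: 1 = CTLTYPE_NODE, 0 = leaf */
	const struct oid *kids; int nkids;   /* children of a node; may be none */
};

/* 0: next leaf found, its oid path in next[0..*len); 1: list exhausted; or PANIC. */
static int next_ls(const struct oid *lsp, int nk, const int *name, unsigned namelen,
    int *next, int *len, int level, int patched)
{
	unsigned i_namelen = namelen ? 1 : 0;   /* the patch's saved entry value */
	int i, r = 1;
	*len = level;
	for (i = 0; i < nk; i++) {
		const struct oid *o = &lsp[i];
		*next = o->number;
		if (namelen != 0) {
			if (name == NULL) return PANIC;   /* kernel: *name with name == 0 */
			if (o->number < *name) continue;
		}
		if (namelen == 0 || o->number > *name) {   /* list this subtree */
			if (!o->is_node) return 0;
			r = next_ls(o->kids, o->nkids, NULL, 0, next + 1, len, level + 1, patched);
		} else if (o->is_node) {                   /* exact match: descend */
			r = next_ls(o->kids, o->nkids, name + 1, namelen - 1, next + 1, len, level + 1, patched);
		} else
			continue;                              /* the matched leaf itself */
		if (r != 1) return r;
		namelen = patched ? i_namelen : 1;   /* unpatched: unconditional 1 */
		*len = level;                        /* an empty node lands here */
	}
	return 1;
}
/* bugfoo(0) -> mac(100) -> debug(100) -> { counters(100, empty node), label_fallback(101) } */
static const struct oid debug_kids[] = { { 100, 1, NULL, 0 }, { 101, 0, NULL, 0 } };
static const struct oid mac_kids[] = { { 100, 1, debug_kids, 2 } };
static const struct oid bugfoo_kids[] = { { 100, 1, mac_kids, 1 } };
static const struct oid root[] = { { 0, 1, bugfoo_kids, 1 } };
static const int bugfoo_name[] = { 0 };
/* First "next" step of `sysctl -a bugfoo`: name = { bugfoo }, namelen = 1. */
static int g_next[8], g_len;
int walk_bugfoo(int patched) { return next_ls(root, 1, bugfoo_name, 1, g_next, &g_len, 1, patched); }
int walk_len(void) { return g_len; }          /* depth of the path found */
int walk_oid(int i) { return g_next[i]; }     /* i-th oid number on that path */
```

With `patched` set to 0 the walk reaches label_fallback after the empty counters node with namelen forced back to 1 and a null name pointer, which is the dereference behind the panic; with `patched` set to 1 it returns the path bugfoo.mac.debug.label_fallback.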