Date: Wed, 15 Mar 2006 15:31:42 GMT
From: Michiel Pelt <m.pelt@xs4all.nl>
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/94480: bread & bwrite can crash under low memory conditions
Message-ID: <200603151531.k2FFVgYK084178@www.freebsd.org>
Resent-Message-ID: <200603151540.k2FFeJ8u088841@freefall.freebsd.org>

>Number: 94480
>Category: kern
>Synopsis: bread & bwrite can crash under low memory conditions
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Mar 15 15:40:18 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Michiel Pelt
>Release: 6.0
>Organization:
Peltin BV
>Environment:
>Description:
I was just examining the kernel sources for the development plans I have and stumbled upon lib/libufs/block.c rev 1.10. The following code is incorrect:

	if (((intptr_t)data) & 0x3f) {
		p2 = malloc(size);
		if (p2 == NULL)
			ERROR(disk, "allocate bounce buffer");
	}
	cnt = pread(disk->d_fd, p2, size, (off_t)(blockno * disk->d_bsize));

If the malloc fails, pread will be called with the NULL pointer p2 with serious consequences. Same problem with the bwrite function:

	if (((intptr_t)data) & 0x3f) {
		p2 = malloc(size);
		if (p2 == NULL)
			ERROR(disk, "allocate bounce buffer");
		memcpy(p2, data, size);
		data = p2;
	}
	cnt = pwrite(disk->d_fd, data, size, (off_t)(blockno * disk->d_bsize));

>How-To-Repeat:
call bread, bwrite with a very large unaligned buffer ...
>Fix:
	if (((intptr_t)data) & 0x3f) {
		p2 = malloc(size);
		if (p2 == NULL) {
			ERROR(disk, "allocate bounce buffer");
			goto fail;
		}
	}
	cnt = pread(disk->d_fd, p2, size, (off_t)(blockno * disk->d_bsize));
	..
	if (((intptr_t)data) & 0x3f) {
		p2 = malloc(size);
		if (p2 == NULL) {
			ERROR(disk, "allocate bounce buffer");
			return (-1);
		}
		memcpy(p2, data, size);
		data = p2;
	}
	cnt = pwrite(disk->d_fd, data, size, (off_t)(blockno * disk->d_bsize));
>Release-Note:
>Audit-Trail:
>Unformatted:
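
Added example, not part of the original problem report and not libufs code: a stand-alone bounce-buffer read that returns before the buffer is used when allocation fails, with an injectable allocator so that path can be exercised. The names bounce_pread, demo_read, alloc_fn and failing_alloc are hypothetical, and the sample block and temp file are constructed for the test.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Hypothetical hook: lets a test substitute an allocator that always fails. */
typedef void *(*alloc_fn)(size_t);
static void *failing_alloc(size_t n) { (void)n; return (NULL); }
/* Read into data, bouncing through an allocated buffer when data is not
 * 64-byte aligned (the 0x3f test). alloc must be malloc()-compatible. */
static ssize_t bounce_pread(int fd, void *data, size_t size, off_t off, alloc_fn alloc)
{
	void *p2 = data;
	ssize_t cnt;
	if (((intptr_t)data) & 0x3f) {
		p2 = alloc(size);
		if (p2 == NULL) {
			errno = ENOMEM;
			return (-1);	/* bail out before p2 is ever used */
		}
	}
	cnt = pread(fd, p2, size, off);
	if (p2 != data) {
		if (cnt > 0) memcpy(data, p2, (size_t)cnt);
		free(p2);
	}
	return (cnt);
}

/* Constructed self-check: 0 = block read back intact, 1 = clean ENOMEM
 * failure with the caller's buffer untouched, 2 = anything else. */
static int demo_read(alloc_fn alloc, int misalign)
{
	static const char block[] = "constructed sample block";
	char tmpl[] = "/tmp/bounceXXXXXX", raw[192] = {0};
	char *buf = (char *)(((uintptr_t)raw + 63) & ~(uintptr_t)63) + misalign;
	int fd = mkstemp(tmpl), rc = 2;
	if (fd < 0) return (2);
	unlink(tmpl);
	if (write(fd, block, sizeof(block)) == (ssize_t)sizeof(block)) {
		ssize_t cnt = bounce_pread(fd, buf, sizeof(block), 0, alloc);
		if (cnt == (ssize_t)sizeof(block) && memcmp(buf, block, sizeof(block)) == 0)
			rc = 0;
		else if (cnt == -1 && errno == ENOMEM && buf[0] == '\0')
			rc = 1;
	}
	close(fd);
	return (rc);
}
```

Passing misalign = 1 forces the bounce-buffer path; misalign = 0 reads directly into the caller's buffer and never calls the allocator.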
