From owner-svn-src-all@freebsd.org Tue Mar 14 00:41:56 2017 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 1A6CCD09493; Tue, 14 Mar 2017 00:41:56 +0000 (UTC) (envelope-from rpokala@mac.com) Received: from mr11p00im-asmtp002.me.com (mr11p00im-asmtp002.me.com [17.110.69.253]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id EA1AD15CB; Tue, 14 Mar 2017 00:41:55 +0000 (UTC) (envelope-from rpokala@mac.com) Received: from process-dkim-sign-daemon.mr11p00im-asmtp002.me.com by mr11p00im-asmtp002.me.com (Oracle Communications Messaging Server 7.0.5.38.0 64bit (built Feb 26 2016)) id <0OMS00K0049R2800@mr11p00im-asmtp002.me.com>; Tue, 14 Mar 2017 00:41:49 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mac.com; s=4d515a; t=1489452109; bh=MfmcmhoHiX6nBVl2fAx02HVn9NR6nyRBRKRBbWlE8Rg=; h=Date:Subject:From:To:Message-id:MIME-version:Content-type; b=CsS8GRCNZiW+g3lEJ9pnC/gXKImITD86i4FqF9EXQCJPe3iDOz4TDMDffw5UOZPY+ wjvK8psUDfC22ioCvje1XnNv6DGebx9dOlQv+3UrsetLlmP84MNbz673TxwsccbAzM h1xqSKSRr3o8vQEE65WKoeSg2in3wyaXXLJBPS6qpXdjxYNEZAA+KsGhR74XAN6TXL 9BnQRFZGZ69TuBZJb2WcbB30U8xHbB8hPdg40dGvV5Zfy7kTVqNrSPTdXz+BNalMMQ oyOTTZaEESHuJEbPKEYI48Mfln3N27NUiwp7WSf2ggW0wqmM+AxdeqOpfmfhEQ9IUw rOEL5Miea5HEQ== Received: from icloud.com ([127.0.0.1]) by mr11p00im-asmtp002.me.com (Oracle Communications Messaging Server 7.0.5.38.0 64bit (built Feb 26 2016)) with ESMTPSA id <0OMS00DKF4LLV610@mr11p00im-asmtp002.me.com>; Tue, 14 Mar 2017 00:41:46 +0000 (GMT) X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2017-03-13_18:,, signatures=0 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 clxscore=1034 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1701120000 definitions=main-1703140005 User-Agent: Microsoft-MacOutlook/f.1f.0.170216 Date: Mon, 13 Mar 2017 17:41:43 -0700 Subject: Re: svn commit: r315155 - in head/sys: kern sys From: Ravi Pokala Sender: "Pokala, Ravi" To: Konstantin Belousov , src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Message-id: <9F3E9E31-579D-460E-B1CA-389C1FE476E0@panasas.com> Thread-topic: svn commit: r315155 - in head/sys: kern sys References: <201703121348.v2CDmOpp070774@repo.freebsd.org> In-reply-to: <201703121348.v2CDmOpp070774@repo.freebsd.org> MIME-version: 1.0 Content-type: text/plain; charset=UTF-8 Content-transfer-encoding: 7bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Mar 2017 00:41:56 -0000 Hi Konstantin, This appears to break mips kernels: _.mips.ADM5120:cc1: warnings being treated as errors _.mips.ADM5120-/usr/home/rpokala/freebsd/clean/base/head/sys/kern/kern_event.c:892: warning: 'kev_iovlen' defined but not used _.mips.ALCHEMY:cc1: warnings being treated as errors _.mips.ALCHEMY-/usr/home/rpokala/freebsd/clean/base/head/sys/kern/kern_event.c:892: warning: 'kev_iovlen' defined but not used _.mips.AR71XX_BASE:cc1: warnings being treated as errors _.mips.AR71XX_BASE-/usr/home/rpokala/freebsd/clean/base/head/sys/kern/kern_event.c:892: warning: 'kev_iovlen' defined but not used _.mips.AR724X_BASE:cc1: warnings being treated as errors _.mips.AR724X_BASE-/usr/home/rpokala/freebsd/clean/base/head/sys/kern/kern_event.c:892: warning: 'kev_iovlen' defined but not used etc. Thanks, Ravi (rpokala@) -----Original Message----- From: on behalf of Konstantin Belousov Date: 2017-03-12, Sunday at 06:48 To: , , Subject: svn commit: r315155 - in head/sys: kern sys Author: kib Date: Sun Mar 12 13:48:24 2017 New Revision: 315155 URL: https://svnweb.freebsd.org/changeset/base/315155 Log: Ktracing kevent(2) calls with unusual arguments might leads to an overly large allocation requests. When ktrace-ing io, sys_kevent() allocates memory to copy the requested changes and reported events. Allocations are sized by the incoming syscall lengths arguments, which are user-controlled, and might cause overflow in calculations or too large allocations. Since io trace chunks are limited by ktr_geniosize, there is no sense it even trying to satisfy unbounded allocations. Export ktr_geniosize and clamp the buffers sizes in advance. PR: 217435 Reported by: Tim Newsham Sponsored by: The FreeBSD Foundation MFC after: 1 week Modified: head/sys/kern/kern_event.c head/sys/kern/kern_ktrace.c head/sys/sys/ktrace.h Modified: head/sys/kern/kern_event.c ============================================================================== --- head/sys/kern/kern_event.c Sun Mar 12 13:42:40 2017 (r315154) +++ head/sys/kern/kern_event.c Sun Mar 12 13:48:24 2017 (r315155) @@ -887,6 +887,15 @@ kern_kqueue(struct thread *td, int flags return (0); } +static size_t +kev_iovlen(int n, u_int kgio) +{ + + if (n < 0 || n >= kgio / sizeof(struct kevent)) + return (kgio); + return (n * sizeof(struct kevent)); +} + #ifndef _SYS_SYSPROTO_H_ struct kevent_args { int fd; @@ -910,6 +919,7 @@ sys_kevent(struct thread *td, struct kev struct iovec ktriov; struct uio *ktruioin = NULL; struct uio *ktruioout = NULL; + u_int kgio; #endif if (uap->timeout != NULL) { @@ -922,13 +932,15 @@ sys_kevent(struct thread *td, struct kev #ifdef KTRACE if (KTRPOINT(td, KTR_GENIO)) { + kgio = ktr_geniosize; ktriov.iov_base = uap->changelist; - ktriov.iov_len = uap->nchanges * sizeof(struct kevent); + ktriov.iov_len = kev_iovlen(uap->nchanges, kgio); ktruio = (struct uio){ .uio_iov = &ktriov, .uio_iovcnt = 1, .uio_segflg = UIO_USERSPACE, .uio_rw = UIO_READ, .uio_td = td }; ktruioin = cloneuio(&ktruio); ktriov.iov_base = uap->eventlist; + ktriov.iov_len = kev_iovlen(uap->nevents, kgio); ktriov.iov_len = uap->nevents * sizeof(struct kevent); ktruioout = cloneuio(&ktruio); } @@ -939,9 +951,9 @@ sys_kevent(struct thread *td, struct kev #ifdef KTRACE if (ktruioin != NULL) { - ktruioin->uio_resid = uap->nchanges * sizeof(struct kevent); + ktruioin->uio_resid = kev_iovlen(uap->nchanges, kgio); ktrgenio(uap->fd, UIO_WRITE, ktruioin, 0); - ktruioout->uio_resid = td->td_retval[0] * sizeof(struct kevent); + ktruioout->uio_resid = kev_iovlen(td->td_retval[0], kgio); ktrgenio(uap->fd, UIO_READ, ktruioout, error); } #endif Modified: head/sys/kern/kern_ktrace.c ============================================================================== --- head/sys/kern/kern_ktrace.c Sun Mar 12 13:42:40 2017 (r315154) +++ head/sys/kern/kern_ktrace.c Sun Mar 12 13:48:24 2017 (r315155) @@ -132,7 +132,7 @@ static SYSCTL_NODE(_kern, OID_AUTO, ktra static u_int ktr_requestpool = KTRACE_REQUEST_POOL; TUNABLE_INT("kern.ktrace.request_pool", &ktr_requestpool); -static u_int ktr_geniosize = PAGE_SIZE; +u_int ktr_geniosize = PAGE_SIZE; SYSCTL_UINT(_kern_ktrace, OID_AUTO, genio_size, CTLFLAG_RWTUN, &ktr_geniosize, 0, "Maximum size of genio event payload"); Modified: head/sys/sys/ktrace.h ============================================================================== --- head/sys/sys/ktrace.h Sun Mar 12 13:42:40 2017 (r315154) +++ head/sys/sys/ktrace.h Sun Mar 12 13:48:24 2017 (r315155) @@ -276,7 +276,7 @@ void ktrcapfail(enum ktr_cap_fail_type, ktrstruct("sockaddr", (s), ((struct sockaddr *)(s))->sa_len) #define ktrstat(s) \ ktrstruct("stat", (s), sizeof(struct stat)) - +extern u_int ktr_geniosize; #else #include