Date:      Thu, 14 May 2009 10:54:57 +0000 (UTC)
From:      Konstantin Belousov <kib@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r192094 - head/sys/kern
Message-ID:  <200905141054.n4EAsvp1088977@svn.freebsd.org>

Author: kib
Date: Thu May 14 10:54:57 2009
New Revision: 192094
URL: http://svn.freebsd.org/changeset/base/192094

Log:
  Do not advance req->oldidx when sysctl_old_user returns an
  error due to copyout failure or short buffer.
  
  The latter breaks the usermode iterators of the sysctl results that pack
  an arbitrary number of variable-sized structures. An iterator expects that
  the kernel filled exactly oldlen bytes, and tries to interpret a half-filled
  or garbage structure at the end of the buffer. In particular,
  kinfo_getfile(3) segfaulted.
  
  Reported and tested by:	pho
  MFC after:	3 weeks

Modified:
  head/sys/kern/kern_sysctl.c

Modified: head/sys/kern/kern_sysctl.c
==============================================================================
--- head/sys/kern/kern_sysctl.c	Thu May 14 10:47:11 2009	(r192093)
+++ head/sys/kern/kern_sysctl.c	Thu May 14 10:54:57 2009	(r192094)
@@ -1221,9 +1221,9 @@ sysctl_old_kernel(struct sysctl_req *req
 		if (i > 0)
 			bcopy(p, (char *)req->oldptr + req->oldidx, i);
 	}
-	req->oldidx += l;
 	if (req->oldptr && i != l)
 		return (ENOMEM);
+	req->oldidx += l;
 	return (0);
 }
 
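Review bot: the log message only names sysctl_old_user, but this hunk changes sysctl_old_kernel in the same way; the log should say so, since the behavioural change is visible to in-kernel callers. Note what the move does to the ENOMEM path: before, `req->oldidx += l;` ran first, so after an ENOMEM return oldidx still reported the full length the handler wanted to write; now it stops at the last complete write. Any in-kernel caller that passed a non-NULL oldptr and read oldidx after ENOMEM to learn the required size no longer gets that value (the NULL-oldptr size probe is unaffected, because `req->oldptr && i != l` is false there and the increment still runs). Worth a grep of kernel callers that supply oldptr before MFC.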
@@ -1320,9 +1320,10 @@ sysctl_old_user(struct sysctl_req *req, 
 	size_t i, len, origidx;
 
 	origidx = req->oldidx;
-	req->oldidx += l;
-	if (req->oldptr == NULL)
+	if (req->oldptr == NULL) {
+		req->oldidx += l;
 		return (0);
+	}
 	/*
 	 * If we have not wired the user supplied buffer and we are currently
 	 * holding locks, drop a witness warning, as it's possible that
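Review bot: with the increment moved into the NULL-oldptr branch, `origidx = req->oldidx;` is now assigned on a path that returns without ever using it; consider moving that assignment below the early return so origidx is only computed where the copyout needs it. The branch itself is right: a size probe (oldptr == NULL) still advances oldidx by the full l, so the "how big a buffer do I need" contract for userland is preserved.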
@@ -1344,6 +1345,7 @@ sysctl_old_user(struct sysctl_req *req, 
 		return (error);
 	if (i < l)
 		return (ENOMEM);
+	req->oldidx += l;
 	return (0);
 }
 
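Review bot: on the `if (i < l)` short-buffer path the i bytes already copied out stay in the user buffer but are not counted in oldidx, and on the copyout error path nothing is counted either; that is the intended contract (oldidx == bytes completely written), but it is now asymmetric with the size-probe branch in the previous hunk, which advances unconditionally. A short comment above `if (i < l)` stating that oldidx is advanced only after a full, successful copy would save the next reader from re-deriving why the two paths differ, and from reintroducing the pre-patch ordering that made kinfo_getfile(3) read a truncated structure.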