Date: Thu, 2 Aug 2007 10:10:11 GMT From: "Vasim Valejev" <vasim@resume-bank.ru> To: freebsd-bugs@FreeBSD.org Subject: Re: kern/113218: [sysvipc] [patch] Overflow in shmget's memory size check Message-ID: <200708021010.l72AABxT015602@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR kern/113218; it has been noted by GNATS.
From: "Vasim Valejev" <vasim@resume-bank.ru>
To: <bug-followup@FreeBSD.org>
Cc:
Subject: Re: kern/113218: [sysvipc] [patch] Overflow in shmget's memory size check
Date: Thu, 2 Aug 2007 13:39:21 +0400
Hi !
Full patch (including ipcs fix):
*** sys/kern/sysv_shm.c.orig Mon Mar 5 16:10:57 2007
--- sys/kern/sysv_shm.c Wed Jul 25 15:00:14 2007
***************
*** 149,155 ****
#define SHMMAXPGS 8192 /* Note: sysv shared memory is swap
backed. */
#endif
#ifndef SHMMAX
! #define SHMMAX (SHMMAXPGS*PAGE_SIZE)
#endif
#ifndef SHMMIN
#define SHMMIN 1
--- 149,155 ----
#define SHMMAXPGS 8192 /* Note: sysv shared memory is swap
backed. */
#endif
#ifndef SHMMAX
! #define SHMMAX (1L*SHMMAXPGS*PAGE_SIZE)
#endif
#ifndef SHMMIN
#define SHMMIN 1
***************
*** 453,459 ****
#if defined(__i386__) && (defined(COMPAT_FREEBSD4) || defined(COMPAT_43))
struct oshmid_ds {
struct ipc_perm shm_perm; /* operation perms */
! int shm_segsz; /* size of segment (bytes) */
u_short shm_cpid; /* pid, creator */
u_short shm_lpid; /* pid, last operation */
short shm_nattch; /* no. of current attaches */
--- 453,459 ----
#if defined(__i386__) && (defined(COMPAT_FREEBSD4) || defined(COMPAT_43))
struct oshmid_ds {
struct ipc_perm shm_perm; /* operation perms */
! size_t shm_segsz; /* size of segment (bytes) */
u_short shm_cpid; /* pid, creator */
u_short shm_lpid; /* pid, last operation */
short shm_nattch; /* no. of current attaches */
***************
*** 717,723 ****
struct shmget_args *uap;
int mode;
{
! int i, segnum, shmid, size;
struct ucred *cred = td->td_ucred;
struct shmid_kernel *shmseg;
vm_object_t shm_object;
--- 717,724 ----
struct shmget_args *uap;
int mode;
{
! int i, segnum, shmid;
! size_t size;
struct ucred *cred = td->td_ucred;
struct shmid_kernel *shmseg;
vm_object_t shm_object;
*** sys/sys/shm.h.orig Sat Aug 6 11:20:17 2005
--- sys/sys/shm.h Wed Jul 25 14:47:47 2007
***************
*** 77,83 ****
struct shmid_ds {
struct ipc_perm shm_perm; /* operation permission structure */
! int shm_segsz; /* size of segment in bytes */
pid_t shm_lpid; /* process ID of last shared memory op */
pid_t shm_cpid; /* process ID of creator */
short shm_nattch; /* number of current attaches */
--- 77,83 ----
struct shmid_ds {
struct ipc_perm shm_perm; /* operation permission structure */
! size_t shm_segsz; /* size of segment in bytes */
pid_t shm_lpid; /* process ID of last shared memory op */
pid_t shm_cpid; /* process ID of creator */
short shm_nattch; /* number of current attaches */
*** usr.bin/ipcs/ipcs.c.orig Mon May 15 12:20:38 2006
--- usr.bin/ipcs/ipcs.c Wed Jul 25 14:48:23 2007
***************
*** 439,445 ****
kshmptr->u.shm_nattch);
if (option & BIGGEST)
! printf(" %12d",
kshmptr->u.shm_segsz);
if (option & PID)
--- 439,445 ----
kshmptr->u.shm_nattch);
if (option & BIGGEST)
! printf(" %12ld",
kshmptr->u.shm_segsz);
if (option & PID)
Vasim V.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200708021010.l72AABxT015602>