Date: Thu, 2 Aug 2007 10:10:11 GMT
Message-Id: <200708021010.l72AABxT015602@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: "Vasim Valejev"
Subject: Re: kern/113218: [sysvipc] [patch] Overflow in shmget's memory size check

The following reply was made to PR kern/113218; it has been noted by GNATS.

From: "Vasim Valejev"
To:
Cc:
Subject: Re: kern/113218: [sysvipc] [patch] Overflow in shmget's memory size check
Date: Thu, 2 Aug 2007 13:39:21 +0400

Hi !

Full patch (including ipcs fix):

*** sys/kern/sysv_shm.c.orig Mon Mar 5 16:10:57 2007 --- sys/kern/sysv_shm.c Wed Jul 25 15:00:14 2007 *************** *** 149,155 **** #define SHMMAXPGS 8192 /* Note: sysv shared memory is swap backed. */ #endif #ifndef SHMMAX ! 
#define SHMMAX (SHMMAXPGS*PAGE_SIZE) #endif #ifndef SHMMIN #define SHMMIN 1 --- 149,155 ---- #define SHMMAXPGS 8192 /* Note: sysv shared memory is swap backed. */ #endif #ifndef SHMMAX ! #define SHMMAX (1L*SHMMAXPGS*PAGE_SIZE) #endif #ifndef SHMMIN #define SHMMIN 1 *************** *** 453,459 **** #if defined(__i386__) && (defined(COMPAT_FREEBSD4) || defined(COMPAT_43)) struct oshmid_ds { struct ipc_perm shm_perm; /* operation perms */ ! int shm_segsz; /* size of segment (bytes) */ u_short shm_cpid; /* pid, creator */ u_short shm_lpid; /* pid, last operation */ short shm_nattch; /* no. of current attaches */ --- 453,459 ---- #if defined(__i386__) && (defined(COMPAT_FREEBSD4) || defined(COMPAT_43)) struct oshmid_ds { struct ipc_perm shm_perm; /* operation perms */ ! size_t shm_segsz; /* size of segment (bytes) */ u_short shm_cpid; /* pid, creator */ u_short shm_lpid; /* pid, last operation */ short shm_nattch; /* no. of current attaches */ *************** *** 717,723 **** struct shmget_args *uap; int mode; { ! int i, segnum, shmid, size; struct ucred *cred = td->td_ucred; struct shmid_kernel *shmseg; vm_object_t shm_object; --- 717,724 ---- struct shmget_args *uap; int mode; { ! int i, segnum, shmid; ! size_t size; struct ucred *cred = td->td_ucred; struct shmid_kernel *shmseg; vm_object_t shm_object; *** sys/sys/shm.h.orig Sat Aug 6 11:20:17 2005 --- sys/sys/shm.h Wed Jul 25 14:47:47 2007 *************** *** 77,83 **** struct shmid_ds { struct ipc_perm shm_perm; /* operation permission structure */ ! int shm_segsz; /* size of segment in bytes */ pid_t shm_lpid; /* process ID of last shared memory op */ pid_t shm_cpid; /* process ID of creator */ short shm_nattch; /* number of current attaches */ --- 77,83 ---- struct shmid_ds { struct ipc_perm shm_perm; /* operation permission structure */ ! 
size_t shm_segsz; /* size of segment in bytes */ pid_t shm_lpid; /* process ID of last shared memory op */ pid_t shm_cpid; /* process ID of creator */ short shm_nattch; /* number of current attaches */ *** usr.bin/ipcs/ipcs.c.orig Mon May 15 12:20:38 2006 --- usr.bin/ipcs/ipcs.c Wed Jul 25 14:48:23 2007 *************** *** 439,445 **** kshmptr->u.shm_nattch); if (option & BIGGEST) ! printf(" %12d", kshmptr->u.shm_segsz); if (option & PID) --- 439,445 ---- kshmptr->u.shm_nattch); if (option & BIGGEST) ! printf(" %12ld", kshmptr->u.shm_segsz); if (option & PID) Vasim V.
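
Review bot: In the sys/kern/sysv_shm.c hunk at line 149, the 1L multiplier in "#define SHMMAX (1L*SHMMAXPGS*PAGE_SIZE)" widens the product only to signed long, so the overflow is avoided only where long is wider than int, and the result is signed while the rest of the patch moves segment sizes to size_t. A cast to the destination type, for example ((size_t)SHMMAXPGS*PAGE_SIZE), states the intent directly. The variable that SHMMAX initialises is not part of this patch; if it is still an int, the widened value is truncated again at the assignment, so its type should change in the same commit.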
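
Review bot: In the sys/kern/sysv_shm.c hunk at line 453, shm_segsz in struct oshmid_ds should stay int. The structure is compiled only under "#if defined(__i386__) && (defined(COMPAT_FREEBSD4) || defined(COMPAT_43))", so it describes a fixed layout that old i386 binaries already use. Switching the field to size_t there changes only its signedness, does nothing for the overflow this PR is about, and makes the compat definition differ from the one those binaries were built against. Suggest dropping this hunk, or explaining in the commit message why the compat structure has to change.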
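
Review bot: In the sys/kern/sysv_shm.c hunk at line 717, only the declaration of size changes ("size_t size;"), and none of the places that use it in the function are shown. With an unsigned size, any existing test of the form size < 0 becomes dead code, any comparison against a signed limit is now done after conversion to unsigned, and the rounding of size up to a page multiple can wrap to a small value for requests close to the maximum of size_t. Please include the size check itself in the patch, with the comparison against the limit done before the round-up, so the fix named in the subject line can be reviewed.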
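
Review bot: In the sys/sys/shm.h hunk at line 77, changing shm_segsz in struct shmid_ds from int to size_t changes the size of the field, and the offsets of every member after it, on platforms where size_t is wider than int. This is a public header, so binaries compiled against the old layout would pass a structure of the wrong shape once the kernel uses the new one. The patch updates ipcs but has no provision for other existing consumers; it needs either a compatibility path that still accepts the old layout or an explicit statement that the ABI break is intended.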
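
Review bot: In the usr.bin/ipcs/ipcs.c hunk at line 439, the new format " %12ld" does not match the argument: the shm.h hunk makes shm_segsz a size_t, and %ld expects a signed long. The mismatch draws a format warning and prints large sizes as negative numbers. Use printf(" %12zu", kshmptr->u.shm_segsz); instead, or cast the argument explicitly to the type the format names.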