Date: Mon, 03 Sep 2018 18:46:38 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 231116] Out of bounds memory access in blist_create()
Message-ID: <bug-231116-227-DUqmF4JYh8@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-231116-227@https.bugs.freebsd.org/bugzilla/>
References: <bug-231116-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231116

Mark Johnston <markj@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |markj@FreeBSD.org

--- Comment #2 from Mark Johnston <markj@FreeBSD.org> ---
It happens with blist_create(128, 1) too. In that case, we need two leaf nodes, an internal parent node, and a terminator. However, we end up with nodes == 3 since last_block < blocks. That is, we're missing a case where nodes should be initialized to 2 instead of 1. The problem is triggered when "blocks" is the sum of powers of 2 >= BLIST_BMAP_RADIX.

Index: subr_blist.c =================================================================== --- subr_blist.c (revision 338446) +++ subr_blist.c (working copy) @@ -244,7 +244,10 @@ * Count the meta-nodes in the expanded tree, including the final * terminator, from the bottom level up to the root. */ - nodes = (last_block >= blocks) ? 2 : 1; + nodes = 1; + if (last_block >= blocks || (last_block != radix - 1 && + (last_block & (radix - 1)) == last_block)) + nodes++; last_block /= BLIST_BMAP_RADIX; while (last_block > 0) { nodes += last_block + 1;
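Review bot: the new clause `(last_block != radix - 1 && (last_block & (radix - 1)) == last_block)` is not explained by the comment block above it, which still only says to count the meta-nodes and the terminator. Since the mask `radix - 1` already assumes radix is a power of two, `(last_block & (radix - 1)) == last_block` is just `last_block < radix`, and together with `last_block != radix - 1` the whole clause reduces to `last_block < radix - 1`; writing that directly would be clearer and easier to pair with a comment stating why a partially filled top level needs the extra node (the blist_create(128, 1) case from the comment: two leaves, one parent and one terminator, so nodes must reach 4 rather than the 3 the old `(last_block >= blocks) ? 2 : 1` produced). A regression test over the trigger named in the comment, block counts that are sums of powers of two at or above BLIST_BMAP_RADIX, would also be worth adding alongside the fix, since the old expression was correct for every other input and the miscount only shows up for those.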
