Date: Mon, 03 Sep 2018 18:46:38 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 231116] Out of bounds memory access in blist_create()
Message-ID: <bug-231116-227-DUqmF4JYh8@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-231116-227@https.bugs.freebsd.org/bugzilla/>
References: <bug-231116-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231116

Mark Johnston <markj@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |markj@FreeBSD.org

--- Comment #2 from Mark Johnston <markj@FreeBSD.org> ---
It happens with blist_create(128, 1) too.  In that case, we need two leaf
nodes, an internal parent node, and a terminator.  However, we end up with
nodes == 3 since last_block < blocks.  That is, we're missing a case where
nodes should be initialized to 2 instead of 1.  The problem is triggered when
"blocks" is the sum of powers of 2 >= BLIST_BMAP_RADIX.

Index: subr_blist.c
===================================================================
--- subr_blist.c	(revision 338446)
+++ subr_blist.c	(working copy)
@@ -244,7 +244,10 @@
 	 * Count the meta-nodes in the expanded tree, including the final
 	 * terminator, from the bottom level up to the root.
 	 */
-	nodes = (last_block >= blocks) ? 2 : 1;
+	nodes = 1;
+	if (last_block >= blocks || (last_block != radix - 1 &&
+	    (last_block & (radix - 1)) == last_block))
+		nodes++;
 	last_block /= BLIST_BMAP_RADIX;
 	while (last_block > 0) {
 		nodes += last_block + 1;

-- 
You are receiving this mail because:
You are the assignee for the bug.
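Review bot: the new `if` in this hunk turns a one-line test into a three-term condition whose second disjunct, `last_block != radix - 1 && (last_block & (radix - 1)) == last_block`, is not explained anywhere in the diff, and the block comment right above it still only says "including the final terminator", so a reader cannot tell which tree shapes get the extra node. Please extend that comment to say that the terminator must also be counted when last_block is still below blocks (the "blocks is a sum of powers of 2 >= BLIST_BMAP_RADIX" case described in the comment, e.g. blist_create(128, ...)), and consider that if radix is a power of two, as the `radix - 1` mask suggests, `(last_block & (radix - 1)) == last_block` is simply `last_block < radix`, which reads more clearly. A regression check for blocks = 128 (expecting 4 nodes: two leaves, a parent and the terminator, per the comment) and for the boundary blocks = radix, where `last_block != radix - 1` is false and nodes stays at 1, would pin down both branches of the new condition.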