Date: Wed, 25 Feb 2009 21:40:03 GMT From: Dylan Cochran <a134qaed@gmail.com> To: freebsd-bugs@FreeBSD.org Subject: Re: kern/132104: kenv buffer overflow Message-ID: <200902252140.n1PLe38Z096563@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR kern/132104; it has been noted by GNATS.
From: Dylan Cochran <a134qaed@gmail.com>
To: Jaakko Heinonen <jh@saunalahti.fi>
Cc: bug-followup@freebsd.org
Subject: Re: kern/132104: kenv buffer overflow
Date: Wed, 25 Feb 2009 16:36:32 -0500
On Wed, Feb 25, 2009 at 1:56 PM, Jaakko Heinonen <jh@saunalahti.fi> wrote:
>
> Hi,
>
> On 2009-02-25, Dylan Cochran wrote:
>> This prevents the panic condition, but also increases the amount of
>> time the mutex is held. Comments?
>>
>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 mtx_lock(&kenv_lock);
>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 cp =3D _getenv_dynamic(name, NULL);
>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 if (cp !=3D NULL) {
>> - =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 strcpy(buf, cp);
>> - =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 mtx_unlock(&kenv_lock);
>> - =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 len =3D strlen(buf) + 1;
>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 len =3D strlen(cp) + 1;
>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 ret =3D malloc(len, M_KENV, =
M_WAITOK);
>> - =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 strcpy(ret, buf);
>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 strcpy(ret, cp);
>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 mtx_unlock(&kenv_lock);
>
> malloc(9) with M_WAITOK flag could sleep. You are not allowed to sleep
> while holding a mutex.
So if I modify it to use M_NOWAIT, I should unlock if it returns null,
then sleep, then relock, and repeat? I'd rather not just bump up the
*LEN values, or truncate it by adding a trailing 0 byte to the end.
Not in 2009 anyway.
>
> --
> Jaakko
>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200902252140.n1PLe38Z096563>