Subject: lib/11446: kvm.c's bug may produce core on many programs
To: None <gnats-bugs@gnats.netbsd.org>
From: None <masanobu@iij.ad.jp>
List: netbsd-bugs
Date: 11/08/2000 04:59:17
>Number: 11446
>Category: lib
>Synopsis: kvm.c's bug may produce core on many programs
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: lib-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Nov 08 04:59:00 PST 2000
>Closed-Date:
>Last-Modified:
>Originator: SAITOH Masanobu
>Release: latest -current
>Organization:
----------------------------------------------------------
SAITOH Masanobu (masanobu@iij.ad.jp)
>Environment:
System: NetBSD mk7m 1.5H NetBSD 1.5H (GENERIC-$Revision: 1.306 $) #21: Thu Oct 26 11:00:46 JST 2000 masanobu@mk7m:/var/sources/current/src/sys/arch/i386/compile/MK7M i386
>Description:
Please try the following commands in -current:
# ln -s J malloc.conf
# w
9:12PM up 13 days, 10:05, 3 users, load averages: 0.06, 0.11, 0.14
USER TTY FROM LOGIN@ IDLE WHAT
Segmentation fault - core dumped
It's caused by a bug in kvm.c.
The reason why it occurs in -current and does not occur in the netbsd-1-5
branch is:
[kvm_proc.c]
@@ -1001,15 +1005,16 @@
kvm_doargv2(kd, pid, type, nchr)
kvm_t *kd;
pid_t pid;
int type;
int nchr;
{
size_t bufs;
- int narg, newarglen, mib[4];
+ int narg, mib[4];
+ size_t newarglen; <=== newargne is changed from int to size_t
char **ap, *bp, *endp;
/*
* Check that there aren't an unreasonable number of agruments.
*/
if (nchr > ARG_MAX)
return NULL;
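Review bot: changing newarglen from int to size_t at `+ size_t newarglen;` silently changes the signedness of the `kd->arglen < newarglen` test further down, so this hunk is only safe if kd->arglen is initialized wherever kd->argspc is. With the old int local, a garbage arglen with the MSB set is negative, passes the test, and the _kvm_realloc path hides the missing initialization; with the size_t local the same garbage is converted to a huge unsigned value, the test is false, and kd->argspc stays at the 0 that kvm.c assigns to it (see the >Fix: hunk, which adds no arglen initialization of its own before the patch). A type change on a length that is compared against a struct field should be paired with that field's initialization (`kd->arglen = 0;` beside `kd->argspc = 0;`), and the `kd->arglen == 0` malloc/realloc selection below relies on that same zero.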
and,
newarglen = MIN(nchr, ARG_MAX);
if (kd->arglen < newarglen) { <=== it fails if MSB of kd->arglen
is set (garbage)
if (kd->arglen == 0)
kd->argspc = (char *)_kvm_malloc(kd, newarglen);
else
kd->argspc = (char *)_kvm_realloc(kd, kd->argspc,
newarglen);
if (kd->argspc == NULL)
return NULL;
kd->arglen = newarglen;
}
But it MUST be fixed in the netbsd-1-5 branch, too.
>How-To-Repeat:
See above.
>Fix:
Apply following patch:
*** kvm.c 2000/10/04 16:11:27 1.68
--- kvm.c 2000/11/08 11:40:00
***************
*** 242,243 ****
--- 242,244 ----
kd->argspc = 0;
+ kd->arglen = 0;
kd->argbuf = 0;
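Review bot: the added `kd->arglen = 0;` restores the invariant kvm_doargv2 depends on (arglen == 0 means argspc is unallocated and selects _kvm_malloc over _kvm_realloc, and an unsigned arglen smaller than newarglen is what triggers growth), so the one-line fix is correct, but it leaves the pairing implicit: a short comment on the two adjacent lines, e.g. `/* argspc and arglen must be kept in step */`, would stop a later field or type change from reintroducing the bug. Since the description says the same code on netbsd-1-5 merely hides the garbage behind a signed comparison, the pull-up request for that branch belongs with this patch.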
>Release-Note:
>Audit-Trail:
>Unformatted:
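An added worked model of the failure mode the report describes, written for this page and not taken from NetBSD's kvm(3) sources. It models only the two kvm_t fields kvm_doargv2 touches, assumes the struct field arglen is an int (so that, as the report explains, only the local newarglen changed type), uses a stand-in DEMO_ARG_MAX and a 64-byte request, and plants INT_MIN as the constructed "garbage with the MSB set" because reading a truly uninitialized field would be undefined behaviour (in the report that garbage comes from the J malloc option junk-filling the freshly allocated kvm_t). The three demo functions return 1 if argspc is usable after the growth step and 0 if the caller would be left writing through a NULL pointer, which is the core dump from w(1).

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define DEMO_ARG_MAX 4096	/* stand-in for the kernel's ARG_MAX */
#define MIN(a, b) ((a) < (b) ? (a) : (b))

/*
 * Toy model of the kvm_t fields used by kvm_doargv2.  Assumption: the
 * struct field arglen is an int, so only the local newarglen differs
 * between the two versions quoted in the PR.
 */
struct toy_kvm {
	char *argspc;
	int arglen;
};

/* kvm.c before the fix: argspc zeroed, arglen left as it was.  The
 * "garbage" is planted explicitly: a value with the MSB set. */
static void toy_open_unfixed(struct toy_kvm *kd)
{
	kd->argspc = NULL;
	kd->arglen = INT_MIN;	/* constructed garbage */
}

/* kvm.c after the PR's patch: kd->arglen = 0 as well. */
static void toy_open_fixed(struct toy_kvm *kd)
{
	kd->argspc = NULL;
	kd->arglen = 0;
}

/* netbsd-1-5 growth logic: newarglen is int, the comparison is signed,
 * so a negative garbage arglen always passes and realloc(NULL, n) hides
 * the missing initialization.  Returns 1 if argspc is usable. */
static int grow_old(struct toy_kvm *kd, int nchr)
{
	int newarglen;
	char *p;

	if (nchr > DEMO_ARG_MAX)
		return 0;
	newarglen = MIN(nchr, DEMO_ARG_MAX);
	if (kd->arglen < newarglen) {
		p = kd->arglen == 0 ? malloc((size_t)newarglen)
		    : realloc(kd->argspc, (size_t)newarglen);
		if (p == NULL)
			return 0;
		kd->argspc = p;
		kd->arglen = newarglen;
	}
	return kd->argspc != NULL;
}

/* -current growth logic: newarglen is size_t.  The usual arithmetic
 * conversions turn the int field into size_t before the comparison
 * (written out as a cast here), so INT_MIN becomes a huge unsigned
 * value, the test is false, and the buffer is never allocated. */
static int grow_new(struct toy_kvm *kd, int nchr)
{
	size_t newarglen;
	char *p;

	if (nchr > DEMO_ARG_MAX)
		return 0;
	newarglen = (size_t)MIN(nchr, DEMO_ARG_MAX);
	if ((size_t)kd->arglen < newarglen) {
		p = kd->arglen == 0 ? malloc(newarglen)
		    : realloc(kd->argspc, newarglen);
		if (p == NULL)
			return 0;
		kd->argspc = p;
		kd->arglen = (int)newarglen;
	}
	return kd->argspc != NULL;
}

static int run(void (*opener)(struct toy_kvm *),
    int (*grow)(struct toy_kvm *, int))
{
	struct toy_kvm kd;
	int ok;

	opener(&kd);
	ok = grow(&kd, 64);	/* constructed: 64 bytes of argv text */
	free(kd.argspc);
	return ok;
}

int demo_old_unfixed(void) { return run(toy_open_unfixed, grow_old); }
int demo_new_unfixed(void) { return run(toy_open_unfixed, grow_new); }
int demo_new_fixed(void)   { return run(toy_open_fixed, grow_new); }

int main(void)
{
	printf("1.5 branch, arglen garbage: argspc %s\n",
	    demo_old_unfixed() ? "allocated" : "NULL");
	printf("-current, arglen garbage  : argspc %s\n",
	    demo_new_unfixed() ? "allocated" : "NULL (w would dump core)");
	printf("-current, arglen = 0 fix  : argspc %s\n",
	    demo_new_fixed() ? "allocated" : "NULL");
	return 0;
}
```

The cast in grow_new is written out only to make visible what the compiler does implicitly; the point of the model is that a signedness change in one local can turn an uninitialized field from harmless into a NULL dereference, which is why the fix has to land beside `kd->argspc = 0;` rather than in kvm_doargv2.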