NetBSD-Bugs archive


kern/43930: namecache corruption in release build when namelen greater than 31 characters

>Number:         43930
>Category:       kern
>Synopsis:       namecache corruption in release build when namelen greater than 31 characters
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Sep 30 14:50:00 +0000 2010
>Originator:     Sai Krishnamurthy
>Release:        NetBSD 5.0.1
>Environment:
NetBSD saibsd 5.0.1 NetBSD 5.0.1 (GENERIC) #7: Fri May 28 11:37:06 EDT 2010 
sai@bsd:/buildarea/BSD501/usr/i386/obj/sys/arch/i386/compile/GENERIC i386
>Description:
cache_enter() in sys/kern/vfs_cache.c has a diagnostic check to verify that 
cn_namelen is less than or equal to NCHNAMLEN. On an optimized (release) build 
this check is not compiled in, and the memcpy() is done with whatever 
cn_namelen the caller passed. This corrupts the namecache whenever 
cache_enter() is called with a namelen greater than NCHNAMLEN.

>How-To-Repeat:
Using the NetBSD 5.0.1 release build, add a name of length 46 characters into 
the name cache by calling cache_enter(). Call cache_disassociate() to remove 
the namecache entry from the global LRU list. This will likely cause a crash 
because nc_lru.tqe_prev is corrupted due to buffer over-run from memcpy in 
Presently cache_enter() depends on cache_lookup() to perform a check on the 
size of the name and turn off the MAKEENTRY flag if the size exceeds NCHNAMLEN. 
It would be a good idea to have a size check within cache_enter() that works 
in release builds, to prevent data corruption when cache_enter() is called 

>Fix:
Return an error or panic in cache_enter(), identically on release and debug 
builds, if the size of the name exceeds the maximum allowed size of NCHNAMLEN 
in the namecache entry.
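As an added illustration (not code from this PR or from the NetBSD kernel), the following C model contrasts the DIAGNOSTIC-only length check the PR describes with the unconditional check it asks for. NCHNAMLEN (31), the MAKEENTRY flag and the 46-byte name come from the PR; the struct layout (LRU link placed directly after nc_name so the overrun visibly lands on it), the raw byte pool, the LRU_SENTINEL value and all function names are assumptions made for the demonstration, and the real struct namecache is laid out differently.

```c
#include <assert.h>
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NCHNAMLEN 31            /* max name bytes per entry, as in the PR */
#define MAKEENTRY 0x00004000    /* namei flag "add to namecache"; only the bit matters here */

/* Simplified stand-in for a namecache entry (assumed layout, not the kernel's). */
struct nc_model {
    unsigned char nc_nlen;
    char          nc_name[NCHNAMLEN]; /* not NUL-terminated, like the kernel's */
    void         *nc_lru_prev;        /* stands in for nc_lru.tqe_prev */
};

#define LRU_SENTINEL ((void *)(uintptr_t)0x5a5a5a5aU)  /* constructed marker value */

/* One entry lives at the start of this raw byte pool. The slack after it keeps
 * an over-long memcpy inside a single object, so the corruption can be read
 * back instead of being undefined behaviour across separate allocations. */
static unsigned char pool[4 * sizeof(struct nc_model)];

static void pool_reset(void)
{
    struct nc_model e;
    memset(pool, 0, sizeof pool);
    memset(&e, 0, sizeof e);
    e.nc_lru_prev = LRU_SENTINEL;
    memcpy(pool, &e, sizeof e);
}

static struct nc_model pool_entry(void)
{
    struct nc_model e;
    memcpy(&e, pool, sizeof e);
    return e;
}

/* Behaviour the PR reports: the check exists only under DIAGNOSTIC (assert()
 * plays that role here), so a release build copies whatever namelen it is given. */
static void cache_enter_as_reported(const char *name, size_t namelen)
{
#ifdef DIAGNOSTIC
    assert(namelen <= NCHNAMLEN);
#endif
    pool[offsetof(struct nc_model, nc_nlen)] = (unsigned char)namelen;
    memcpy(pool + offsetof(struct nc_model, nc_name), name, namelen);
}

/* Hardened variant: the check is unconditional, so release and debug builds
 * agree. Returns 0 on success and EINVAL when the name cannot fit; the PR's
 * other option, panic(), would go in the same place. */
static int cache_enter_checked(const char *name, size_t namelen)
{
    if (namelen > NCHNAMLEN)
        return EINVAL;
    pool[offsetof(struct nc_model, nc_nlen)] = (unsigned char)namelen;
    memcpy(pool + offsetof(struct nc_model, nc_name), name, namelen);
    return 0;
}

/* The lookup-side guard the PR says cache_enter() currently relies on: clear
 * MAKEENTRY so the caller never asks for an over-long name to be cached. It
 * only protects callers that go through cache_lookup() first. */
static int lookup_flags_for(int cn_flags, size_t namelen)
{
    if (namelen > NCHNAMLEN)
        cn_flags &= ~MAKEENTRY;
    return cn_flags;
}

/* Push a constructed all-'A' name of the given length through each path and
 * report whether the LRU link survived (1) or was overwritten by name bytes (0). */
static int lru_intact_after_reported_enter(size_t namelen)
{
    char name[64];
    memset(name, 'A', sizeof name);
    pool_reset();
    cache_enter_as_reported(name, namelen);
    return pool_entry().nc_lru_prev == LRU_SENTINEL;
}

static int lru_intact_after_checked_enter(size_t namelen)
{
    char name[64];
    memset(name, 'A', sizeof name);
    pool_reset();
    (void)cache_enter_checked(name, namelen);
    return pool_entry().nc_lru_prev == LRU_SENTINEL;
}

int main(void)
{
    printf("46-byte name, reported path: LRU intact = %d\n", lru_intact_after_reported_enter(46));
    printf("46-byte name, checked path : LRU intact = %d\n", lru_intact_after_checked_enter(46));
    printf("31-byte name, checked path : LRU intact = %d\n", lru_intact_after_checked_enter(31));
    return 0;
}
```

Built without DIAGNOSTIC, the reported path lets the 46-byte name run over the LRU link, which is the kind of overwrite behind the crash the PR describes; the checked path rejects it before any copy, and a 31-byte name is stored intact on both paths.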
