tech-kern archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: [PATCH] netbsd32 swapctl, round 4



   Date: Mon, 03 Feb 2014 00:37:34 +1100
   from: matthew green <mrg%eterna.com.au@localhost>

   > > +        sep = kmem_alloc(sizeof(*sep) * count, KM_SLEEP);
   > > +        sep32 = kmem_alloc(sizeof(*sep32) * count, KM_SLEEP);
   > 
   > You can overflow "sizeof(*sep) * count", make the kmem_alloc(...) 
   > succeed (the overflow will result in a small size_t if "count" is 
   > properly chosen which is the size kmem_alloc() expects), then corrupt 
   > adjacent kernel memory through the loop when writing into sep32 array.

   it would require having about 4 million swap devices to trigger this.

   ... nothing to see here, move right along.  :-)

Nevertheless, it wouldn't hurt to add

if (count > (SIZE_MAX / sizeof(*sep))) fail;
if (count > (SIZE_MAX / sizeof(*sep32))) fail;

or perhaps to introduce a kmem_calloc which would do this check for
us, and that way you could eyeball the code locally to verify its
safety without having to reason about the context.


Home | Main Index | Thread Index | Old Index