tech-kern archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: [PATCH] netbsd32 swapctl, round 4
Date: Mon, 03 Feb 2014 00:37:34 +1100
from: matthew green <mrg%eterna.com.au@localhost>
> > + sep = kmem_alloc(sizeof(*sep) * count, KM_SLEEP);
> > + sep32 = kmem_alloc(sizeof(*sep32) * count, KM_SLEEP);
>
> You can overflow "sizeof(*sep) * count", make the kmem_alloc(...)
> succeed (the overflow will result in a small size_t if "count" is
> properly chosen which is the size kmem_alloc() expects), then corrupt
> adjacent kernel memory through the loop when writing into sep32 array.
it would require having about 4 million swap devices to trigger this.
... nothing to see here, move right along. :-)
Nevertheless, it wouldn't hurt to add
if (count > (SIZE_MAX / sizeof(*sep))) fail;
if (count > (SIZE_MAX / sizeof(*sep32))) fail;
or perhaps to introduce a kmem_calloc which would do this check for
us, and that way you could eyeball the code locally to verify its
safety without having to reason about the context.
Home |
Main Index |
Thread Index |
Old Index