NetBSD-Bugs archive


Re: kern/41494



The following reply was made to PR bin/41494; it has been noted by GNATS.

From: Nicolas Joly <njoly%pasteur.fr@localhost>
To: Antti Kantee <pooka%NetBSD.org@localhost>
Cc: netbsd-bugs%netbsd.org@localhost, a%zhtw.org.ru@localhost
Subject: Re: kern/41494
Date: Wed, 27 May 2009 18:50:17 +0200

 On Wed, May 27, 2009 at 04:15:04PM +0000, Antti Kantee wrote:
 >  On Wed, May 27, 2009 at 05:23:01PM +0200, Nicolas Joly wrote:
 >  > For some reason the offset value in sysctlfs_node_read() exceeds the
 >  > localbuf buffer size, leading to an out-of-bound access with
 >  > memcopy...
 >  > 
 >  > 635             memcpy(buf, localbuf + offset, xfer);
 >  > (gdb) p localbuf
 >  > $1 = "NetBSD", '\0' <repeats 8185 times>
 >  > (gdb) p offset
 >  > $2 = 8199
 >  > (gdb) p sizeof(localbuf)
 >  > $3 = 8192
 >  > (gdb) p xfer
 >  > $4 = 4096
 >  
 >  Uh oh ... ok, I think this is what is happening:
 >  
 >          int xfer;
 >          xfer = MIN(*resid, strlen(localbuf) - offset);
 >  
 >  On i386 size_t (from strlen) is smaller than off_t (offset), hence
 >  it is widened to signed and the result of the calculation is
 >  signed (64) - signed(64) ==> signed.  On amd64 where size_t is the
 >  same size as off_t, the calculation is unsigned - signed (converted
 >  to unsigned) ==> unsigned and hence *resid is always smaller when
 >  offset is larger than the file size without the trailing \n.
 >  
 >  .... *blink blink*.  I must confess I didn't see that one coming
 >  when I wrote the code.
 >  
 >  Try if this helps this:
 
 No luck ... But this slightly modified version makes the following
 command successful.
 
        find /mnt -type f | xargs cat
 
 Index: sysctlfs.c
 ===================================================================
 RCS file: /cvsroot/src/usr.sbin/puffs/mount_sysctlfs/sysctlfs.c,v
 retrieving revision 1.10
 diff -u -p -r1.10 sysctlfs.c
 --- sysctlfs.c 18 Jan 2009 10:10:47 -0000      1.10
 +++ sysctlfs.c 27 May 2009 16:41:29 -0000
 @@ -627,7 +627,10 @@ sysctlfs_node_read(struct puffs_usermoun
                return EISDIR;
  
        doprint(sfs, &pn->pn_po, localbuf, sizeof(localbuf));
 -      xfer = MIN(*resid, strlen(localbuf) - offset);
 +      if (strlen(localbuf) < offset)
 +              xfer = 0;
 +      else
 +              xfer = MIN(*resid, strlen(localbuf) - offset);
  
        if (xfer <= 0)
                return 0;
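
 Review bot: the new guard `if (strlen(localbuf) < offset)` compares size_t with off_t, the same mixed-width comparison that produced the wrong xfer in the first place. For offset >= 0 it is correct on both widths, and on amd64 a negative offset converts to a large unsigned value and also ends up as xfer = 0; on i386, though, where size_t widens to signed off_t as explained above, a negative offset would pass the guard and make `strlen(localbuf) - offset` larger than the 8192-byte buffer. If offset can be negative at this point, add `offset < 0 ||` to the guard; either way, consider computing `strlen(localbuf)` once into a size_t local instead of calling it twice.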
 
 
 -- 
 Nicolas Joly
 
 Biological Software and Databanks.
 Institut Pasteur, Paris.
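
A stand-alone C model of the width difference Antti describes above, added here as an example and not part of the PR or the NetBSD sources: it uses fixed-width types to stand in for i386 and amd64 size_t/off_t, reproduces the values from the gdb session, and applies the guard from the follow-up patch. The names xfer_i386, xfer_amd64, xfer_patched and simulate_read are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* i386 model: size_t (len, *resid) is 32-bit, off_t signed 64-bit; len widens
 * to int64_t, len - offset goes negative when offset > len, MIN picks it. */
static int xfer_i386(uint32_t resid, uint32_t len, int64_t offset)
{
    return (int)MIN(resid, len - offset);   /* xfer is an int in sysctlfs.c */
}

/* amd64 model: size_t is 64-bit like off_t; offset converts to unsigned,
 * len - offset wraps to a huge value, and MIN picks resid instead. */
static int xfer_amd64(uint64_t resid, uint64_t len, int64_t offset)
{
    return (int)MIN(resid, len - offset);
}

/* The guard from the follow-up patch in this mail, on the amd64 model. */
static int xfer_patched(uint64_t resid, uint64_t len, int64_t offset)
{
    if (len < offset)
        return 0;
    return (int)MIN(resid, len - offset);
}

/* Models memcpy(buf, localbuf + offset, xfer): bytes copied, 0 for the
 * early "xfer <= 0" return, -1 if the copy would run past localbuf. */
static int simulate_read(int xfer, int64_t offset, size_t bufsize)
{
    if (xfer <= 0)
        return 0;
    if (offset < 0 || (uint64_t)offset + (uint64_t)xfer > bufsize)
        return -1;
    return xfer;
}

int main(void)
{
    /* Values from the gdb session: "NetBSD", 8192-byte buffer, offset 8199, resid 4096. */
    uint64_t len = strlen("NetBSD"), resid = 4096;
    int64_t offset = 8199;
    int a = xfer_amd64(resid, len, offset);
    printf("i386 xfer=%d\n", xfer_i386((uint32_t)resid, (uint32_t)len, offset));
    printf("amd64 xfer=%d -> read %d\n", a, simulate_read(a, offset, 8192));
    printf("patched xfer=%d\n", xfer_patched(resid, len, offset));
    return 0;
}
```

On the i386 model xfer comes out negative and the early return hides the problem; on the amd64 model it is 4096 and the copy would run 4103 bytes past the end of localbuf.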
 

