NetBSD-Bugs archive


kern/42498: kfilter_register() allocates incorrect size for user_filters



>Number:         42498
>Category:       kern
>Synopsis:       kfilter_register() allocates incorrect size for user_filters
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Dec 22 20:15:00 +0000 2009
>Originator:     Gregory Andersen
>Release:        NetBSD 5.0.1
>Organization:
Cradlepoint Technology, Inc.
>Environment:
NetBSD  5.0.1 NetBSD 5.0.1 (TR) #5: Tue Dec 22 12:43:58 MST 2009 evbmips
>Description:
When registering multiple user kfilters via kfilter_register() the user_filters 
structure seems to be allocated incorrectly and subsequent operations on the 
filter will panic the kernel.
>How-To-Repeat:
Implement multiple user kfilters registered via kfilter_register() in the 
kernel. Call 'kevent' from userland on the second custom filter (after 
successfully looking up the kqueue id via the KFILTER_BYNAME ioctl) to panic 
the kernel with a TLB fault.  

Backtrace from DDB is corrupted.
>Fix:
--- kern_event.c.1.60.6.1       2009-12-22 13:10:49.166156959 -0700
+++ kern_event.c        2009-12-22 13:10:30.396153163 -0700
@@ -291,7 +291,7 @@
        if (user_kfilterc + 1 > user_kfiltermaxc) {
                /* Grow in KFILTER_EXTENT chunks. */
                user_kfiltermaxc += KFILTER_EXTENT;
-               len = user_kfiltermaxc * sizeof(struct filter *);
+               len = user_kfiltermaxc * sizeof(struct kfilter);
                kfilter = kmem_alloc(len, KM_SLEEP);
                memset((char *)kfilter + user_kfiltersz, 0, len - 
user_kfiltersz);
                if (user_kfilters != NULL) {
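Review bot: the changed line makes len consistent with how kfilter is used (an array of struct kfilter rather than of pointers), but the hunk stops before the code that copies the old array and updates user_kfiltersz, so check that user_kfiltersz is assigned the new len in the same units; the memset clears only the bytes from user_kfiltersz up to len, so a stale or pointer-sized user_kfiltersz on the next growth would leave part of the new allocation uninitialized or clear too little. A reviewer would also ask for `len = user_kfiltermaxc * sizeof(*kfilter);` instead of naming the type, so the element size cannot drift from the variable that receives kmem_alloc() again. The original miscalculation allocated only one pointer's worth of space per entry, so writing the second registered filter ran past the end of the kmem allocation into adjacent kernel memory, which matches the TLB fault and corrupted DDB backtrace in the report.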
