Re: A bunch of memory allocation bugs in CGD

From: ALeine (aleine_at_austrosearch.net)
Date: 03/30/05

    Date: Wed, 30 Mar 2005 10:29:53 -0800 (PST)
    To: elric@imrryr.org
    
    

    elric@imrryr.org wrote:

    > Thanks for having a look at that. I have checked in a fix.

    Thanks for responding so quickly.
     
    > I presume that you have addressed the cases in GBDE where
    > malloc's return code has not been checked? If so, perhaps
    > cvsweb is a little behind. It looks to me like 2 or 4 mallocs
    > can use a buffer without checking the return code.

    There are two malloc bugs in GBDE, but both are minor and have
    no security implications. Both bugs are in src/sbin/gbde/gbde.c:

    - the first bug is in cmd_nuke() and could not be seen as much
      of a bug because cmd_nuke() is used to destroy lock sectors.
      If this fails due to memory starvation no sensitive information
      is leaked, only a write(2) call fails and gbde terminates
      correctly upon catching and reporting the write error.

    - the second bug is in cmd_write(), where a buffer is allocated
      and checked, but not immediately, so there is a case where it
      can be used before it gets checked. However, even if this happens,
      only a read(2) call fails and gbde terminates correctly upon
      catching and reporting the read error.

    In src/sys/geom/bde/g_bde.c there is also a g_malloc() allocated buffer
    which is unchecked, but since the allocation is done with the M_WAITOK
    flag it's safe. This means there are no malloc bugs in GBDE which could
    cause a segmentation violation.

    I have sent the patch for the minor malloc bugs I described above to
    Poul-Henning, so I expect him to review it and commit the appropriate
    fix in the near future.

    ALeine
    _______________________________________________
    freebsd-hackers@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
    To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
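
The use-before-check pattern described for cmd_write() in the message above, next to the check-immediately form, as an added illustration that is not part of the original message and is not code from gbde. The function names, the injectable allocator, and the pipe carrying a constructed 16-byte sector are assumptions made for the example.

```c
/* Added illustration; not gbde code. All names here are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
typedef void *(*alloc_fn)(size_t);

/* Simulates memory starvation: fails the way malloc(3) does. */
static void *failing_alloc(size_t n) { (void)n; errno = ENOMEM; return NULL; }

/* Delayed check: the buffer reaches read(2) before it is tested, so a
 * NULL buffer surfaces as a read error (EFAULT) rather than ENOMEM. */
static int read_sector_late_check(int fd, size_t len, alloc_fn alloc)
{
    unsigned char *buf = alloc(len);
    ssize_t n = read(fd, buf, len);            /* buf may be NULL here */
    int rc;
    if (n < 0) rc = errno;                     /* read error is reported first */
    else if (buf == NULL) rc = ENOMEM;         /* the check arrives too late */
    else rc = (n == (ssize_t)len) ? 0 : EIO;
    free(buf);
    return rc;
}

/* Immediate check: allocation failure is reported before any use. */
static int read_sector_checked(int fd, size_t len, alloc_fn alloc)
{
    unsigned char *buf = alloc(len);
    if (buf == NULL) return ENOMEM;
    ssize_t n = read(fd, buf, len);
    int rc = n < 0 ? errno : (n == (ssize_t)len ? 0 : EIO);
    free(buf);
    return rc;
}

/* Runs one variant against a pipe holding a constructed 16-byte sector. */
static int demo(int (*variant)(int, size_t, alloc_fn), alloc_fn alloc)
{
    int p[2];
    static const unsigned char sector[16] = {0};   /* constructed sample data */
    if (pipe(p) != 0) return -1;
    if (write(p[1], sector, sizeof sector) != (ssize_t)sizeof sector) return -1;
    int rc = variant(p[0], sizeof sector, alloc);
    close(p[0]); close(p[1]);
    return rc;
}

int main(void)
{
    printf("late check rc=%d, immediate check rc=%d\n",
           demo(read_sector_late_check, failing_alloc),
           demo(read_sector_checked, failing_alloc));
    return 0;
}
```

Both variants fail cleanly when the allocator returns NULL; the difference is which error the caller sees and whether the NULL pointer ever reaches a system call.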

