Bug 199518
| Summary: | [patch] use uninitialized field td_sel of struct thread | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Base System | Reporter: | luke.tw | ||||
| Component: | kern | Assignee: | freebsd-bugs (Nobody) <bugs> | ||||
| Status: | Closed FIXED | ||||||
| Severity: | Affects Only Me | CC: | kib, op | ||||
| Priority: | --- | Keywords: | patch | ||||
| Version: | CURRENT | Flags: | op:
mfc-stable10+
|
||||
| Hardware: | Any | ||||||
| OS: | Any | ||||||
| Attachments: |
|
||||||
A commit references this bug: Author: kib Date: Sat Apr 18 17:21:13 UTC 2015 New revision: 281696 URL: https://svnweb.freebsd.org/changeset/base/281696 Log: Initialize td_sel in the thread_init(). Struct thread is not zeroed on the initial allocation, but seltdinit() assumes that td_sel is NULL or a valid pointer. Note that thread_fini()/seltdfini() also relies on this, but correctly resets td_sel to NULL. Submitted by: luke.tw@gmail.com PR: 199518 MFC after: 1 week Changes: head/sys/kern/kern_thread.c A commit references this bug: Author: kib Date: Sat Apr 25 08:06:22 UTC 2015 New revision: 281979 URL: https://svnweb.freebsd.org/changeset/base/281979 Log: MFC r281696: Initialize td_sel in the thread_init(). PR: 199518 Changes: _U stable/10/ stable/10/sys/kern/kern_thread.c A commit references this bug: Author: kib Date: Sat Apr 25 08:09:16 UTC 2015 New revision: 281980 URL: https://svnweb.freebsd.org/changeset/base/281980 Log: MFC r281696: Initialize td_sel in the thread_init(). PR: 199518 Changes: _U stable/9/sys/ stable/9/sys/kern/kern_thread.c |
Created attachment 155694 [details] patch for thread_init() When thread_alloc() allocates struct thread from thread_zone, the field td_sel is not initialized. Later in seltdinit(), if td_sel is not NULL, then this field will not allocate memory. While not easy to run into the bug in normal configuration, it is easy to panic when memguard deliberately overwrites the freed memory with 'M'.