| Summary: | System panics, when user calls poll with parameters in wrong order | | |
|---|---|---|---|
| Product: | Base System | Reporter: | ak03 <ak03> |
| Component: | kern | Assignee: | freebsd-bugs (Nobody) <bugs> |
| Status: | Closed FIXED | | |
| Severity: | Affects Only Me | | |
| Priority: | Normal | | |
| Version: | 5.0-CURRENT | | |
| Hardware: | Any | | |
| OS: | Any | | |
State Changed From-To: open->closed

Functionally similar fix applied, thanks!
While trying to compile the new ksh93 updated recently by Steve Price, I've discovered that this port in its current form causes -CURRENT to panic. The problem is with one of the tests the ksh93 build system is running to determine target system capabilities. Namely, it tries to check if the poll function takes a pointer to the array of file descriptors as its second parameter, i.e. it does something like:

```c
poll(1, &fd, 0)
```

The kernel then tries to allocate memory for what it thinks is a very large array of fd's, and malloc panics the machine because of insufficient kernel address space. There are checks in the kernel which are supposed to prevent exactly this problem, but they are not catching the bogus 'nfds' value because the 'nfds' variable is defined as int and is treated as negative for huge values like a pointer value.

Attached patch fixes the problem by defining the nfds variable as u_int.

How-To-Repeat:

```c
/* No prototype for poll() is in scope, so the compiler accepts the swapped arguments. */
int fd;   /* declared so the snippet compiles; only its address matters */

main()
{
	poll(1, &fd, 0);   /* &fd lands in the nfds argument */
}
```
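The signedness problem described in this report, as an added example that is not code from the report or from the FreeBSD kernel: a user-space model of a limit check on a signed count beside the same check on an unsigned count. `FD_LIMIT`, `struct pfd`, `struct verdict`, both function names and the sample address are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FD_LIMIT 1024   /* hypothetical per-process descriptor limit */

struct pfd { int fd; short events, revents; };    /* stand-in for struct pollfd */
struct verdict { int accepted; size_t bytes; };   /* what the check let through */

/* Before: the count is held in a signed int, as the report describes. */
struct verdict check_signed(uint32_t raw)
{
    struct verdict v = { 0, 0 };
    int nfds = (int)raw;                 /* a pointer-sized value turns negative */
    if (nfds > FD_LIMIT)                 /* negative count slips under the limit */
        return v;
    v.accepted = 1;
    v.bytes = (size_t)nfds * sizeof(struct pfd);  /* negative converts to a huge size */
    return v;
}

/* After: the same comparison on an unsigned count rejects the value. */
struct verdict check_unsigned(uint32_t raw)
{
    struct verdict v = { 0, 0 };
    unsigned int nfds = raw;
    if (nfds > (unsigned int)FD_LIMIT)
        return v;
    v.accepted = 1;
    v.bytes = (size_t)nfds * sizeof(struct pfd);
    return v;
}

int main(void)
{
    uint32_t ptr = 0xbfbff000u;   /* constructed 32-bit address passed as nfds */
    struct verdict a = check_signed(ptr), b = check_unsigned(ptr);
    printf("signed:   accepted=%d bytes=%zu\n", a.accepted, a.bytes);
    printf("unsigned: accepted=%d bytes=%zu\n", b.accepted, b.bytes);
    return 0;
}
```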