I was just examining the kernel sources for the development plans I have and stumbled upon lib/libufs/block.c rev 1.10. The following code in bread() is incorrect: if (((intptr_t)data) & 0x3f) { p2 = malloc(size); if (p2 == NULL) ERROR(disk, "allocate bounce buffer"); } cnt = pread(disk->d_fd, p2, size, (off_t)(blockno * disk->d_bsize)); ERROR() only records the failure and does not leave the function, so if malloc() fails execution falls through and pread() is called with the NULL pointer p2 as its buffer. The same problem exists in bwrite(), where the consequence is worse because memcpy() writes through the NULL pointer before pwrite() is even reached: if (((intptr_t)data) & 0x3f) { p2 = malloc(size); if (p2 == NULL) ERROR(disk, "allocate bounce buffer"); memcpy(p2, data, size); data = p2; } cnt = pwrite(disk->d_fd, data, size, (off_t)(blockno * disk->d_bsize)); Fix: bail out immediately when the allocation fails: if (((intptr_t)data) & 0x3f) { p2 = malloc(size); if (p2 == NULL) { ERROR(disk, "allocate bounce buffer"); goto fail; } } cnt = pread(disk->d_fd, p2, size, (off_t)(blockno * disk->d_bsize)); .. if (((intptr_t)data) & 0x3f) { p2 = malloc(size); if (p2 == NULL) { ERROR(disk, "allocate bounce buffer"); return (-1); } memcpy(p2, data, size); data = p2; } cnt = pwrite(disk->d_fd, data, size, (off_t)(blockno * disk->d_bsize)); How-To-Repeat: call bread() or bwrite() with a buffer that is not 64-byte aligned (so that the bounce-buffer path is taken) and a size large enough that malloc(size) fails ...
Responsible Changed From-To: freebsd-bugs->freebsd-fs Over to maintainer(s).
Author: delphij
Date: Thu Apr 2 17:16:39 2009
New Revision: 190646
URL: http://svn.freebsd.org/changeset/base/190646
Log:
Bail out when memory allocation is failed, rather than referencing a NULL pointer.
PR: kern/94480
Submitted by: Michiel Pelt <m.pelt xs4all nl>
Modified:
head/lib/libufs/block.c
Modified: head/lib/libufs/block.c
==============================================================================
--- head/lib/libufs/block.c	Thu Apr 2 17:15:49 2009	(r190645)
+++ head/lib/libufs/block.c	Thu Apr 2 17:16:39 2009	(r190646)
@@ -64,8 +64,10 @@ bread(struct uufsd *disk, ufs2_daddr_t b
 	 */
 	if (((intptr_t)data) & 0x3f) {
 		p2 = malloc(size);
-		if (p2 == NULL)
+		if (p2 == NULL) {
 			ERROR(disk, "allocate bounce buffer");
+			goto fail;
+		}
 	}
 	cnt = pread(disk->d_fd, p2, size, (off_t)(blockno * disk->d_bsize));
 	if (cnt == -1) {
@@ -115,8 +117,10 @@ bwrite(struct uufsd *disk, ufs2_daddr_t
 	 */
 	if (((intptr_t)data) & 0x3f) {
 		p2 = malloc(size);
-		if (p2 == NULL)
+		if (p2 == NULL) {
 			ERROR(disk, "allocate bounce buffer");
+			return (-1);
+		}
 		memcpy(p2, data, size);
 		data = p2;
 	}
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
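Review bot: The added `goto fail` leaves bread() with p2 == NULL and `data` untouched, so the fix is only complete if the `fail:` path, which lies outside this hunk, tolerates a NULL bounce buffer — free(NULL) is harmless, but any copy-back into `data` or comparison against it there has to be guarded. That is presumably already true, since the pread() failure on the following context line appears to take the same exit, but it deserves a comment at the jump: `/* p2 is NULL here; the fail path must not copy from it */`. ERROR() evidently only records the message and falls through (otherwise the NULL dereference this commit fixes could not have been reached), which is the non-obvious fact the new braces exist for, and a one-line comment saying so would spare the next reader the same investigation. bread() starts and ends outside the hunk.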
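Review bot: bwrite() now bails out with a bare `return (-1)` while bread() uses `goto fail` for the identical condition; with nothing allocated at this point the direct return is correct, but the asymmetry invites a later edit that adds cleanup to one path and not the other, so a short comment such as `/* nothing to release: p2 is NULL and data is still the caller's buffer */` would make the choice deliberate. The -1 return also appears to rely on errno still carrying malloc()'s failure for callers that inspect it, since ERROR() seems to record only a string on the disk handle; keep that in mind if any call is ever inserted between the failed malloc() and the return. bwrite() continues outside the hunk.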
State Changed From-To: open->patched A fix has been applied against -HEAD, MFC reminder.
Responsible Changed From-To: freebsd-fs->delphij Take.
Author: delphij
Date: Thu May 28 21:17:27 2009
New Revision: 192995
URL: http://svn.freebsd.org/changeset/base/192995
Log:
Merge r190646: Bail out when memory allocation is failed, rather than referencing a NULL pointer.
PR: kern/94480
Submitted by: Michiel Pelt <m.pelt xs4all nl>
Modified:
stable/7/lib/libufs/ (props changed)
stable/7/lib/libufs/block.c
Modified: stable/7/lib/libufs/block.c
==============================================================================
--- stable/7/lib/libufs/block.c	Thu May 28 21:12:43 2009	(r192994)
+++ stable/7/lib/libufs/block.c	Thu May 28 21:17:27 2009	(r192995)
@@ -63,8 +63,10 @@ bread(struct uufsd *disk, ufs2_daddr_t b
 	 */
 	if (((intptr_t)data) & 0x3f) {
 		p2 = malloc(size);
-		if (p2 == NULL)
+		if (p2 == NULL) {
 			ERROR(disk, "allocate bounce buffer");
+			goto fail;
+		}
 	}
 	cnt = pread(disk->d_fd, p2, size, (off_t)(blockno * disk->d_bsize));
 	if (cnt == -1) {
@@ -114,8 +116,10 @@ bwrite(struct uufsd *disk, ufs2_daddr_t
 	 */
 	if (((intptr_t)data) & 0x3f) {
 		p2 = malloc(size);
-		if (p2 == NULL)
+		if (p2 == NULL) {
 			ERROR(disk, "allocate bounce buffer");
+			return (-1);
+		}
 		memcpy(p2, data, size);
 		data = p2;
 	}
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
State Changed From-To: patched->closed Patch applied against -CURRENT, stable/7 and stable/6, thanks for your submission!
Author: delphij
Date: Thu May 28 21:19:21 2009
New Revision: 192996
URL: http://svn.freebsd.org/changeset/base/192996
Log:
Merge r190646: Bail out when memory allocation is failed, rather than referencing a NULL pointer.
PR: kern/94480
Submitted by: Michiel Pelt <m.pelt xs4all nl>
Modified:
stable/6/lib/libufs/ (props changed)
stable/6/lib/libufs/block.c
Modified: stable/6/lib/libufs/block.c
==============================================================================
--- stable/6/lib/libufs/block.c	Thu May 28 21:17:27 2009	(r192995)
+++ stable/6/lib/libufs/block.c	Thu May 28 21:19:21 2009	(r192996)
@@ -63,8 +63,10 @@ bread(struct uufsd *disk, ufs2_daddr_t b
 	 */
 	if (((intptr_t)data) & 0x3f) {
 		p2 = malloc(size);
-		if (p2 == NULL)
+		if (p2 == NULL) {
 			ERROR(disk, "allocate bounce buffer");
+			goto fail;
+		}
 	}
 	cnt = pread(disk->d_fd, p2, size, (off_t)(blockno * disk->d_bsize));
 	if (cnt == -1) {
@@ -114,8 +116,10 @@ bwrite(struct uufsd *disk, ufs2_daddr_t
 	 */
 	if (((intptr_t)data) & 0x3f) {
 		p2 = malloc(size);
-		if (p2 == NULL)
+		if (p2 == NULL) {
 			ERROR(disk, "allocate bounce buffer");
+			return (-1);
+		}
 		memcpy(p2, data, size);
 		data = p2;
 	}
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"