Message-Id: <200812170630.mBH6UEhX015752@www.freebsd.org>
Date: Wed, 17 Dec 2008 06:30:14 GMT
From: Bruce Cran <bruce@cran.org.uk>
To: freebsd-gnats-submit@FreeBSD.org
Subject: top(1) corrupts SIZE field when a process allocates 2048GB memory
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         129706
>Category:       bin
>Synopsis:       top(1) corrupts SIZE field when a process allocates 2048GB memory
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    brucec
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Dec 17 06:40:01 UTC 2008
>Closed-Date:    Tue Apr 20 20:27:41 UTC 2010
>Last-Modified:  Tue Apr 20 20:30:01 UTC 2010
>Originator:     Bruce Cran
>Release:        7.1-RC1
>Organization:
>Environment:
FreeBSD 7.1-RC1 amd64
>Description:
When a process allocates over 2TB, top can corrupt the SIZE field and display a series of characters instead.  It only appears to happen on TB boundaries - i.e. 2048GB, 3072GB etc.  7.1-RC1 and 8-CURRENT (from 2008-12-15) both show the problem.
>How-To-Repeat:
Compile the following code and once running run top to see the process listed.

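#include <stdio.h>   /* getchar() */
#include <stdlib.h>  /* malloc() */
int main(void)
{
  /* Reserve 2048GB so the process shows up with that SIZE in top(1). */
  char *c = malloc(2048LL*1024*1024*1024);
  if (c == NULL)
    return 1;  /* allocation refused; nothing to observe */
  getchar();   /* keep the process alive while top runs */
  return 0;
}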
>Fix:


>Release-Note:
>Audit-Trail:

From: "Garrett Cooper" <yanefbsd@gmail.com>
To: "Bruce Cran" <bruce@cran.org.uk>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/129706: top(1) corrupts SIZE field when a process allocates 2048GB memory
Date: Tue, 16 Dec 2008 22:51:42 -0800

 On Tue, Dec 16, 2008 at 10:30 PM, Bruce Cran <bruce@cran.org.uk> wrote:
 >
 >>Number:         129706
 >>Category:       bin
 >>Synopsis:       top(1) corrupts SIZE field when a process allocates 2048GB memory
 >>Confidential:   no
 >>Severity:       non-critical
 >>Priority:       low
 >>Responsible:    freebsd-bugs
 >>State:          open
 >>Quarter:
 >>Keywords:
 >>Date-Required:
 >>Class:          sw-bug
 >>Submitter-Id:   current-users
 >>Arrival-Date:   Wed Dec 17 06:40:01 UTC 2008
 >>Closed-Date:
 >>Last-Modified:
 >>Originator:     Bruce Cran
 >>Release:        7.1-RC1
 >>Organization:
 >>Environment:
 > FreeBSD 7.1-RC1 amd64
 >>Description:
 > When a process allocates over 2TB, top can corrupt the SIZE field and display a series of characters instead.  It only appears to happen on TB boundaries - i.e 2048GB, 3072GB etc.  7.1-RC1 and 8-CURRENT (from 2008-12-15) both show the problem.
 >>How-To-Repeat:
 > Compile the following code and once running run top to see the process listed.
 >
 > #include <stdlib.h>
 > int main(void)
 > {
 >  char *c = malloc(2048LL*1024*1024*1024);
 >  getchar();
 >  return 0;
 > }
 
 Although I'd love to say it's top, it sounds more like a weird corner
 case dealing with overflow / underflow and vmem allocation.
 -Garrett

From: Bruce Cran <bruce@cran.org.uk>
To: Garrett Cooper <yanefbsd@gmail.com>
Cc: Bruce Cran <bruce@cran.org.uk>, freebsd-gnats-submit@freebsd.org
Subject: Re: bin/129706: top(1) corrupts SIZE field when a process
	allocates 2048GB memory
Date: Thu, 18 Dec 2008 01:13:28 -0500

 On Tue, Dec 16, 2008 at 10:51:42PM -0800, Garrett Cooper wrote:
 > Although I'd love to say it's top, it sounds more like a weird corner
 > case dealing with overflow / underflow and vmem allocation.
 
 It looks like it's an overflow bug in contrib/top/utils.c because
 format_2k uses a signed 'int' to represent the amount of memory:
 changing it to 'unsigned int' appears to fix it.
 top-3.8beta1 has removed the format_2k function but also changed the
 other format functions to take a 'long' parameter instead of 'int'.
 
 -- 
 Bruce Cran
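
Added example, not part of the original PR or of top's source: it shows what a kilobyte count becomes when narrowed into a 32-bit signed int at the sizes named in the report, next to a formatter that keeps the amount in 64 bits. The names gb_to_kb, narrow_to_int and format_size and the sample sizes are constructed for illustration; format_size is a hypothetical stand-in, not format_k2.

```c
#include <stdio.h>

/* Kilobytes in `gb` gigabytes; 2048GB is exactly 2^31 KB. */
static unsigned long long gb_to_kb(unsigned long long gb)
{
    return gb * 1024ULL * 1024ULL;
}

/* Value a 32-bit signed int ends up holding when a 64-bit KB count is
 * narrowed into it (low 32 bits kept, two's-complement, as on amd64). */
static int narrow_to_int(unsigned long long kb)
{
    return (int)(unsigned int)kb;
}

/* Hypothetical formatter (assumption, not top's code): scales a 64-bit KB
 * count to K/M/G/T and writes at most `len` bytes. Returns snprintf's count. */
static int format_size(unsigned long long kb, char *buf, size_t len)
{
    static const char tags[] = "KMGT";
    size_t t = 0;

    while (kb >= 100000ULL && tags[t + 1] != '\0') {
        kb = (kb + 512) / 1024;   /* round to the next unit */
        t++;
    }
    return snprintf(buf, len, "%llu%c", kb, tags[t]);
}

int main(void)
{
    /* Constructed sample sizes around the boundaries from the report. */
    const unsigned long long sizes_gb[] = { 1024, 2047, 2048, 3072, 4096 };
    char buf[16];

    for (size_t i = 0; i < sizeof(sizes_gb) / sizeof(sizes_gb[0]); i++) {
        unsigned long long kb = gb_to_kb(sizes_gb[i]);

        format_size(kb, buf, sizeof(buf));
        printf("%5lluGB  kb=%-12llu as int=%-12d 64-bit=%s\n",
               sizes_gb[i], kb, narrow_to_int(kb), buf);
    }
    return 0;
}
```

From 2048GB upward the narrowed value is negative or wraps to a small number, which is the input a digit-by-digit integer formatter was never written to handle.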
Responsible-Changed-From-To: freebsd-bugs->brucec  
Responsible-Changed-By: brucec 
Responsible-Changed-When: Sun Feb 28 14:36:55 UTC 2010 
Responsible-Changed-Why:  
Take. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=129706 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/129706: commit references a PR
Date: Sat, 13 Mar 2010 11:17:54 +0000 (UTC)

 Author: brucec
 Date: Sat Mar 13 11:17:39 2010
 New Revision: 205119
 URL: http://svn.freebsd.org/changeset/base/205119
 
 Log:
   Change the 'amt' parameter in format_k2 from int to unsigned long long
   to match the values passed in and prevent the SIZE field being corrupted
   when more than 2TB is allocated.
   
   PR:		bin/129706
   Approved by:	rrs (mentor)
   MFC after:	1 week
 
 Modified:
   head/contrib/top/utils.c
 
 Modified: head/contrib/top/utils.c
 ==============================================================================
 --- head/contrib/top/utils.c	Sat Mar 13 11:08:57 2010	(r205118)
 +++ head/contrib/top/utils.c	Sat Mar 13 11:17:39 2010	(r205119)
 @@ -476,7 +476,7 @@ int amt;
  
  char *format_k2(amt)
  
 -int amt;
 +unsigned long long amt;
  
  {
      static char retarray[NUM_STRINGS][16];
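
Review bot: format_k2 keeps its old-style (K&R) definition with `unsigned long long amt;`, and this revision modifies only utils.c, so a caller with no prototype in scope passes its argument under the default promotions instead of converting it to unsigned long long. A call site that hands over an int or long then mismatches the parameter type. Suggest adding `char *format_k2(unsigned long long);` to utils.h in the same change.
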
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: open->patched  
State-Changed-By: brucec 
State-Changed-When: Sat Mar 13 11:22:24 UTC 2010 
State-Changed-Why:  
Fixed in HEAD. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=129706 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/129706: commit references a PR
Date: Tue, 20 Apr 2010 20:19:29 +0000 (UTC)

 Author: brucec
 Date: Tue Apr 20 20:19:19 2010
 New Revision: 206911
 URL: http://svn.freebsd.org/changeset/base/206911
 
 Log:
   MFC r205119 and r206056:
   
   Prevent the SIZE field being corrupted when a process allocates more than
   2TB.
   
   PR:	bin/129706
   Submitted by:	brucec
   Approved by: 	rrs (mentor)
 
 Modified:
   stable/8/contrib/top/utils.c
   stable/8/contrib/top/utils.h
 Directory Properties:
   stable/8/contrib/top/   (props changed)
   stable/8/contrib/top/install-sh   (props changed)
 
 Modified: stable/8/contrib/top/utils.c
 ==============================================================================
 --- stable/8/contrib/top/utils.c	Tue Apr 20 20:09:45 2010	(r206910)
 +++ stable/8/contrib/top/utils.c	Tue Apr 20 20:19:19 2010	(r206911)
 @@ -476,7 +476,7 @@ int amt;
  
  char *format_k2(amt)
  
 -int amt;
 +unsigned long long amt;
  
  {
      static char retarray[NUM_STRINGS][16];
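
Review bot: the trailing context keeps `static char retarray[NUM_STRINGS][16];` while amt widens to unsigned long long, and the function body lies outside the hunk. Please confirm that whatever turns amt into digits was widened too (a helper taking int would narrow the value again) and that 16 bytes still holds the longest result plus the unit tag and terminator.
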
 
 Modified: stable/8/contrib/top/utils.h
 ==============================================================================
 --- stable/8/contrib/top/utils.h	Tue Apr 20 20:09:45 2010	(r206910)
 +++ stable/8/contrib/top/utils.h	Tue Apr 20 20:19:19 2010	(r206911)
 @@ -21,4 +21,4 @@ long percentages();
  char *errmsg();
  char *format_time();
  char *format_k();
 -char *format_k2();
 +char *format_k2(unsigned long long);
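
Review bot: only format_k2 gains a prototype; `char *format_k();` directly above it stays an empty-parenthesis declaration, so its arguments are still neither checked nor converted. If format_k is also given kilobyte counts it deserves the same treatment, and every file that calls format_k2 has to include utils.h for the new declaration to take effect.
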
 
State-Changed-From-To: patched->closed 
State-Changed-By: brucec 
State-Changed-When: Tue Apr 20 20:27:24 UTC 2010 
State-Changed-Why:  
Fix has been committed to stable/7 and stable/8. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=129706 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/129706: commit references a PR
Date: Tue, 20 Apr 2010 20:21:15 +0000 (UTC)

 Author: brucec
 Date: Tue Apr 20 20:21:01 2010
 New Revision: 206912
 URL: http://svn.freebsd.org/changeset/base/206912
 
 Log:
   MFC r205119 and r206056:
   
   Prevent the SIZE field being corrupted when a process allocates more than
   2TB.
   
   PR:	bin/129706
   Submitted by:	brucec
   Approved by:	rrs (mentor)
 
 Modified:
   stable/7/contrib/top/utils.c
   stable/7/contrib/top/utils.h
 Directory Properties:
   stable/7/contrib/top/   (props changed)
 
 Modified: stable/7/contrib/top/utils.c
 ==============================================================================
 --- stable/7/contrib/top/utils.c	Tue Apr 20 20:19:19 2010	(r206911)
 +++ stable/7/contrib/top/utils.c	Tue Apr 20 20:21:01 2010	(r206912)
 @@ -476,7 +476,7 @@ int amt;
  
  char *format_k2(amt)
  
 -int amt;
 +unsigned long long amt;
  
  {
      static char retarray[NUM_STRINGS][16];
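
Review bot: the hunk header context `int amt;` shows an earlier parameter declaration in this file, presumably the preceding formatter, that still takes a plain int amount. If that function can be reached with values derived from process or system memory sizes, it has the same 2^31 KB ceiling and should be widened alongside format_k2.
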
 
 Modified: stable/7/contrib/top/utils.h
 ==============================================================================
 --- stable/7/contrib/top/utils.h	Tue Apr 20 20:19:19 2010	(r206911)
 +++ stable/7/contrib/top/utils.h	Tue Apr 20 20:21:01 2010	(r206912)
 @@ -21,4 +21,4 @@ long percentages();
  char *errmsg();
  char *format_time();
  char *format_k();
 -char *format_k2();
 +char *format_k2(unsigned long long);
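
Review bot: with `char *format_k2(unsigned long long);` in scope, a signed argument is converted silently, so a negative value (an error sentinel, or an int that already overflowed in the caller) shows up as a very large SIZE instead of being caught. Worth checking that each call site computes the kilobyte count in a 64-bit type before the call rather than relying on the conversion at the call.
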
 
>Unformatted:
