From nobody@FreeBSD.org  Mon Jan 28 10:01:29 2013
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1])
	by hub.freebsd.org (Postfix) with ESMTP id 1ABC2E68
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 28 Jan 2013 10:01:29 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id EAF64808
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 28 Jan 2013 10:01:28 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.5/8.14.5) with ESMTP id r0SA1SlL091728
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 28 Jan 2013 10:01:28 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.5/8.14.5/Submit) id r0SA1Sl2091719;
	Mon, 28 Jan 2013 10:01:28 GMT
	(envelope-from nobody)
Message-Id: <201301281001.r0SA1Sl2091719@red.freebsd.org>
Date: Mon, 28 Jan 2013 10:01:28 GMT
From: Yuri <yuri@tsoft.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [PATCH] Fix for buffer corruption in libproc
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         175648
>Category:       kern
>Synopsis:       [libproc] [patch] Fix for buffer corruption in libproc
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jan 28 10:10:00 UTC 2013
>Closed-Date:    Fri Mar 01 19:02:23 UTC 2013
>Last-Modified:  Fri Mar 01 19:02:23 UTC 2013
>Originator:     Yuri
>Release:        9.1-STABLE
>Organization:
n/a
>Environment:
>Description:
Please check in the attached patch.
Please MFC to 9.X.

The patch fixes the buffer corruption caused by the wrong size being passed to realloc.
The bug can be experienced by calling ustack() from a dtrace script when the number of entries in /proc/PID/map is greater than 64.

>How-To-Repeat:

>Fix:


Patch attached with submission follows:

Index: lib/libproc/proc_rtld.c
===================================================================
--- lib/libproc/proc_rtld.c	(revision 245708)
+++ lib/libproc/proc_rtld.c	(working copy)
@@ -44,7 +44,7 @@
 
 	if (phdl->nobjs >= phdl->rdobjsz) {
 		phdl->rdobjsz *= 2;
-		phdl->rdobjs = realloc(phdl->rdobjs, phdl->rdobjsz);
+		phdl->rdobjs = realloc(phdl->rdobjs, sizeof(*phdl->rdobjs) * phdl->rdobjsz);
 		if (phdl->rdobjs == NULL)
 			return (-1);
 	}
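Review bot: the size computation on the + line is now right (rdobjsz is an element count, and the old call asked realloc() for rdobjsz bytes, i.e. one byte per rd_loadobj_t, so once more than 64 objects were mapped the array was written past its end), but the `phdl->rdobjs = realloc(phdl->rdobjs, ...)` idiom still drops the only pointer to the old array when realloc() returns NULL: the following `return (-1)` leaves it unreachable and leaked. Either use reallocf(), which frees the old block on failure, or realloc into a temporary and assign to phdl->rdobjs only on success.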


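The mechanism behind this report (an element count passed to realloc() where a byte count was expected) and the shape of the corrected growth step, as an added C example that is not part of the PR or of FreeBSD's libproc. The struct and field names are constructed stand-ins for rd_loadobj_t and struct proc_handle, xreallocf() is a portable stand-in for BSD reallocf(), and the grow step departs from the committed code in one respect: it checks for size_t overflow and commits the new capacity only after the reallocation succeeds.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for rd_loadobj_t; only the size matters here. */
typedef struct {
    uintptr_t rdl_saddr;      /* hypothetical field names */
    uintptr_t rdl_eaddr;
    char      rdl_path[64];
} loadobj_t;

/* Constructed stand-in for the relevant part of struct proc_handle. */
typedef struct {
    loadobj_t *rdobjs;
    size_t     nobjs;
    size_t     rdobjsz;       /* capacity in ELEMENTS, not bytes */
} handle_t;

#define INITIAL_CAP 64

/* Bytes the unpatched code asked realloc() for: the element count itself. */
size_t buggy_request_bytes(size_t rdobjsz) { return rdobjsz; }

/* Bytes actually needed to hold rdobjsz elements (what the patch computes). */
size_t fixed_request_bytes(size_t rdobjsz) { return sizeof(loadobj_t) * rdobjsz; }

/* Portable equivalent of BSD reallocf(): free the old block when realloc()
 * fails, so the `p = reallocf(p, n)` idiom cannot leak it. */
static void *xreallocf(void *p, size_t n) {
    void *np = realloc(p, n);
    if (np == NULL)
        free(p);
    return np;
}

int handle_init(handle_t *h) {
    h->nobjs = 0;
    h->rdobjsz = INITIAL_CAP;
    h->rdobjs = calloc(h->rdobjsz, sizeof(*h->rdobjs));
    return h->rdobjs == NULL ? -1 : 0;
}

/* Grow-and-append in the shape of the patched map_iter(): double the element
 * count, scale by sizeof(*rdobjs), refuse to grow if the byte count would
 * overflow, and record the new capacity only once the block really exists. */
int handle_append(handle_t *h, const loadobj_t *lo) {
    if (h->nobjs >= h->rdobjsz) {
        size_t newsz = h->rdobjsz * 2;
        if (newsz < h->rdobjsz || newsz > SIZE_MAX / sizeof(*h->rdobjs))
            return -1;    /* size_t overflow: fail rather than under-allocate */
        h->rdobjs = xreallocf(h->rdobjs, sizeof(*h->rdobjs) * newsz);
        if (h->rdobjs == NULL)
            return -1;
        h->rdobjsz = newsz;
    }
    h->rdobjs[h->nobjs++] = *lo;
    return 0;
}

void handle_free(handle_t *h) {
    free(h->rdobjs);
    h->rdobjs = NULL;
    h->nobjs = h->rdobjsz = 0;
}

/* Fill a handle with n constructed entries (addresses i, i+1); 0 on success. */
int fill_handle(handle_t *h, size_t n) {
    if (handle_init(h) != 0)
        return -1;
    for (size_t i = 0; i < n; i++) {
        loadobj_t lo;
        memset(&lo, 0, sizeof(lo));
        lo.rdl_saddr = i;
        lo.rdl_eaddr = i + 1;
        snprintf(lo.rdl_path, sizeof(lo.rdl_path), "/lib/constructed%zu.so", i);
        if (handle_append(h, &lo) != 0) {
            handle_free(h);
            return -1;
        }
    }
    return 0;
}

/* Build n entries, then verify every one survived the growth steps.
 * Returns the final capacity in elements, or 0 on failure or corruption. */
size_t grow_and_verify(size_t n) {
    handle_t h;
    if (fill_handle(&h, n) != 0)
        return 0;
    size_t cap = h.rdobjsz;
    int ok = h.nobjs == n;
    for (size_t i = 0; ok && i < n; i++)
        ok = h.rdobjs[i].rdl_saddr == i && h.rdobjs[i].rdl_eaddr == i + 1;
    handle_free(&h);
    return ok ? cap : 0;
}

int main(void) {
    printf("200 entries -> capacity %zu elements\n", grow_and_verify(200));
    printf("at 128 elements the unpatched code requested %zu bytes; %zu are needed\n",
           buggy_request_bytes(128), fixed_request_bytes(128));
    return 0;
}
```

The two request_bytes helpers make the original defect visible without writing past any buffer: with the constructed 80-byte element, the first growth step asked for 128 bytes where 10240 were needed, so every entry after the 64th landed outside the allocation.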
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->patched 
State-Changed-By: jhb 
State-Changed-When: Mon Jan 28 15:48:45 UTC 2013 
State-Changed-Why:  
I've committed the fix to HEAD along with a memory leak fix. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=175648 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/175648: commit references a PR
Date: Mon, 28 Jan 2013 15:48:45 +0000 (UTC)

 Author: jhb
 Date: Mon Jan 28 15:48:31 2013
 New Revision: 246035
 URL: http://svnweb.freebsd.org/changeset/base/246035
 
 Log:
   - Compute the correct size to reallocate when doubling the size of the
     array of loaded objects to avoid a buffer overrun.
   - Use reallocf() to avoid leaking memory if the realloc() fails.
   
   PR:		kern/175648
   Submitted by:	yuri@rawbw.com (1)
   MFC after:	1 week
 
 Modified:
   head/lib/libproc/proc_rtld.c
 
 Modified: head/lib/libproc/proc_rtld.c
 ==============================================================================
 --- head/lib/libproc/proc_rtld.c	Mon Jan 28 12:58:37 2013	(r246034)
 +++ head/lib/libproc/proc_rtld.c	Mon Jan 28 15:48:31 2013	(r246035)
 @@ -44,7 +44,8 @@ map_iter(const rd_loadobj_t *lop, void *
  
  	if (phdl->nobjs >= phdl->rdobjsz) {
  		phdl->rdobjsz *= 2;
 -		phdl->rdobjs = realloc(phdl->rdobjs, phdl->rdobjsz);
 +		phdl->rdobjs = reallocf(phdl->rdobjs, sizeof(*phdl->rdobjs) *
 +		    phdl->rdobjsz);
  		if (phdl->rdobjs == NULL)
  			return (-1);
  	}
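Review bot: reallocf() on the + lines closes the leak the submitted patch left, since the old block is freed when reallocation fails. One remaining nit: `phdl->rdobjsz *= 2` is applied before the reallocation, so on the `return (-1)` path the handle carries a doubled capacity alongside a NULL rdobjs; computing the new size into a local and assigning phdl->rdobjsz only after the reallocf() succeeds would keep the two fields consistent, and would also be the natural place for an overflow check on the doubling.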
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/175648: commit references a PR
Date: Fri,  1 Mar 2013 16:19:27 +0000 (UTC)

 Author: jhb
 Date: Fri Mar  1 16:19:09 2013
 New Revision: 247554
 URL: http://svnweb.freebsd.org/changeset/base/247554
 
 Log:
   MFC 246035:
   - Compute the correct size to reallocate when doubling the size of the
     array of loaded objects to avoid a buffer overrun.
   - Use reallocf() to avoid leaking memory if the realloc() fails.
   
   PR:		kern/175648
 
 Modified:
   stable/8/lib/libproc/proc_rtld.c
 Directory Properties:
   stable/8/lib/libproc/   (props changed)
 
 Modified: stable/8/lib/libproc/proc_rtld.c
 ==============================================================================
 --- stable/8/lib/libproc/proc_rtld.c	Fri Mar  1 16:18:40 2013	(r247553)
 +++ stable/8/lib/libproc/proc_rtld.c	Fri Mar  1 16:19:09 2013	(r247554)
 @@ -44,7 +44,8 @@ map_iter(const rd_loadobj_t *lop, void *
  
  	if (phdl->nobjs >= phdl->rdobjsz) {
  		phdl->rdobjsz *= 2;
 -		phdl->rdobjs = realloc(phdl->rdobjs, phdl->rdobjsz);
 +		phdl->rdobjs = reallocf(phdl->rdobjs, sizeof(*phdl->rdobjs) *
 +		    phdl->rdobjsz);
  		if (phdl->rdobjs == NULL)
  			return (-1);
  	}
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/175648: commit references a PR
Date: Fri,  1 Mar 2013 16:18:59 +0000 (UTC)

 Author: jhb
 Date: Fri Mar  1 16:18:40 2013
 New Revision: 247553
 URL: http://svnweb.freebsd.org/changeset/base/247553
 
 Log:
   MFC 246035:
   - Compute the correct size to reallocate when doubling the size of the
     array of loaded objects to avoid a buffer overrun.
   - Use reallocf() to avoid leaking memory if the realloc() fails.
   
   PR:		kern/175648
 
 Modified:
   stable/9/lib/libproc/proc_rtld.c
 Directory Properties:
   stable/9/lib/libproc/   (props changed)
 
 Modified: stable/9/lib/libproc/proc_rtld.c
 ==============================================================================
 --- stable/9/lib/libproc/proc_rtld.c	Fri Mar  1 15:59:14 2013	(r247552)
 +++ stable/9/lib/libproc/proc_rtld.c	Fri Mar  1 16:18:40 2013	(r247553)
 @@ -44,7 +44,8 @@ map_iter(const rd_loadobj_t *lop, void *
  
  	if (phdl->nobjs >= phdl->rdobjsz) {
  		phdl->rdobjsz *= 2;
 -		phdl->rdobjs = realloc(phdl->rdobjs, phdl->rdobjsz);
 +		phdl->rdobjs = reallocf(phdl->rdobjs, sizeof(*phdl->rdobjs) *
 +		    phdl->rdobjsz);
  		if (phdl->rdobjs == NULL)
  			return (-1);
  	}
 
State-Changed-From-To: patched->closed 
State-Changed-By: jhb 
State-Changed-When: Fri Mar 1 19:02:04 UTC 2013 
State-Changed-Why:  
Fix merged to 8 and 9. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=175648 
>Unformatted:
