From simon@comsys.ntu-kpi.kiev.ua  Mon Jun  6 09:42:55 2005
Return-Path: <simon@comsys.ntu-kpi.kiev.ua>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id AC7B516A41C
	for <FreeBSD-gnats-submit@freebsd.org>; Mon,  6 Jun 2005 09:42:55 +0000 (GMT)
	(envelope-from simon@comsys.ntu-kpi.kiev.ua)
Received: from comsys.ntu-kpi.kiev.ua (comsys.ntu-kpi.kiev.ua [195.245.194.142])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 0E91843D53
	for <FreeBSD-gnats-submit@freebsd.org>; Mon,  6 Jun 2005 09:42:50 +0000 (GMT)
	(envelope-from simon@comsys.ntu-kpi.kiev.ua)
Received: from pm514-9.comsys.ntu-kpi.kiev.ua (pm514-9.comsys.ntu-kpi.kiev.ua [10.18.54.109])
	(authenticated bits=0)
	by comsys.ntu-kpi.kiev.ua (8.12.10/8.12.10) with ESMTP id j569mPQk061353
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 6 Jun 2005 12:48:27 +0300 (EEST)
Received: by pm514-9.comsys.ntu-kpi.kiev.ua (Postfix, from userid 1000)
	id 9EA6FD9; Mon,  6 Jun 2005 12:41:32 +0300 (EEST)
Message-Id: <20050606094132.GA374@pm514-9.comsys.ntu-kpi.kiev.ua>
Date: Mon, 6 Jun 2005 12:41:32 +0300
From: Andrey Simonenko <simon@comsys.ntu-kpi.kiev.ua>
To: FreeBSD-gnats-submit@freebsd.org
Subject: [patch] _assert_sbuf_integrity causes panic for zero length buffer

>Number:         81943
>Category:       kern
>Synopsis:       [kernel] [patch] _assert_sbuf_integrity causes panic for zero length buffer
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    des
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jun 06 09:50:01 GMT 2005
>Closed-Date:    Fri Nov 10 23:32:12 GMT 2006
>Last-Modified:  Fri Nov 10 23:32:12 GMT 2006
>Originator:     Andrey Simonenko <simon@comsys.ntu-kpi.kiev.ua>
>Release:        FreeBSD 5.4-RELEASE-p1 i386
>Organization:
>Environment:

FreeBSD >= 4.4

>Description:

If INVARIANTS is enabled, then _assert_sbuf_integrity panics if
s_len == 0 and s_size == 0.  Really this is not a problem, since
nothing was written into the zero length buffer.

On FreeBSD 5.4 if INVARIANTS are enabled and procfs is mounted,
then anybody can read zero bytes from /proc/<pid>/map and the
system will panic.

Solution:

*	apply the patch given below, to allow s_len == 0 and s_size == 0
	in sbuf

*	don't allocate a zero length sbuf at all; but currently malloc(9)
	accepts zero length allocations (there is a relevant #if 0 in the
	source of malloc(9)), so this would require a revision of all /sys
	files.

>How-To-Repeat:

Enable INVARIANTS, mount procfs, read zero bytes from /proc/<pid>/map
and observe the panic.

>Fix:
--- subr_sbuf.c.orig	Fri Jul  9 11:37:44 2004
+++ subr_sbuf.c	Sat Jun  4 21:42:33 2005
@@ -91,7 +91,7 @@
 	    ("%s called with a NULL sbuf pointer", fun));
 	KASSERT(s->s_buf != NULL,
 	    ("%s called with uninitialized or corrupt sbuf", fun));
-	KASSERT(s->s_len < s->s_size,
+	KASSERT(s->s_len < s->s_size || s->s_len == 0,
 	    ("wrote past end of sbuf (%d >= %d)", s->s_len, s->s_size));
 }
 
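Review bot: the relaxed condition `s->s_len < s->s_size || s->s_len == 0` in the changed KASSERT admits an sbuf with s_size == 0, but such a buffer cannot be finished, because writing the terminating '\0' at s_buf[s_len] would land one byte past a zero-length allocation; weakening the assertion would therefore hide an out-of-bounds write rather than remove a false positive. Prefer keeping the assertion as is and stopping the zero-length sbuf from being constructed in the first place, either by having the procfs map handler answer a zero-byte read before it creates an sbuf (the second solution in the description) or by rejecting a zero size at sbuf creation. If the relaxation is kept anyway, the panic message "wrote past end of sbuf (%d >= %d)" should be revised, since it no longer describes the only condition that trips it.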
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->des 
Responsible-Changed-By: arved 
Responsible-Changed-When: Mon Jun 6 16:00:58 GMT 2005 
Responsible-Changed-Why:  
Over to des, as he made the most commits to subr_sbuf.c and is also
involved in procfs.

http://www.freebsd.org/cgi/query-pr.cgi?pr=81943 

From: des@des.no (Dag-Erling Smørgrav)
To: freebsd-gnats-submit@freebsd.org
Cc:  
Subject: Re: kern/81943
Date: Sat, 11 Nov 2006 00:12:05 +0100

 The current behaviour is correct, because an sbuf with s_size == 0
 can't be finished (no space for terminating '\0')
 
 DES
 -- 
 Dag-Erling Smørgrav - des@des.no
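An added illustration, not code from this PR or from FreeBSD's sys/kern/subr_sbuf.c: a constructed userland model (every toy_-prefixed name is hypothetical) that puts the committed invariant from the description beside the relaxed one the patch proposes, shows why the reply above holds (a zero-size buffer has no byte left for the terminator, so finishing it would write outside the allocation), and models the submitter's second suggested solution, answering a zero-length read before any sbuf exists.

```c
/* Constructed userland model of the sbuf integrity invariant discussed
 * in kern/81943. Illustration only; toy_* names are hypothetical and this
 * is not FreeBSD's subr_sbuf.c. */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

struct toy_sbuf {
	char *s_buf;   /* storage of s_size bytes */
	int   s_size;  /* capacity, must include one byte for the '\0' */
	int   s_len;   /* bytes written so far, terminator excluded */
};

/* The committed invariant (the KASSERT the PR quotes): strict less-than,
 * so one byte always remains for the terminator. Returns false where the
 * kernel would panic under INVARIANTS. */
static bool toy_integrity_ok(const struct toy_sbuf *s)
{
	return s != NULL && s->s_buf != NULL && s->s_len < s->s_size;
}

/* The relaxed check from the proposed patch: also accepts s_len == 0
 * whatever s_size is, so a zero-size sbuf passes. */
static bool toy_integrity_ok_relaxed(const struct toy_sbuf *s)
{
	return s != NULL && s->s_buf != NULL &&
	    (s->s_len < s->s_size || s->s_len == 0);
}

/* True when storing the terminator at s_buf[s_len] would fall outside
 * the allocation; this is the case the relaxed check lets through. */
static bool toy_finish_would_overflow(const struct toy_sbuf *s)
{
	return s->s_len >= s->s_size;
}

/* Allocate a buffer; refuses size <= 0 so no zero-length sbuf is built. */
static struct toy_sbuf *toy_sbuf_new(int size)
{
	if (size <= 0)
		return NULL;
	struct toy_sbuf *s = calloc(1, sizeof *s);
	if (s == NULL)
		return NULL;
	s->s_buf = calloc((size_t)size, 1);
	if (s->s_buf == NULL) {
		free(s);
		return NULL;
	}
	s->s_size = size;
	return s;
}

static void toy_sbuf_delete(struct toy_sbuf *s)
{
	if (s != NULL)
		free(s->s_buf);
	free(s);
}

/* Append str; fails (-1) if it would consume the terminator's byte. */
static int toy_sbuf_cat(struct toy_sbuf *s, const char *str)
{
	if (!toy_integrity_ok(s))
		return -1;
	size_t n = strlen(str);
	if (n > (size_t)(s->s_size - 1 - s->s_len))
		return -1;
	memcpy(s->s_buf + s->s_len, str, n);
	s->s_len += (int)n;
	return 0;
}

/* Write the terminator; only legal while s_len < s_size. */
static int toy_sbuf_finish(struct toy_sbuf *s)
{
	if (!toy_integrity_ok(s))
		return -1;
	s->s_buf[s->s_len] = '\0';
	return 0;
}

/* Models a procfs-style read handler where len is the caller's requested
 * byte count. A zero-length request is answered before any sbuf exists,
 * so the invariant is never evaluated on an empty buffer. Returns bytes
 * produced, or -1 on error (including a request too short for the line). */
static int toy_read_handler(int len, char *out, size_t outsz)
{
	static const char payload[] = "0x0000 0x1000 r-x"; /* constructed sample */
	if (len <= 0)
		return 0;
	struct toy_sbuf *s = toy_sbuf_new(len + 1); /* +1 for the terminator */
	if (s == NULL)
		return -1;
	if (toy_sbuf_cat(s, payload) != 0 || toy_sbuf_finish(s) != 0) {
		toy_sbuf_delete(s);
		return -1;
	}
	int n = s->s_len;
	if ((size_t)n > outsz)
		n = (int)outsz;
	memcpy(out, s->s_buf, (size_t)n);
	toy_sbuf_delete(s);
	return n;
}
```

The two checks disagree only on the zero-size case: toy_integrity_ok rejects it (the kernel panics), toy_integrity_ok_relaxed accepts it, and toy_finish_would_overflow reports that finishing such a buffer would write past its end, which is exactly why the assertion is doing its job there. The read handler shows the fix belonging to the caller: a zero-byte request returns 0 without ever allocating an sbuf.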
State-Changed-From-To: open->closed 
State-Changed-By: des 
State-Changed-When: Fri Nov 10 23:32:08 UTC 2006 
State-Changed-Why:  
Not a bug. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=81943 
>Unformatted:
