Excellent detective work, thanks. :)

Doug

-------- Original Message --------
Subject: Re: panic: kmem_malloc(-1077936128): kmem_map too small
Date: Fri, 15 Sep 2000 12:29:01 +0200
From: Mitja Horvat <[EMAIL PROTECTED]>
To: Doug Barton <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
<[EMAIL PROTECTED]>

Hi Doug,

since I'm not subscribed to freebsd-current, I would prefer that you
forward this email. I will try to describe the panic in more detail
below:

Filesystem specific mount structure is copied from userspace in ffs_mount()
in vfs_subr.c at line 178:

        /* copy in user arguments*/
        err = copyin(data, (caddr_t)&args, sizeof (struct ufs_args));
        if (err)
                goto error_1;           /* can't get arguments*/

This structure is never checked for garbled data, and its args.export
field is passed as is to vfs_export() and later to vfs_hang_addrlist().
We have the following two lines in vfs_hang_addrlist() at line 2252 in
vfs_subr.c:

        i = sizeof(struct netcred) + argp->ex_addrlen + argp->ex_masklen;
        np = (struct netcred *) malloc(i, M_NETADDR, M_WAITOK);

(argp in this case is the pointer to args.export)
argp->ex_addrlen is copied directly from userspace. If the structures in
the kernel and the userspace utility mismatch, ex_addrlen will have a
different value than it was supposed to (-1077936128 on my machine, which
panicked the kernel on every boot), and problems like memory leaks or
panics may occur.

Some sanity checking would be appropriate for the export_args structure.

Regards,
Mitja
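As an added illustration (not code from the thread, nor from the FreeBSD source tree), the following user-space C model reproduces the size arithmetic of the quoted vfs_hang_addrlist() lines with the ex_addrlen value Mitja reports, and puts beside it the kind of sanity check the message asks for. The struct layouts, the MAX_SOCKADDR bound, the function names and the sample inputs are assumptions made for the demonstration; only the sizeof + ex_addrlen + ex_masklen arithmetic mirrors the kernel lines quoted above.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the kernel structures named in the thread;
 * the real FreeBSD layouts are not reproduced here. */
struct netcred {
    int netc_exflags;
    int netc_uid;
    int netc_ngroups;
};

struct export_args {
    int ex_flags;
    int ex_root;
    int ex_addrlen;     /* copied straight from userland by copyin() */
    int ex_masklen;     /* likewise, equally untrusted */
};

/* Assumed bound: the largest socket address the kernel would ever store. */
#define MAX_SOCKADDR 128    /* assumption: sizeof(struct sockaddr_storage) */

/* The size arithmetic from the quoted vfs_hang_addrlist() lines.  In the
 * kernel the result lands in an int and is then handed to malloc(), which
 * takes an unsigned size, so a negative value becomes a huge request. */
long netcred_size_unchecked(const struct export_args *argp)
{
    return (long)sizeof(struct netcred) + argp->ex_addrlen + argp->ex_masklen;
}

/* Reject lengths that cannot describe a real socket address.  Returns 0
 * on success or EINVAL, in the style of a kernel error return. */
int validate_export_args(const struct export_args *argp)
{
    if (argp->ex_addrlen < 0 || argp->ex_addrlen > MAX_SOCKADDR)
        return EINVAL;
    if (argp->ex_masklen < 0 || argp->ex_masklen > MAX_SOCKADDR)
        return EINVAL;
    return 0;
}

/* Checked size: negative errno on bad input, otherwise the byte count,
 * computed in size_t only after both lengths are known to be sane. */
long netcred_size_checked(const struct export_args *argp)
{
    int err = validate_export_args(argp);
    if (err)
        return -err;
    return (long)(sizeof(struct netcred) + (size_t)argp->ex_addrlen
        + (size_t)argp->ex_masklen);
}

/* Model of the allocation step: NULL (errno set) on rejection or OOM. */
struct netcred *alloc_netcred(const struct export_args *argp)
{
    long sz = netcred_size_checked(argp);
    if (sz < 0) {
        errno = (int)-sz;
        return NULL;
    }
    return calloc(1, (size_t)sz);
}

int main(void)
{
    /* Constructed inputs: the value from the panic reported in the thread,
     * and a plausible address/mask length pair. */
    struct export_args bad = { 0, 0, -1077936128, 0 };
    struct export_args good = { 0, 0, 16, 16 };
    struct netcred *np;

    printf("unchecked size for bad args: %ld\n", netcred_size_unchecked(&bad));
    np = alloc_netcred(&bad);
    printf("checked alloc for bad args: %s\n",
        np ? "allocated" : "rejected (EINVAL)");
    np = alloc_netcred(&good);
    printf("checked alloc for good args: %s, %ld bytes\n",
        np ? "allocated" : "rejected", netcred_size_checked(&good));
    free(np);
    return 0;
}
```

In a kernel the validation would sit either right after the copyin() in the mount path or at the top of vfs_hang_addrlist(), before any arithmetic on the lengths; whichever bound is chosen, the point is that both lengths are checked for sign and magnitude before they feed an allocation size.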

