On Mon, 2013-07-15 at 06:16:57 +0000, Andrey V. Elsukov wrote:
> Author: ae
> Date: Mon Jul 15 06:16:57 2013
> New Revision: 253351
> URL: http://svnweb.freebsd.org/changeset/base/253351
> 
> Log:
>   Introduce new structure sfstat for collecting sendfile's statistics
>   and remove corresponding fields from struct mbstat. Use PCPU counters
>   and SFSTAT_INC() macro for update these statistics.
>   
>   Discussed with:     glebius
> 
> Modified:
>   head/sys/arm/arm/vm_machdep.c
>   head/sys/i386/i386/vm_machdep.c
>   head/sys/kern/kern_mbuf.c
>   head/sys/kern/uipc_syscalls.c
>   head/sys/mips/mips/vm_machdep.c
>   head/sys/powerpc/aim/vm_machdep.c
>   head/sys/powerpc/booke/vm_machdep.c
>   head/sys/sparc64/sparc64/vm_machdep.c
>   head/sys/sys/mbuf.h
>   head/sys/sys/sf_buf.h
>   head/usr.bin/netstat/main.c
>   head/usr.bin/netstat/mbuf.c
> 
> Modified: head/usr.bin/netstat/mbuf.c
> ==============================================================================
> --- head/usr.bin/netstat/mbuf.c       Mon Jul 15 05:09:13 2013        
> (r253350)
> +++ head/usr.bin/netstat/mbuf.c       Mon Jul 15 06:16:57 2013        
> (r253351)
> @@ -308,20 +309,21 @@ mbpr(void *kvmd, u_long mbaddr)
>                   &mlen, NULL, 0))
>                       printf("%d/%d/%d sfbufs in use (current/peak/max)\n",
>                           nsfbufsused, nsfbufspeak, nsfbufs);
> -             mlen = sizeof(mbstat);
> -             if (sysctlbyname("kern.ipc.mbstat", &mbstat, &mlen, NULL, 0)) {
> -                     warn("kern.ipc.mbstat");
> +             mlen = sizeof(sfstat);
> +             if (sysctlbyname("kern.ipc.sfstat", &sfstat, &mlen, NULL, 0)) {
> +                     warn("kern.ipc.sfstat");
>                       goto out;
>               }
>       } else {
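Review bot: after the kern.ipc.sfstat call succeeds, only the return value is checked; mlen comes back holding the number of bytes the kernel actually copied, and it is never compared with sizeof(sfstat). If netstat is run against a kernel whose struct sfstat has a different size (an older or newer kernel than the headers netstat was built against), the counters would be printed from a partially filled or truncated structure with no warning. Suggest adding `if (mlen != sizeof(sfstat)) { warnx("kern.ipc.sfstat: size mismatch"); goto out; }` right after the sysctlbyname() check, mirroring the existing warn()/goto out error path.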

Hmm, Coverity flags the sysctlbyname() as an OVERRUN, claiming:

overrun-buffer-val: Overrunning struct type sfstat of 24 bytes by passing it to 
a function which accesses it at byte offset 37.

So sysctlbyname.c basically calls sysctl(3) and Coverity thinks that
name[1] is USER_CS_PATH in this case, entering the case statement on
line 69, which then clobbers oldlenp with sizeof(_PATH_STDPATH) at line
74 in lib/libc/gen/sysctl.c, which is 37 bytes 
(sizeof("/rescue:/usr/bin:/bin:/usr/sbin:/sbin")).

Then it calls
memmove(oldp, _PATH_STDPATH, sizeof(_PATH_STDPATH));
where the oldp only has space for the aforementioned 24 bytes of struct
sfstat.

Any thoughts on this? It's CID 1054778 at scan.coverity.com, if you
wanna have a look yourself.

Cheers,
Uli
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"