On Sun, Jul 08 2018, Jeremie Courreges-Anglas <[email protected]> wrote:
> On Sun, Jun 24 2018, Denis Fondras <[email protected]> wrote:
>> When removing enc(4) interface from rdomain, the kernel panics randomly
>> (memcpy() seems to copy outside of the mallocarray() boundaries) with
>> something like:
>>
>> Data modified on freelist: word -35183699295756 of object 0xffff80000059da80
>> size 0x8 previous type free (invalid addr 0x7b44962aa448c22a)
>> kernel: protection fault trap, code=0
>> Stopped at malloc+0x4d3: movq 0x8(%r14),%rbx
>
> [...]
>
>> Here is a fix:
>>
>> Index: if_enc.c
>> ===================================================================
>> RCS file: /cvs/src/sys/net/if_enc.c,v
>> retrieving revision 1.70
>> diff -u -p -r1.70 if_enc.c
>> --- if_enc.c 16 Oct 2017 08:22:25 -0000 1.70
>> +++ if_enc.c 24 Jun 2018 17:15:32 -0000
>> @@ -271,7 +271,7 @@ enc_setif(struct ifnet *ifp, u_int id)
>> if (id > RT_TABLEID_MAX)
>> return (EINVAL);
>>
>> - if (id == 0 || id > enc_max_id) {
>> + if (enc_ifps == NULL || id > enc_max_id) {
>> if ((new = mallocarray(id + 1, sizeof(struct ifnet *),
>> M_DEVBUF, M_NOWAIT|M_ZERO)) == NULL)
>> return (ENOBUFS);
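Review bot: the new condition makes (re)allocation depend on `enc_ifps` being NULL rather than on `id == 0`, so the code path that frees the table (outside this hunk) must also reset `enc_ifps` to NULL, otherwise a later call would skip allocation and index a freed array; the report of memcpy() writing past the mallocarray() boundaries also suggests checking that the copy of the old table into `new` uses the old `enc_max_id` for its length, not `id`. A one-line comment above the `if` stating that the table is allocated once and grown on demand would document why the `id == 0` test was wrong.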
>
> This pattern is also used in enc_clone_create(), even if right now we
> can't call this function twice for enc0 I think the code should be made
> consistent. ok?
Better send the correct diff, thanks Denis for the heads-up.
Index: net/if_enc.c
===================================================================
--- net/if_enc.c.orig
+++ net/if_enc.c
@@ -120,7 +120,7 @@ enc_clone_create(struct if_clone *ifc, i
return (error);
}
- if (unit == 0 || unit > enc_max_unit) {
+ if (enc_allifps == NULL || unit > enc_max_unit) {
if ((new = mallocarray(unit + 1, sizeof(struct ifnet *),
M_DEVBUF, M_NOWAIT|M_ZERO)) == NULL) {
NET_UNLOCK();
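Review bot: same caveat as for enc_setif(): with `unit == 0` dropped, this branch now fires only while `enc_allifps` is NULL or the unit exceeds `enc_max_unit`, so whatever releases `enc_allifps` when the last enc interface is destroyed has to set it back to NULL for this check to remain correct; please confirm that path, and consider a short comment here explaining the NULL test, since the two sites should stay in step.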
--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE