OK denis@

On Sun, Jul 08, 2018 at 02:04:56PM +0200, Jeremie Courreges-Anglas wrote:
> On Sun, Jul 08 2018, Jeremie Courreges-Anglas <[email protected]> wrote:
> > On Sun, Jun 24 2018, Denis Fondras <[email protected]> wrote:
> >> When removing enc(4) interface from rdomain, the kernel panics randomly
> >> (memcpy() seems to copy outside of the mallocarray() boundaries) with
> >> something like:
> >>
> >> Data modified on freelist: word -35183699295756 of object 
> >> 0xffff80000059da80 size 0x8 previous type free (invalid addr 
> >> 0x7b44962aa448c22a)
> >> kernel: protection fault trap, code=0
> >> Stopped at      malloc+0x4d3:   movq    0x8(%r14),%rbx
> >
> > [...]
> >
> >> Here is a fix :
> >>
> >> Index: if_enc.c
> >> ===================================================================
> >> RCS file: /cvs/src/sys/net/if_enc.c,v
> >> retrieving revision 1.70
> >> diff -u -p -r1.70 if_enc.c
> >> --- if_enc.c       16 Oct 2017 08:22:25 -0000      1.70
> >> +++ if_enc.c       24 Jun 2018 17:15:32 -0000
> >> @@ -271,7 +271,7 @@ enc_setif(struct ifnet *ifp, u_int id)
> >>    if (id > RT_TABLEID_MAX)
> >>            return (EINVAL);
> >>  
> >> -  if (id == 0 || id > enc_max_id) {
> >> +  if (enc_ifps == NULL || id > enc_max_id) {
> >>            if ((new = mallocarray(id + 1, sizeof(struct ifnet *),
> >>                M_DEVBUF, M_NOWAIT|M_ZERO)) == NULL)
> >>                    return (ENOBUFS);
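
Review bot: The new test `enc_ifps == NULL || id > enc_max_id` relies on an unstated invariant: whenever enc_ifps is non-NULL it holds at least enc_max_id + 1 slots. Nothing in this hunk documents or enforces that, and the report above attributes the panic to memcpy() copying outside the mallocarray() boundaries, which is the failure you get when the two fall out of step. Suggest a short comment above the condition stating the invariant, and confirming that the copy following this allocation is sized from the old array's length and that enc_max_id is only updated together with enc_ifps.
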
> >
> > This pattern is also used in enc_clone_create(), even if right now we
> > can't call this function twice for enc0 I think the code should be made
> > consistent.  ok?
> 
> Better send the correct diff, thanks Denis for the heads-up.
> 
> 
> Index: net/if_enc.c
> ===================================================================
> --- net/if_enc.c.orig
> +++ net/if_enc.c
> @@ -120,7 +120,7 @@ enc_clone_create(struct if_clone *ifc, i
>               return (error);
>       }
>  
> -     if (unit == 0 || unit > enc_max_unit) {
> +     if (enc_allifps == NULL || unit > enc_max_unit) {
>               if ((new = mallocarray(unit + 1, sizeof(struct ifnet *),
>                   M_DEVBUF, M_NOWAIT|M_ZERO)) == NULL) {
>                       NET_UNLOCK();
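
Review bot: The condition `enc_allifps == NULL || unit > enc_max_unit` and the mallocarray(unit + 1, sizeof(struct ifnet *), M_DEVBUF, M_NOWAIT|M_ZERO) call that follows duplicate the grow logic in enc_setif(), which is how the same `== 0` mistake ended up in both places. Consider factoring the grow step into one helper so the two checks cannot diverge again; the helper would have to leave error handling to the callers, since the failure path here calls NET_UNLOCK() while the one in enc_setif() returns ENOBUFS directly. Since the reply says this path cannot currently be reached twice for enc0, a comment noting that the change is for consistency would also help later readers.
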
> 
> 
> -- 
> jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE
> 
