NetBSD Problem Report #50757
From www@NetBSD.org Wed Feb 3 10:04:26 2016
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.NetBSD.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
by mollari.NetBSD.org (Postfix) with ESMTPS id 7C1E27ABF4
for <gnats-bugs@gnats.NetBSD.org>; Wed, 3 Feb 2016 10:04:26 +0000 (UTC)
Message-Id: <20160203100425.5CDFF7ACB3@mollari.NetBSD.org>
Date: Wed, 3 Feb 2016 10:04:25 +0000 (UTC)
From: dcb314@hotmail.com
Reply-To: dcb314@hotmail.com
To: gnats-bugs@NetBSD.org
Subject: src/usr.sbin/sysinst/arch/mac68k/md.c: 2 * array index out of range ?
X-Send-Pr-Version: www-1.0
>Number: 50757
>Category: bin
>Synopsis: src/usr.sbin/sysinst/arch/mac68k/md.c: 2 * array index out of range ?
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: martin
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Feb 03 10:05:00 +0000 2016
>Last-Modified: Wed Jun 20 10:45:00 +0000 2018
>Originator: David Binderman
>Release: cvs dated 20160203
>Organization:
>Environment:
>Description:
[src/usr.sbin/sysinst/arch/mac68k/md.c:180]: (error) Array 'new_map[6]' accessed at index 14, which is out of bounds.
Source code is
    for (i=0;i<NEW_MAP_SIZE;i++) {
        if (i > 0)
            new_map[i].pmPyPartStart = new_map[i-1].pmPyPartStart +
                new_map[i-1].pmPartBlkCnt;
        new_map[i].pmDataCnt = new_map[i].pmPartBlkCnt;
but
src/usr.sbin/sysinst/arch/mac68k/md.h:#define NEW_MAP_SIZE 15
and new_map only seems to have six elements in it.
I make the observation that this kind of array index problem
would normally be caught by gcc compiler flag -D_FORTIFY_SOURCE=2.
Maybe this flag doesn't get used in the normal builds?
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
From: "David A. Holland" <dholland@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/50757 CVS commit: src/usr.sbin/sysinst/arch/mac68k
Date: Tue, 31 May 2016 02:49:50 +0000
Module Name: src
Committed By: dholland
Date: Tue May 31 02:49:50 UTC 2016
Modified Files:
src/usr.sbin/sysinst/arch/mac68k: md.c
Log Message:
Disable the code that tries to prepare a new partition table (but doesn't
do anything with it...) because it's zooming off the end of the array it's
trying to use.
It looks to me as if NEW_MAP_SIZE has been accidentally used as both
the number of blocks occupied by the new partition table and also the
number of entries in it. Or something. This needs platform knowledge
to sort out. XXX.
Workaround for PR 50757.
To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/usr.sbin/sysinst/arch/mac68k/md.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: David Holland <dholland-bugs@netbsd.org>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: bin/50757: src/usr.sbin/sysinst/arch/mac68k/md.c: 2 * array
index out of range ?
Date: Tue, 31 May 2016 02:50:37 +0000
On Wed, Feb 03, 2016 at 10:05:00AM +0000, dcb314@hotmail.com wrote:
> Source code is
>
>     for (i=0;i<NEW_MAP_SIZE;i++) {
>         if (i > 0)
>             new_map[i].pmPyPartStart = new_map[i-1].pmPyPartStart +
>                 new_map[i-1].pmPartBlkCnt;
>         new_map[i].pmDataCnt = new_map[i].pmPartBlkCnt;
>
> but
>
> src/usr.sbin/sysinst/arch/mac68k/md.h:#define NEW_MAP_SIZE 15
>
> and new_map only seems to have six elements in it.
I have disabled the offending code (which computes information that is
not subsequently used) but someone with platform knowledge is needed
to fix it properly.
--
David A. Holland
dholland@netbsd.org
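Added example (not part of the PR and not NetBSD's code): the loop from the report with its bound taken from the array's own element count, plus a helper showing how far a bound of NEW_MAP_SIZE runs past six entries. The struct name, field types, sample values and helper names are assumptions; treating NEW_MAP_SIZE purely as a block count follows the guess in the commit message above.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-in for a partition map entry: only the three field
 * names appear in the PR; the types and sample values are constructed. */
struct map_entry {
	uint32_t pmPyPartStart;	/* first block of the partition */
	uint32_t pmPartBlkCnt;	/* partition length in blocks */
	uint32_t pmDataCnt;	/* data length in blocks */
};

#define NEW_MAP_SIZE	15	/* value quoted in the PR; a block count only here */
#define ARRAY_COUNT(a)	(sizeof(a) / sizeof((a)[0]))

/* Six constructed entries, the element count the PR reports for new_map. */
static struct map_entry sample_map[] = {
	{ 1, NEW_MAP_SIZE, 0 }, { 0, 32, 0 }, { 0, 64, 0 },
	{ 0, 128, 0 }, { 0, 256, 0 }, { 0, 512, 0 },
};

/* Entries a loop bounded by `bound` would touch past the end of the array. */
static size_t
entries_past_end(size_t nentries, size_t bound)
{
	return bound > nentries ? bound - nentries : 0;
}

/* Same computation as the quoted loop, bounded by the real element count.
 * Returns the first block after the last partition. */
static uint32_t
layout_map(struct map_entry *map, size_t nentries)
{
	size_t i;
	for (i = 0; i < nentries; i++) {
		if (i > 0)
			map[i].pmPyPartStart = map[i - 1].pmPyPartStart +
			    map[i - 1].pmPartBlkCnt;
		map[i].pmDataCnt = map[i].pmPartBlkCnt;
	}
	return nentries ? map[nentries - 1].pmPyPartStart +
	    map[nentries - 1].pmPartBlkCnt : 0;
}

int main(void)
{
	/* Passing ARRAY_COUNT() ties the bound to the array, not to a #define. */
	if (entries_past_end(ARRAY_COUNT(sample_map), NEW_MAP_SIZE) != 9)
		return 1;
	return layout_map(sample_map, ARRAY_COUNT(sample_map)) == 1008 ? 0 : 1;
}
```

With six entries and a bound of 15, the loop would touch nine entries past the end, the last at index 14, which is the index named in the report.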
Responsible-Changed-From-To: bin-bug-people->martin
Responsible-Changed-By: martin@NetBSD.org
Responsible-Changed-When: Wed, 01 Jun 2016 09:17:14 +0000
Responsible-Changed-Why:
Take (can test easily, have used the code very recentish)
From: coypu@sdf.org
To: gnats-bugs@NetBSD.org
Cc: martin@netbsd.org
Subject: Re: bin/50757: src/usr.sbin/sysinst/arch/mac68k/md.c: 2 * array
Date: Wed, 20 Jun 2018 00:22:20 +0000
Hi Martin,
Have you tested the code? Or do you intend to?
Thanks.
From: Martin Husemann <martin@duskware.de>
To: coypu@sdf.org
Cc: gnats-bugs@NetBSD.org, martin@netbsd.org
Subject: Re: bin/50757: src/usr.sbin/sysinst/arch/mac68k/md.c: 2 * array
Date: Wed, 20 Jun 2018 12:42:34 +0200
On Wed, Jun 20, 2018 at 12:22:20AM +0000, coypu@sdf.org wrote:
> Hi Martin,
>
> Have you tested the code? Or do you intend to?
I have it on my short term list (and likely will rework it anyway).
Martin
>Unformatted: