NetBSD Problem Report #50757

From www@NetBSD.org  Wed Feb  3 10:04:26 2016
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.NetBSD.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 7C1E27ABF4
	for <gnats-bugs@gnats.NetBSD.org>; Wed,  3 Feb 2016 10:04:26 +0000 (UTC)
Message-Id: <20160203100425.5CDFF7ACB3@mollari.NetBSD.org>
Date: Wed,  3 Feb 2016 10:04:25 +0000 (UTC)
From: dcb314@hotmail.com
Reply-To: dcb314@hotmail.com
To: gnats-bugs@NetBSD.org
Subject: src/usr.sbin/sysinst/arch/mac68k/md.c: 2 * array index out of range ?
X-Send-Pr-Version: www-1.0

>Number:         50757
>Category:       bin
>Synopsis:       src/usr.sbin/sysinst/arch/mac68k/md.c: 2 * array index out of range ?
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    martin
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Feb 03 10:05:00 +0000 2016
>Last-Modified:  Wed Jun 20 10:45:00 +0000 2018
>Originator:     David Binderman
>Release:        cvs dated 20160203
>Organization:
>Environment:
>Description:

[src/usr.sbin/sysinst/arch/mac68k/md.c:180]: (error) Array 'new_map[6]' accessed at index 14, which is out of bounds.

Source code is

   for (i=0;i<NEW_MAP_SIZE;i++) {
       if (i > 0)
        new_map[i].pmPyPartStart = new_map[i-1].pmPyPartStart +
            new_map[i-1].pmPartBlkCnt;
       new_map[i].pmDataCnt = new_map[i].pmPartBlkCnt;

but

src/usr.sbin/sysinst/arch/mac68k/md.h:#define NEW_MAP_SIZE 15

and new_map only seems to have six elements in it.

I make the observation that this kind of array index problem
would normally be caught by gcc compiler flag -D_FORTIFY_SOURCE=2.

Maybe this flag doesn't get used in the normal builds ?

>How-To-Repeat:

>Fix:

>Release-Note:

>Audit-Trail:
From: "David A. Holland" <dholland@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/50757 CVS commit: src/usr.sbin/sysinst/arch/mac68k
Date: Tue, 31 May 2016 02:49:50 +0000

 Module Name:	src
 Committed By:	dholland
 Date:		Tue May 31 02:49:50 UTC 2016

 Modified Files:
 	src/usr.sbin/sysinst/arch/mac68k: md.c

 Log Message:
 Disable the code that tries to prepare a new partition table (but doesn't
 do anything with it...) because it's zooming off the end of the array it's
 trying to use.

 It looks to me as if NEW_MAP_SIZE has been accidentally used as both
 the number of blocks occupied by the new partition table and also the
 number of entries in it. Or something. This needs platform knowledge
 to sort out. XXX.

 Workaround for PR 50757.


 To generate a diff of this commit:
 cvs rdiff -u -r1.4 -r1.5 src/usr.sbin/sysinst/arch/mac68k/md.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: David Holland <dholland-bugs@netbsd.org>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: bin/50757: src/usr.sbin/sysinst/arch/mac68k/md.c: 2 * array
 index out of range ?
Date: Tue, 31 May 2016 02:50:37 +0000

 On Wed, Feb 03, 2016 at 10:05:00AM +0000, dcb314@hotmail.com wrote:
  > Source code is
  > 
  >    for (i=0;i<NEW_MAP_SIZE;i++) {
  >        if (i > 0)
  >         new_map[i].pmPyPartStart = new_map[i-1].pmPyPartStart +
  >             new_map[i-1].pmPartBlkCnt;
  >        new_map[i].pmDataCnt = new_map[i].pmPartBlkCnt;
  > 
  > but
  > 
  > src/usr.sbin/sysinst/arch/mac68k/md.h:#define NEW_MAP_SIZE 15
  > 
  > and new_map only seems to have six elements in it.

 I have disabled the offending code (which computes information that is
 not subsequently used) but someone with platform knowledge is needed
 to fix it properly.

 -- 
 David A. Holland
 dholland@netbsd.org

Responsible-Changed-From-To: bin-bug-people->martin
Responsible-Changed-By: martin@NetBSD.org
Responsible-Changed-When: Wed, 01 Jun 2016 09:17:14 +0000
Responsible-Changed-Why:
Take (can test easily, have used the code very recentish)


From: coypu@sdf.org
To: gnats-bugs@NetBSD.org
Cc: martin@netbsd.org
Subject: Re: bin/50757: src/usr.sbin/sysinst/arch/mac68k/md.c: 2 * array
Date: Wed, 20 Jun 2018 00:22:20 +0000

 Hi Martin,

 Have you tested the code? or do you intend to?
 Thanks.

From: Martin Husemann <martin@duskware.de>
To: coypu@sdf.org
Cc: gnats-bugs@NetBSD.org, martin@netbsd.org
Subject: Re: bin/50757: src/usr.sbin/sysinst/arch/mac68k/md.c: 2 * array
Date: Wed, 20 Jun 2018 12:42:34 +0200

 On Wed, Jun 20, 2018 at 12:22:20AM +0000, coypu@sdf.org wrote:
 > Hi Martin,
 > 
 > Have you tested the code? or do you intend to?

 I have it on my short term list (and likely will rework it anyway).

 Martin

>Unformatted:
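
Added example, not part of the PR or of the NetBSD source: the loop from the report with its bound taken from the array itself, plus a count of how many iterations the NEW_MAP_SIZE bound would run past the end. The struct layout, the NELEM macro, both function names and the sample entries are assumptions; only the three field names, the six-element count and NEW_MAP_SIZE 15 come from the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified entry: only the three field names are from the PR. */
struct part_entry {
    uint32_t pmPyPartStart;   /* first block of the partition */
    uint32_t pmPartBlkCnt;    /* partition length in blocks */
    uint32_t pmDataCnt;       /* data area length in blocks */
};

#define NEW_MAP_SIZE 15       /* value quoted from md.h in the PR */
#define NELEM(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed sample data: six entries, the element count the PR reports. */
static struct part_entry new_map[] = {
    { 1, 63, 0 }, { 0, 32, 0 }, { 0, 4096, 0 },
    { 0, 1024, 0 }, { 0, 2048, 0 }, { 0, 512, 0 },
};

/* Enabling this turns the macro/array mismatch into a build failure:
 * _Static_assert(NELEM(new_map) == NEW_MAP_SIZE, "new_map size mismatch"); */

/* Iterations of a loop bounded by loop_bound that index past nelem entries. */
static size_t overrun_iterations(size_t loop_bound, size_t nelem)
{
    return loop_bound > nelem ? loop_bound - nelem : 0;
}

/* The loop body from the PR, bounded by the real element count.
 * Returns the first block after the last partition. */
static uint32_t layout_map(struct part_entry *map, size_t nelem)
{
    for (size_t i = 0; i < nelem; i++) {
        if (i > 0)
            map[i].pmPyPartStart = map[i - 1].pmPyPartStart +
                map[i - 1].pmPartBlkCnt;
        map[i].pmDataCnt = map[i].pmPartBlkCnt;
    }
    return nelem ? map[nelem - 1].pmPyPartStart + map[nelem - 1].pmPartBlkCnt : 0;
}

int main(void)
{
    printf("entries=%zu, overrunning iterations with NEW_MAP_SIZE=%zu\n",
        NELEM(new_map), overrun_iterations(NEW_MAP_SIZE, NELEM(new_map)));
    printf("end block=%u\n", (unsigned)layout_map(new_map, NELEM(new_map)));
    return 0;
}
```

Building a loop like the reported one with -fsanitize=bounds makes the first out-of-range index (6) a reported runtime error rather than a silent write past the array.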
