NetBSD Problem Report #51554
From www@NetBSD.org Wed Oct 12 15:39:45 2016
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
by mollari.NetBSD.org (Postfix) with ESMTPS id 211117A28E
for <gnats-bugs@gnats.NetBSD.org>; Wed, 12 Oct 2016 15:39:45 +0000 (UTC)
Message-Id: <20161012153943.B4DFD7A2AE@mollari.NetBSD.org>
Date: Wed, 12 Oct 2016 15:39:43 +0000 (UTC)
From: coypu@sdf.org
Reply-To: coypu@sdf.org
To: gnats-bugs@NetBSD.org
Subject: Avoid unsafe allocation in ldc/vdsk
X-Send-Pr-Version: www-1.0
>Number: 51554
>Category: port-sparc64
>Synopsis: Avoid unsafe allocation in ldc/vdsk
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: palle
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Oct 12 15:40:00 +0000 2016
>Closed-Date: Tue Mar 07 04:50:49 +0000 2017
>Last-Modified: Tue Mar 07 04:50:49 +0000 2017
>Originator: coypu
>Release: NetBSD 7.99.39
>Organization:
>Environment:
no sparc hardware here!
>Description:
In vdsk.c and ldc.c there are some memory allocation issues.
For memory allocation, kmem_zalloc is called with KM_NOSLEEP, but failure
is not checked. If it was checked and NULL is returned, it will leak memory
upon failure, so create a label for freeing previously allocated memory.
I've mentioned the memory leak to OpenBSD, but I'm unsure if loudly enough.
Sidenote: unsure whether kmem_zalloc is needed as opposed to kmem_alloc,
because I don't think OpenBSD zeroes here, but perhaps their malloc is that weird.
>How-To-Repeat:
>Fix:
Something like this may do (not even compile tested, slow machine, sorry)
Index: ldc.c
===================================================================
RCS file: /cvsroot/src/sys/arch/sparc64/dev/ldc.c,v
retrieving revision 1.2
diff -u -r1.2 ldc.c
--- ldc.c 20 Aug 2016 18:21:18 -0000 1.2
+++ ldc.c 12 Oct 2016 15:28:31 -0000
@@ -553,7 +553,8 @@
BUS_DMA_NOWAIT) != 0)
goto unmap;
#else
- va = (vaddr_t)kmem_zalloc(size, KM_NOSLEEP);
+ if ((va = (vaddr_t)kmem_zalloc(size, KM_NOSLEEP)) == NULL)
+ goto free;
#endif
lq->lq_va = (vaddr_t)va;
lq->lq_nentries = nentries;
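Review bot: the new condition compares an integer with a pointer constant: the kmem_zalloc() result is cast to vaddr_t and only then tested against NULL, which draws a pointer/integer comparison warning and obscures the intent. Test the returned pointer before casting it (or compare the vaddr_t against 0), and apply the same change to the identical checks in the ldc_map and vdsk hunks.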
@@ -566,6 +567,8 @@
destroy:
bus_dmamap_destroy(t, lq->lq_map);
#endif
+free:
+ kmem_free(lq, sizeof(struct ldc_queue));
return (NULL);
}
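Review bot: free: is entered by fall-through from destroy: as well as by the new goto, so the bus_dma error paths now release lq too, which they did not do before this change. That matches the leak the report describes, but the log message should say so, and any earlier failure exit that returns directly rather than jumping into this chain would still leak lq.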
@@ -636,7 +639,8 @@
goto unmap;
}
#else
- va = (vaddr_t)kmem_zalloc(size, KM_NOSLEEP);
+ if ((va = (vaddr_t)kmem_zalloc(size, KM_NOSLEEP)) == NULL)
+ goto free;
#endif
lm->lm_slot = (struct ldc_map_slot *)va;
lm->lm_nentries = nentries;
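Review bot: the failure path added in the #else branch exists only because the allocation is made with KM_NOSLEEP, and nothing in the hunk says why this path may not sleep. If the callers run where sleeping is permitted, KM_SLEEP would wait for memory instead of failing; if they do not, a one-line comment next to the call stating the constraint would document why the NULL handling is required.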
@@ -651,6 +655,8 @@
destroy:
bus_dmamap_destroy(t, lm->lm_map);
#endif
+free:
+ kmem_free(lm, sizeof(struct ldc_map));
return (NULL);
}
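Review bot: in the lines shown, the only goto free sits between #else and #endif while the free: label is placed after the #endif, so a build that compiles the bus_dma branch is left with a label nothing jumps to and an unused-label warning. Route the first failure of the bus_dma branch through free: as well, so the label is referenced in both configurations and lm is released on that exit too.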
Index: vdsk.c
===================================================================
RCS file: /cvsroot/src/sys/arch/sparc64/dev/vdsk.c,v
retrieving revision 1.2
diff -u -r1.2 vdsk.c
--- vdsk.c 20 Aug 2016 18:21:18 -0000 1.2
+++ vdsk.c 12 Oct 2016 15:28:32 -0000
@@ -968,7 +968,8 @@
BUS_DMA_NOWAIT) != 0)
goto unmap;
#else
- va = (vaddr_t)kmem_zalloc(size, KM_NOSLEEP);
+ if ((va = (vaddr_t)kmem_zalloc(size, KM_NOSLEEP)) == NULL)
+ goto free;
#endif
vd->vd_desc = (struct vd_desc *)va;
vd->vd_nentries = nentries;
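Review bot: on the kmem_zalloc versus kmem_alloc question raised in the description, keep the zeroing allocation in this #else branch. va is published as vd->vd_desc immediately after the call and nothing in the hunk initialises the struct vd_desc entries, so unzeroed memory would leave stale kernel heap contents in every descriptor that has not yet been written.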
@@ -985,6 +986,8 @@
destroy:
bus_dmamap_destroy(t, vd->vd_map);
#endif
+free:
+ kmem_free(vd, sizeof(struct vdsk_dring));
return (NULL);
}
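Review bot: the kmem_free() call under the new free: label must be passed exactly the size used when vd was allocated, and that allocation is not part of this hunk, so the match cannot be checked here. Using sizeof(*vd) at both the allocation and this call keeps the two sizes in step if the type of vd ever changes.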
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed
State-Changed-By: maya@NetBSD.org
State-Changed-When: Sun, 26 Feb 2017 16:06:55 +0000
State-Changed-Why:
Responsible-Changed-From-To: port-sparc64-maintainer->palle
Responsible-Changed-By: martin@NetBSD.org
Responsible-Changed-When: Sun, 26 Feb 2017 21:16:59 +0000
Responsible-Changed-Why:
Could you please review and deal?
State-Changed-From-To: closed->open
State-Changed-By: martin@NetBSD.org
State-Changed-When: Sun, 26 Feb 2017 21:16:59 +0000
State-Changed-Why:
Needs review and test
From: "Palle Lyckegaard" <palle@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/51554 CVS commit: src/sys/arch/sparc64/dev
Date: Fri, 3 Mar 2017 21:09:25 +0000
Module Name: src
Committed By: palle
Date: Fri Mar 3 21:09:25 UTC 2017
Modified Files:
src/sys/arch/sparc64/dev: ldc.c vdsk.c
Log Message:
sun4v: Fixed PR 51554 - Avoid unsafe allocation in ldc/vdsk
To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.3 src/sys/arch/sparc64/dev/ldc.c \
src/sys/arch/sparc64/dev/vdsk.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->closed
State-Changed-By: palle@NetBSD.org
State-Changed-When: Tue, 07 Mar 2017 04:50:49 +0000
State-Changed-Why:
Fixed issue
>Unformatted: