NetBSD Problem Report #42498

From www@NetBSD.org  Tue Dec 22 20:12:29 2009
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by www.NetBSD.org (Postfix) with ESMTP id 1683163C430
	for <gnats-bugs@gnats.NetBSD.org>; Tue, 22 Dec 2009 20:12:29 +0000 (UTC)
Message-Id: <20091222201228.CD5D463C3A9@www.NetBSD.org>
Date: Tue, 22 Dec 2009 20:12:28 +0000 (UTC)
From: gandersen@cradlepoint.com
Reply-To: gandersen@cradlepoint.com
To: gnats-bugs@NetBSD.org
Subject: kfilter_register() allocates incorrect size for user_filters
X-Send-Pr-Version: www-1.0

>Number:         42498
>Category:       kern
>Synopsis:       kfilter_register() allocates incorrect size for user_filters
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Dec 22 20:15:00 +0000 2009
>Closed-Date:    Thu Dec 24 10:50:49 +0000 2009
>Last-Modified:  Sat Jan 09 01:15:03 +0000 2010
>Originator:     Gregory Andersen
>Release:        NetBSD 5.0.1
>Organization:
Cradlepoint Technology, Inc.
>Environment:
NetBSD  5.0.1 NetBSD 5.0.1 (TR) #5: Tue Dec 22 12:43:58 MST 2009 evbmips
>Description:
When registering multiple user kfilters via kfilter_register(), the user_filters structure seems to be allocated incorrectly and subsequent operations on the filter will panic the kernel.
>How-To-Repeat:
Implement multiple user kfilters registered via kfilter_register() in the kernel. Call 'kevent' from userland on the second custom filter (after successfully looking up the kqueue id via the KFILTER_BYNAME ioctl) to panic the kernel with a TLB fault.  

Backtrace from DDB is corrupted.
>Fix:
--- kern_event.c.1.60.6.1	2009-12-22 13:10:49.166156959 -0700
+++ kern_event.c	2009-12-22 13:10:30.396153163 -0700
@@ -291,7 +291,7 @@
 	if (user_kfilterc + 1 > user_kfiltermaxc) {
 		/* Grow in KFILTER_EXTENT chunks. */
 		user_kfiltermaxc += KFILTER_EXTENT;
-		len = user_kfiltermaxc * sizeof(struct filter *);
+		len = user_kfiltermaxc * sizeof(struct kfilter);
 		kfilter = kmem_alloc(len, KM_SLEEP);
 		memset((char *)kfilter + user_kfiltersz, 0, len - user_kfiltersz);
 		if (user_kfilters != NULL) {
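Review bot: Prefer `sizeof(*kfilter)` (or `sizeof(*user_kfilters)`) over spelling out the type in the corrected line, so the element size is tied to the declared type of the array and cannot drift from it again. The old expression sized the buffer for user_kfiltermaxc pointers while the table is indexed as an array of `struct kfilter`, so the `memset` of the tail and every later store into the table ran past the end of the allocation; a heap write of that kind is consistent with the TLB fault the reporter sees on the second filter. Since `len` is a plain product, a guard that `user_kfiltermaxc * sizeof(*kfilter)` cannot wrap would also be cheap, although with KFILTER_EXTENT growth it is not a practical concern here.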

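As an added illustration of the defect the report describes (not code from the PR or from NetBSD): a user-space model of the grow-in-chunks path with a hypothetical struct kfilter, showing the undersized length the old sizeof produced next to the corrected one, and a grow routine that uses sizeof(*user_kfilters) so the element size follows the variable's type. Field names in the struct and the KFILTER_EXTENT value are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-in for the kernel's struct kfilter (not the real
 * definition): several fields, so it is clearly larger than one pointer. */
struct kfilter {
    const char *name;
    size_t namelen;
    uint32_t filter;
    unsigned refcnt;
    const void *filtops;
};
#define KFILTER_EXTENT 8   /* grow the table in chunks of this many entries */

/* Table state, mirroring the globals kern_event.c keeps. */
static struct kfilter *user_kfilters = NULL;
static size_t user_kfiltersz = 0;    /* bytes currently allocated */
static int user_kfiltermaxc = 0;     /* entries that fit in the table */

/* Size the pre-fix code computed: one pointer per entry (too small). */
size_t len_buggy(int maxc) { return (size_t)maxc * sizeof(struct kfilter *); }

/* Size actually needed: one struct kfilter per entry. */
size_t len_fixed(int maxc) { return (size_t)maxc * sizeof(struct kfilter); }

/* Grow the table by KFILTER_EXTENT entries. sizeof(*user_kfilters) ties the
 * element size to the array's declared type, so a type mismatch like the one
 * in the PR cannot recur silently. Returns 0 on success, -1 on failure. */
int grow_user_kfilters(void)
{
    int newmaxc = user_kfiltermaxc + KFILTER_EXTENT;
    if ((size_t)newmaxc > SIZE_MAX / sizeof(*user_kfilters))
        return -1;                   /* byte count would overflow */
    size_t len = (size_t)newmaxc * sizeof(*user_kfilters);
    struct kfilter *kfilter = malloc(len);   /* kmem_alloc() in the kernel */
    if (kfilter == NULL)
        return -1;
    /* Zero only the new tail, then carry the old entries over. */
    memset((char *)kfilter + user_kfiltersz, 0, len - user_kfiltersz);
    if (user_kfilters != NULL) {
        memcpy(kfilter, user_kfilters, user_kfiltersz);
        free(user_kfilters);
    }
    user_kfilters = kfilter;
    user_kfiltersz = len;
    user_kfiltermaxc = newmaxc;
    return 0;
}
```
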
>Release-Note:

>Audit-Trail:
From: David Laight <dsl@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/42498 CVS commit: src/sys/kern
Date: Tue, 22 Dec 2009 20:50:47 +0000

 Module Name:	src
 Committed By:	dsl
 Date:		Tue Dec 22 20:50:47 UTC 2009

 Modified Files:
 	src/sys/kern: kern_event.c

 Log Message:
 Use sizeof correct type, not pointer to wrong type.
 Fixes PR/42498.
 This has been wrong since the initial import!


 To generate a diff of this commit:
 cvs rdiff -u -r1.68 -r1.69 src/sys/kern/kern_event.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->closed
State-Changed-By: wiz@NetBSD.org
State-Changed-When: Thu, 24 Dec 2009 10:50:49 +0000
State-Changed-Why:
dsl committed it, thank you for the report!


From: Soren Jacobsen <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/42498 CVS commit: [netbsd-5] src/sys/kern
Date: Sat, 9 Jan 2010 01:08:39 +0000

 Module Name:	src
 Committed By:	snj
 Date:		Sat Jan  9 01:08:39 UTC 2010

 Modified Files:
 	src/sys/kern [netbsd-5]: kern_event.c

 Log Message:
 Pull up following revision(s) (requested by dsl in ticket #1208):
 	sys/kern/kern_event.c: revision 1.69
 Use sizeof correct type, not pointer to wrong type.
 Fixes PR/42498.
 This has been wrong since the initial import!


 To generate a diff of this commit:
 cvs rdiff -u -r1.60.6.1 -r1.60.6.2 src/sys/kern/kern_event.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: Soren Jacobsen <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/42498 CVS commit: [netbsd-5-0] src/sys/kern
Date: Sat, 9 Jan 2010 01:10:53 +0000

 Module Name:	src
 Committed By:	snj
 Date:		Sat Jan  9 01:10:53 UTC 2010

 Modified Files:
 	src/sys/kern [netbsd-5-0]: kern_event.c

 Log Message:
 Pull up following revision(s) (requested by dsl in ticket #1208):
 	sys/kern/kern_event.c: revision 1.69
 Use sizeof correct type, not pointer to wrong type.
 Fixes PR/42498.
 This has been wrong since the initial import!


 To generate a diff of this commit:
 cvs rdiff -u -r1.60.6.1 -r1.60.6.1.2.1 src/sys/kern/kern_event.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

>Unformatted:
