NetBSD Problem Report #43837

From www@NetBSD.org  Fri Sep  3 19:15:02 2010
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by www.NetBSD.org (Postfix) with ESMTP id 81BF063BC5B
	for <gnats-bugs@gnats.NetBSD.org>; Fri,  3 Sep 2010 19:15:02 +0000 (UTC)
Message-Id: <20100903191502.1B32E63B8C3@www.NetBSD.org>
Date: Fri,  3 Sep 2010 19:15:02 +0000 (UTC)
From: william_snaman@dell.com
Reply-To: william_snaman@dell.com
To: gnats-bugs@NetBSD.org
Subject: _cpuset_create has uninitialized size argument for call to sysctl
X-Send-Pr-Version: www-1.0

>Number:         43837
>Category:       lib
>Synopsis:       _cpuset_create has uninitialized size argument for call to sysctl
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    lib-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Sep 03 19:20:00 +0000 2010
>Closed-Date:    Sun Oct 20 21:12:42 +0000 2013
>Last-Modified:  Sun Oct 20 21:12:42 +0000 2013
>Originator:     Sandy Snaman
>Release:        V5.0.2
>Organization:
Dell
>Environment:
>Description:
src/common/lib/libc/sys/cpuset.c uses an uninitialized variable (&len below) to pass in the size of the output buffer for a call to sysctl.  

if (sysctl(mib, __arraycount(mib), &nc, >>> &len <<<, NULL, 0)

When the 3rd arg (*oldp) is not null, the 4th arg (size_t*oldlenp) should point to the size of the buffer before the call is made.  

Depending on what is on the stack at the time of the call, this call may succeed or fail because the value of len was not initialized.
>How-To-Repeat:

>Fix:
--- common/lib/libc/sys/cpuset.c        (revision 136179)
+++ common/lib/libc/sys/cpuset.c        (working copy)
@@ -138,8 +138,8 @@
 {
        if (cpuset_size == 0) {
                static int mib[2] = { CTL_HW, HW_NCPU };
-               size_t len;
                u_int nc;
+               size_t len = sizeof(nc);

                if (sysctl(mib, __arraycount(mib), &nc, &len, NULL, 0) == -1)
                        return NULL;
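Review bot: the initialization `size_t len = sizeof(nc);` is the right fix, and moving the declaration after `u_int nc;` is required since it now depends on `nc`; one small robustness point is that the code still trusts `nc` wholesale after the call, so consider also treating `len != sizeof(nc)` after `sysctl()` as a failure and returning NULL, since with the pre-call size now deterministic a mismatch would indicate a real disagreement about the size of the HW_NCPU value rather than stale stack contents.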

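The sysctl(3) size-argument contract the report describes, worked through as an added example that is not NetBSD's code: a constructed stand-in `model_sysctl_hw_ncpu` models the kernel side of the call, `query_ncpu` shows the initialized-length pattern the fix establishes plus a post-call size check, and `query_ncpu_with_stale_len` makes the effect of a stale length value deterministic so it can be observed. All function names and the sample value 8 are constructed for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the kernel side of sysctl(3); NOT NetBSD code.
 * It models only the contract the PR relies on: when oldp is non-NULL the
 * caller must supply the buffer size in *oldlenp; the value is copied if it
 * fits and the size actually produced is written back, otherwise the call
 * fails with ENOMEM. */
#define MODEL_HW_NCPU 8   /* constructed sample value for hw.ncpu */

static int model_sysctl_hw_ncpu(void *oldp, size_t *oldlenp)
{
    const int ncpu = MODEL_HW_NCPU;
    if (oldlenp == NULL) { errno = EINVAL; return -1; }
    if (oldp == NULL) {             /* size probe: report the needed size */
        *oldlenp = sizeof(ncpu);
        return 0;
    }
    if (*oldlenp < sizeof(ncpu)) {  /* supplied buffer too small */
        errno = ENOMEM;
        return -1;
    }
    memcpy(oldp, &ncpu, sizeof(ncpu));
    *oldlenp = sizeof(ncpu);
    return 0;
}

/* The pattern the fix establishes: len holds the buffer size before the
 * call, and nc is trusted only if the call succeeded and the size written
 * back matches what was expected. Returns 0 on failure. */
unsigned int query_ncpu(void)
{
    unsigned int nc;
    size_t len = sizeof(nc);        /* the initialization the PR adds */
    if (model_sysctl_hw_ncpu(&nc, &len) == -1 || len != sizeof(nc))
        return 0;
    return nc;
}

/* What an uninitialized len risks: whatever stale value happens to be in it
 * decides the outcome. The stale value is passed explicitly here so the
 * effect is deterministic; *out is left untouched on failure. */
int query_ncpu_with_stale_len(size_t stale_len, unsigned int *out)
{
    size_t len = stale_len;
    return model_sysctl_hw_ncpu(out, &len);
}
```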
>Release-Note:

>Audit-Trail:

State-Changed-From-To: open->closed
State-Changed-By: rmind@NetBSD.org
State-Changed-When: Tue, 21 Sep 2010 02:05:16 +0000
State-Changed-Why:
Fixed.  Thanks for the problem report!


From: Mindaugas Rasiukevicius <rmind@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/43837 CVS commit: src/common/lib/libc/sys
Date: Tue, 21 Sep 2010 02:03:30 +0000

 Module Name:	src
 Committed By:	rmind
 Date:		Tue Sep 21 02:03:29 UTC 2010

 Modified Files:
 	src/common/lib/libc/sys: cpuset.c

 Log Message:
 _cpuset_create: initialize size argument for sysctl call.
 From PR/43837 by Sandy Snaman.


 To generate a diff of this commit:
 cvs rdiff -u -r1.15 -r1.16 src/common/lib/libc/sys/cpuset.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: Matthew Mondor <mm_lists@pulsar-zone.net>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: lib/43837 (_cpuset_create has uninitialized size argument for
 call to sysctl)
Date: Tue, 21 Sep 2010 01:18:55 -0400

 On Tue, 21 Sep 2010 02:05:18 +0000 (UTC)
 rmind@NetBSD.org wrote:

 > Synopsis: _cpuset_create has uninitialized size argument for call to sysctl
 > 
 > State-Changed-From-To: open->closed
 > State-Changed-By: rmind@NetBSD.org
 > State-Changed-When: Tue, 21 Sep 2010 02:05:16 +0000
 > State-Changed-Why:
 > Fixed.  Thanks for the problem report!

 Since the submitter reported the problem against 5.0.2, should this
 also be pulled up to netbsd-5 (and possibly netbsd-5-0)?

 Thanks,
 -- 
 Matt

From: David Holland <dholland-bugs@netbsd.org>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: lib/43837 (_cpuset_create has uninitialized size argument for
 call to sysctl)
Date: Sun, 10 Oct 2010 02:33:45 +0000

 On Tue, Sep 21, 2010 at 05:20:04AM +0000, Matthew Mondor wrote:
  >  > State-Changed-From-To: open->closed
  >  > State-Changed-By: rmind@NetBSD.org
  >  > State-Changed-When: Tue, 21 Sep 2010 02:05:16 +0000
  >  > State-Changed-Why:
  >  > Fixed.  Thanks for the problem report!
  >  
  >  Since the submitter reported the problem against 5.0.2, should this
  >  also be pulled up to netbsd-5 (and possibly netbsd-5-0)?

 Yes, I'd say so.

 -- 
 David A. Holland
 dholland@netbsd.org

State-Changed-From-To: closed->pending-pullups
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Sun, 06 Oct 2013 10:44:57 +0000
State-Changed-Why:
pullup-5 #1883 (finally)


From: "Manuel Bouyer" <bouyer@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/43837 CVS commit: [netbsd-5] src/common/lib/libc/sys
Date: Sun, 20 Oct 2013 14:02:52 +0000

 Module Name:	src
 Committed By:	bouyer
 Date:		Sun Oct 20 14:02:51 UTC 2013

 Modified Files:
 	src/common/lib/libc/sys [netbsd-5]: cpuset.c

 Log Message:
 Pull up following revision(s) (requested by dholland in ticket #1883):
 	common/lib/libc/sys/cpuset.c: revision 1.16
 _cpuset_create: initialize size argument for sysctl call.
 From PR/43837 by Sandy Snaman.


 To generate a diff of this commit:
 cvs rdiff -u -r1.12 -r1.12.4.1 src/common/lib/libc/sys/cpuset.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: pending-pullups->closed
State-Changed-By: bouyer@NetBSD.org
State-Changed-When: Sun, 20 Oct 2013 21:12:42 +0000
State-Changed-Why:
pulled up to netbsd-5


>Unformatted:
