NetBSD Problem Report #53367
From www@NetBSD.org Fri Jun 15 15:01:26 2018
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 6FC487A155
for <gnats-bugs@gnats.NetBSD.org>; Fri, 15 Jun 2018 15:01:26 +0000 (UTC)
Message-Id: <20180615150125.4B20E7A26C@mollari.NetBSD.org>
Date: Fri, 15 Jun 2018 15:01:25 +0000 (UTC)
From: thomas.barabosch@fkie.fraunhofer.de
Reply-To: thomas.barabosch@fkie.fraunhofer.de
To: gnats-bugs@NetBSD.org
Subject: Integer overflow in usr.sbin/dumplfs
X-Send-Pr-Version: www-1.0
>Number: 53367
>Category: bin
>Synopsis: Integer overflow in usr.sbin/dumplfs
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Jun 15 15:05:00 +0000 2018
>Closed-Date: Sat Jun 16 23:57:15 +0000 2018
>Last-Modified: Sat Jun 16 23:57:15 +0000 2018
>Originator: Thomas Barabosch
>Release: 7.1.2
>Organization:
Fraunhofer FKIE
>Environment:
>Description:
There is a memory allocation in usr.sbin/dumplfs/dumplfs.c with malloc that utilizes multiplication. This is considered harmful and it is better to utilize calloc. Furthermore, there is a possible null pointer reference since malloc may fail to allocate memory but there is no check for a NULL return value.
I've drafted a patch as a possible solution to this issue.
>How-To-Repeat:
>Fix:
--- usr.sbin/dumplfs/dumplfs.c 2018-05-14 00:00:49.651718558 +0200
+++ usr.sbin/dumplfs/dumplfs.c.patched 2018-06-15 16:54:43.556979202 +0200
@@ -680,8 +680,8 @@
} else {
el_size = sizeof(u_int32_t);
}
- datap = (char *)malloc(el_size * numblocks);
- memset(datap, 0, el_size * numblocks);
+ if ((datap = (char *)calloc(numblocks, el_size)) == NULL)
+ err(1, "calloc");
acc = 0;
addr += lfs_btofsb(lfsp, lfs_sb_getsumsize(lfsp));
buf = malloc(lfs_sb_getbsize(lfsp));
>Release-Note:
>Audit-Trail:
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/53367 CVS commit: src/usr.sbin/dumplfs
Date: Fri, 15 Jun 2018 11:16:05 -0400
Module Name: src
Committed By: christos
Date: Fri Jun 15 15:16:05 UTC 2018
Modified Files:
src/usr.sbin/dumplfs: Makefile dumplfs.c
Log Message:
PR/53367: Thomas Barabosch: Integer overflow in usr.sbin/dumplfs
While here use the "e" functions to always check for allocation errors.
To generate a diff of this commit:
cvs rdiff -u -r1.17 -r1.18 src/usr.sbin/dumplfs/Makefile
cvs rdiff -u -r1.63 -r1.64 src/usr.sbin/dumplfs/dumplfs.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->closed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Sat, 16 Jun 2018 23:57:15 +0000
State-Changed-Why:
fixed
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.43 2018/01/16 07:36:43 maya Exp $
$NetBSD: gnats_config.sh,v 1.9 2014/08/02 14:16:04 spz Exp $
Copyright © 1994-2017
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.