svn commit: r253351 - in head: sys/arm/arm sys/i386/i386 sys/kern sys/mips/mips sys/powerpc/aim sys/powerpc/booke sys/sparc64/sparc64 sys/sys usr.bin/netstat
Ulrich Spörlein
uqs at FreeBSD.org
Wed Jul 24 14:52:33 UTC 2013
On Mon, 2013-07-15 at 06:16:57 +0000, Andrey V. Elsukov wrote:
> Author: ae
> Date: Mon Jul 15 06:16:57 2013
> New Revision: 253351
> URL: http://svnweb.freebsd.org/changeset/base/253351
>
> Log:
> Introduce new structure sfstat for collecting sendfile's statistics
> and remove corresponding fields from struct mbstat. Use PCPU counters
> and SFSTAT_INC() macro to update these statistics.
>
> Discussed with: glebius
>
> Modified:
> head/sys/arm/arm/vm_machdep.c
> head/sys/i386/i386/vm_machdep.c
> head/sys/kern/kern_mbuf.c
> head/sys/kern/uipc_syscalls.c
> head/sys/mips/mips/vm_machdep.c
> head/sys/powerpc/aim/vm_machdep.c
> head/sys/powerpc/booke/vm_machdep.c
> head/sys/sparc64/sparc64/vm_machdep.c
> head/sys/sys/mbuf.h
> head/sys/sys/sf_buf.h
> head/usr.bin/netstat/main.c
> head/usr.bin/netstat/mbuf.c
>
> Modified: head/usr.bin/netstat/mbuf.c
> ==============================================================================
> --- head/usr.bin/netstat/mbuf.c Mon Jul 15 05:09:13 2013 (r253350)
> +++ head/usr.bin/netstat/mbuf.c Mon Jul 15 06:16:57 2013 (r253351)
> @@ -308,20 +309,21 @@ mbpr(void *kvmd, u_long mbaddr)
> &mlen, NULL, 0))
> printf("%d/%d/%d sfbufs in use (current/peak/max)\n",
> nsfbufsused, nsfbufspeak, nsfbufs);
> - mlen = sizeof(mbstat);
> - if (sysctlbyname("kern.ipc.mbstat", &mbstat, &mlen, NULL, 0)) {
> - warn("kern.ipc.mbstat");
> + mlen = sizeof(sfstat);
> + if (sysctlbyname("kern.ipc.sfstat", &sfstat, &mlen, NULL, 0)) {
> + warn("kern.ipc.sfstat");
> goto out;
> }
> } else {
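
Review bot: In the kern.ipc.sfstat branch, mlen is set to sizeof(sfstat) before sysctlbyname() but is never compared against sizeof(sfstat) once the call returns, so a kernel that hands back a shorter struct sfstat would leave the trailing fields unfilled with no indication. Consider zeroing sfstat before the call and treating mlen != sizeof(sfstat) on return as a failure, next to the existing warn("kern.ipc.sfstat") path. Since this hunk replaces the kern.ipc.mbstat query rather than falling back to it, it is also worth stating in the log message that a netstat built from this revision takes the warn()/goto out path on a kernel that does not export kern.ipc.sfstat.
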
Hmm, Coverity flags the sysctlbyname() as an OVERRUN, claiming:

    overrun-buffer-val: Overrunning struct type sfstat of 24 bytes by passing it to a function which accesses it at byte offset 37.

So sysctlbyname.c basically calls sysctl(3) and Coverity thinks that
name[1] is USER_CS_PATH in this case, entering the case statement on
line 69, which then clobbers oldlenp with sizeof(_PATH_STDPATH) at line
74 in lib/libc/gen/sysctl.c, which is 37 bytes (sizeof("/rescue:/usr/bin:/bin:/usr/sbin:/sbin")).

Then it calls

    memmove(oldp, _PATH_STDPATH, sizeof(_PATH_STDPATH));

where the oldp only has space for the aforementioned 24 bytes of struct
sfstat.

Any thoughts on this? It's CID 1054778 at scan.coverity.com, if you
wanna have a look yourself.

Cheers,
Uli