svn commit: r253351 - in head: sys/arm/arm sys/i386/i386 sys/kern sys/mips/mips sys/powerpc/aim sys/powerpc/booke sys/sparc64/sparc64 sys/sys usr.bin/netstat

Ulrich Spörlein uqs at FreeBSD.org
Wed Jul 24 14:52:33 UTC 2013 

On Mon, 2013-07-15 at 06:16:57 +0000, Andrey V. Elsukov wrote:
> Author: ae
> Date: Mon Jul 15 06:16:57 2013
> New Revision: 253351
> URL: http://svnweb.freebsd.org/changeset/base/253351
> 
> Log:
>   Introduce new structure sfstat for collecting sendfile's statistics
>   and remove corresponding fields from struct mbstat. Use PCPU counters
>   and SFSTAT_INC() macro for update these statistics.
>   
>   Discussed with:	glebius
> 
> Modified:
>   head/sys/arm/arm/vm_machdep.c
>   head/sys/i386/i386/vm_machdep.c
>   head/sys/kern/kern_mbuf.c
>   head/sys/kern/uipc_syscalls.c
>   head/sys/mips/mips/vm_machdep.c
>   head/sys/powerpc/aim/vm_machdep.c
>   head/sys/powerpc/booke/vm_machdep.c
>   head/sys/sparc64/sparc64/vm_machdep.c
>   head/sys/sys/mbuf.h
>   head/sys/sys/sf_buf.h
>   head/usr.bin/netstat/main.c
>   head/usr.bin/netstat/mbuf.c
> 
> Modified: head/usr.bin/netstat/mbuf.c
> ==============================================================================
> --- head/usr.bin/netstat/mbuf.c	Mon Jul 15 05:09:13 2013	(r253350)
> +++ head/usr.bin/netstat/mbuf.c	Mon Jul 15 06:16:57 2013	(r253351)
> @@ -308,20 +309,21 @@ mbpr(void *kvmd, u_long mbaddr)
>  		    &mlen, NULL, 0))
>  			printf("%d/%d/%d sfbufs in use (current/peak/max)\n",
>  			    nsfbufsused, nsfbufspeak, nsfbufs);
> -		mlen = sizeof(mbstat);
> -		if (sysctlbyname("kern.ipc.mbstat", &mbstat, &mlen, NULL, 0)) {
> -			warn("kern.ipc.mbstat");
> +		mlen = sizeof(sfstat);
> +		if (sysctlbyname("kern.ipc.sfstat", &sfstat, &mlen, NULL, 0)) {
> +			warn("kern.ipc.sfstat");
>  			goto out;
>  		}
>  	} else {

Hmm, Coverity flags the sysctlbyname() as an OVERRUN, claiming:

overrun-buffer-val: Overrunning struct type sfstat of 24 bytes by passing it to a function which accesses it at byte offset 37.

So sysctlbyname.c basically calls sysctl(3) and Coverity thinks that
name[1] is USER_CS_PATH in this case, entering the case statement on
line 69, which then clobbers oldlenp with sizeof(_PATH_STDPATH) at line
74 in lib/libc/gen/sysctl.c, which is 37 bytes (sizeof("/rescue:/usr/bin:/bin:/usr/sbin:/sbin")).

Then it calls
memmove(oldp, _PATH_STDPATH, sizeof(_PATH_STDPATH));
where the oldp only has space for the aforementioned 24 bytes of struct
sfstat.

Any thoughts on this? It's CID 1054778 at scan.coverity.com, if you
wanna have a look yourself.

Cheers,
Uli

More information about the svn-src-all mailing list