kern_sysctl.c -- uninitialized variables in fill_eproc()
Hello,
This problem is reproducible and I included a source code fix. I cannot
use sendbug, because my OpenBSD box isn't configured to send email. Are
you guys interested in fixing this problem?
Summary
-------
I was experimenting with the sysctl() call -- using KERN_PROC/KERN_PROC_ALL
to fill an array of struct kinfo_proc. But I noticed that the e_wmesg
field (see /usr/include/sys/sysctl.h) would sometimes be filled with
garbage.
How To Reproduce
----------------
Grab a copy of the PicoBSD archive:
http://people.freebsd.org/~picobsd/picobsd/picobsd.tgz
Here are the revisions of the files in the archive I used:
$ ident Makefile README sps.c
Makefile:
$Id: Makefile,v 1.1.1.1 1998/08/27 17:38:45 abial Exp $
README:
$Id: README,v 1.2 1998/11/01 20:19:42 abial Exp $
sps.c:
$Id: sps.c,v 1.1.1.1 1998/08/27 17:38:45 abial Exp $
Go to the picobsd/tinyware/sps directory and type make to build the sps
util. The sps util is a version of "ps" that uses the sysctl() API.
Then run these two commands, from your shell:
$ sleep 999 &
$ ./sps
In the output, I saw the following:
USERNAME  PID    PPID   PRI  NICE  TTY  STAT  WCHAN     COMMAND
[...]
kirk      14452  18251  32   20    p9   S     nanoslej  (sleep)
kirk      10412  18251  50   20    p9   R     ,(        (sps)
Notice that "nanosleep" has a "j" in it and the wchan message for the
"sps" util consists of junk characters.
The Problem
-----------
Uninitialized variables. Take a look at revision 1.48 of kern_sysctl.c:
http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/src/sys/kern/kern_sysctl.c?rev=1.48
On lines 954 to 955:
954		if (p->p_wmesg)
955			strncpy(ep->e_wmesg, p->p_wmesg, WMESGLEN);
i) If the length of the wchan message string is >= WMESGLEN
The e_wmesg field is WMESGLEN+1 characters long. The e_wmesg[WMESGLEN]
char is never initialized to 0x00. And strncpy() will not set
e_wmesg[WMESGLEN-1] to 0x00. So it appears that the string may not
be zero terminated.
ii) If p->p_wmesg is NULL
The e_wmesg field is not initialized in this case. The e_wmesg field
will contain whatever is on the stack.
The Fix
-------
954,955c954,955
< if (p->p_wmesg)
< strncpy(ep->e_wmesg, p->p_wmesg, WMESGLEN);
---
> strncpy(ep->e_wmesg, ((p->p_wmesg) ? p->p_wmesg : ""), WMESGLEN);
> ep->e_wmesg[WMESGLEN] = '\0';
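Review bot: the two replacement lines do cover both cases in the report: strncpy() with the empty string as source zero-pads all WMESGLEN bytes, and the store to e_wmesg[WMESGLEN] writes the last byte of the WMESGLEN+1 array, so the field is always NUL-terminated and the write is in bounds. Two things to tidy before it lands: the hunk is in normal diff format keyed to the line numbers of rev 1.48, so please regenerate it as a unified diff (diff -u) against current source so it still applies if surrounding lines move; and since the diagnosis is that fill_eproc() hands stale stack contents to userland through sysctl, it is worth checking whether every other eproc field is set on every path, for example by zeroing the struct before filling it, rather than patching this one field only.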
/var/run/dmesg.boot
-------------------
OpenBSD 2.8 (GREYHAWK) #0: Sun May 6 08:23:58 EDT 2001
kirk@greyhawk:/usr/src/sys/arch/i386/compile/GREYHAWK
--
Kirk Russell Bridlewood Software Testers Guild
Kanata Ontario Canada email: kirk.russell@acm.org
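Added example, not code from the report or from the OpenBSD tree: a user-space C model of the two fill_eproc() variants described above. WMESGLEN is assumed to be 7 for the demo, and a constructed byte pattern stands in for stale stack contents, so the run shows exactly when e_wmesg ends up unterminated and how the fix changes that.

```c
#include <stdio.h>
#include <string.h>

/* Assumed value for this demo; the real WMESGLEN comes from <sys/sysctl.h>. */
#define WMESGLEN 7

/* Stand-in for the e_wmesg field of struct eproc: WMESGLEN+1 bytes. */
struct eproc_demo {
    char e_wmesg[WMESGLEN + 1];
};

/* Constructed "stale stack contents": any byte the copy skips stays visibly 'J'. */
static void poison(struct eproc_demo *ep)
{
    memset(ep, 'J', sizeof *ep);
}

/* Is there a NUL anywhere in e_wmesg, i.e. is it a valid C string? */
static int terminated(const struct eproc_demo *ep)
{
    return memchr(ep->e_wmesg, '\0', sizeof ep->e_wmesg) != NULL;
}

/* Revision 1.48 behaviour: copy only when p_wmesg is set, never terminate. */
static int fill_wmesg_old(struct eproc_demo *ep, const char *p_wmesg)
{
    if (p_wmesg)
        strncpy(ep->e_wmesg, p_wmesg, WMESGLEN);
    return terminated(ep);
}

/* Proposed fix: always copy ("" for NULL makes strncpy zero-pad the whole
 * field) and force the last byte of the array to NUL. */
static int fill_wmesg_fixed(struct eproc_demo *ep, const char *p_wmesg)
{
    strncpy(ep->e_wmesg, p_wmesg ? p_wmesg : "", WMESGLEN);
    ep->e_wmesg[WMESGLEN] = '\0';
    return terminated(ep);
}

int main(void)
{
    struct eproc_demo ep;
    poison(&ep);
    printf("old:   terminated=%d\n", fill_wmesg_old(&ep, "nanosleep"));
    poison(&ep);
    printf("fixed: terminated=%d", fill_wmesg_fixed(&ep, "nanosleep"));
    printf(" e_wmesg=\"%s\"\n", ep.e_wmesg);
    return 0;
}
```

With the old code and a 9-character wchan message the buffer holds "nanosle" followed by the poison byte, which is the same shape as the "nanoslej" seen in the sps output.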