Bug #5895

closed

mdb_alloc() succeeds for 4294967295 bytes in 32-bit process

Added by David Pacheco over 7 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Normal
Category:
mdb - modular debugger
Start date:
2015-05-01
Due date:
% Done:

100%

Estimated time:
Difficulty:
Medium
Tags:
needs-triage
Gerrit CR:

Description

While debugging a 32-bit dmod, I discovered it was calling mdb_alloc() with a size_t whose value had been decremented to -1 (so wrapped around to 4294967295 bytes). mdb_alloc() ended up returning a buffer, which should be impossible because such a buffer would span the entire address space (minus a byte).

Here's a simple dmod to reproduce this:

#include <sys/mdb_modapi.h>

/*
 * Decrement a size_t from 0 so it wraps to SIZE_MAX (4294967295 in a 32-bit
 * process) and hand that to mdb_alloc(). A request that large can never be
 * satisfied, so the call should fail rather than return a buffer.
 */
/* ARGSUSED */
static int
dcmd_dotest(uintptr_t addr, uint_t flags, int argc, const mdb_arg_t *argv)
{
        size_t sz = 0;
        void *ptr;

        sz--;   /* wraps to 4294967295 on 32-bit */
        ptr = mdb_alloc(sz, UM_SLEEP);
        mdb_printf("mdb_alloc(%u, UM_SLEEP) returned %p\n", sz, ptr);
        return (DCMD_OK);
}

static const mdb_dcmd_t test_dcmds[] = {
        { "dotest", NULL, "test bug", dcmd_dotest },
        { NULL }
};

static const mdb_walker_t test_walkers[] = {
        { NULL }
};

static mdb_modinfo_t test_mdb = { MDB_API_VERSION, test_dcmds, test_walkers };

const mdb_modinfo_t *
_mdb_init(void)
{
        return (&test_mdb);
}

When I run it:

$ mdb dotest.so 
> ::load ./dotest.so
> ::dotest
mdb_alloc(4294967295, UM_SLEEP) returned 8178fe0
>

(Note I only ran mdb on the dmod to ensure I got a 32-bit mdb. You could have run it on anything, or no target at all if you ran the 32-bit version of MDB directly.)
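The report does not say how mdb_alloc() came to honour the request. As an added illustration (not illumos or mdb code), the block below shows a hypothetical allocator front-end that rounds the request up to an assumed 8-byte alignment: the naive version wraps to 0 for a request of SIZE_MAX and so "succeeds", while the checked version rejects it before anything reaches malloc(). The 32-bit size type, alignment and function names are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/*
 * Hypothetical 32-bit size type so the wrap is visible on any host;
 * on a real 32-bit mdb this is simply size_t.
 */
typedef uint32_t size32_t;
#define SIZE32_MAX      UINT32_MAX
#define ALIGN32         8U      /* assumed allocator alignment */

/*
 * Unchecked pattern: round the request up to the alignment before passing
 * it on. For SIZE32_MAX the addition wraps and the result is 0, so a tiny
 * (or empty) allocation is made and a non-NULL pointer comes back.
 */
size32_t
naive_roundup(size32_t nbytes)
{
        return ((nbytes + (ALIGN32 - 1)) & ~(ALIGN32 - 1));
}

/*
 * Checked pattern: refuse a zero request and any request that would wrap
 * when rounded. Returns the rounded size, or 0 to signal rejection.
 */
size32_t
checked_roundup(size32_t nbytes)
{
        if (nbytes == 0 || nbytes > SIZE32_MAX - (ALIGN32 - 1))
                return (0);
        return ((nbytes + (ALIGN32 - 1)) & ~(ALIGN32 - 1));
}

/* Hypothetical allocator front-end: NULL for any request the check rejects. */
void *
checked_alloc32(size32_t nbytes)
{
        size32_t rounded = checked_roundup(nbytes);

        return (rounded == 0 ? NULL : malloc(rounded));
}

/* Returns 1 if the request is honoured and 0 if it is rejected. */
int
alloc_succeeds(size32_t nbytes)
{
        void *p = checked_alloc32(nbytes);

        free(p);
        return (p != NULL);
}
```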

#1

Updated by Robert Mustacchi over 6 years ago

  • Category set to mdb - modular debugger
  • Assignee set to Robert Mustacchi
#2

Updated by Electric Monk over 6 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

git commit 258e8624229ac7ff3af9890752a92cd251b83825

commit  258e8624229ac7ff3af9890752a92cd251b83825
Author: Robert Mustacchi <rm@joyent.com>
Date:   2016-03-28T14:30:32.000Z

    5895 mdb_alloc() succeeds for 4294967295 bytes in 32-bit process
    Reviewed by: Patrick Mooney <patrick.mooney@joyent.com>
    Reviewed by: Dave Pacheco <dap@joyent.com>
    Reviewed by: Toomas Soome <tsoome@me.com>
    Reviewed by: Jason King <jason.brian.king@gmail.com>
    Approved by: Richard Lowe <richlowe@richlowe.net>
