Page MenuHomeFreeBSD
Differential D27726

sendfile: Ensure that sfio->npages is initialized
ClosedPublic
Actions

Authored by markj on Dec 22 2020, 5:31 PM.
Tags
None
Referenced Files
F132621444: D27726.diff
Sat, Oct 18, 12:25 PM
F132584545: D27726.id.diff
Sat, Oct 18, 4:35 AM
F132584535: D27726.id81195.diff
Sat, Oct 18, 4:35 AM
F132584532: D27726.id81063.diff
Sat, Oct 18, 4:35 AM
F132532591: D27726.diff
Fri, Oct 17, 6:06 PM
Unknown Object (File)
Thu, Oct 2, 11:36 PM
Unknown Object (File)
Fri, Sep 26, 9:52 AM
Unknown Object (File)
Fri, Sep 26, 7:21 AM
View All 78 Files
Subscribers
imp

Details

Reviewers
kib
chs
glebius
Commits
rG26b23f07fb98: sendfile: Ensure that sfio->npages is initialized
Summary

We initialize sfio->npages only when some I/O is required to satisfy the
request. However, sendfile_iodone() contains an INVARIANTS-only check
that references sfio->npages, and this check is executed even if no I/O
is performed, so the check may use an uninitialized value.

Fix the problem by initializing sfio->npages earlier. Note that
sendfile_swapin() always initializes the page array. In some rare cases
we need to trim the page array so ensure that sfio->npages gets updated
accordingly.

Test Plan

syzkaller triggered the bug and KASAN detected it because the uninitialized
value caused the loop in sendfile_iodone() to run past the end of the buffer.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Revision Contents
Changeset List

PathSize
sys/
kern/
19 lines

Diff 81195

View Options

sys/kern/kern_sendfile.c

Loading...