Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 19 May 2004 17:15:47 +1000 (EST)
From:      Bruce Evans <bde@zeta.org.au>
To:        Ruslan Ermilov <ru@FreeBSD.org>
Cc:        cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/sys/dev/md md.c
Message-ID:  <20040519165754.Q13836@gamplex.bde.org>
In-Reply-To: <20040518103846.GB70919@ip.net.ua>
References:  <200405180730.i4I7U5CZ018341@repoman.freebsd.org> <20040518103846.GB70919@ip.net.ua>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Tue, 18 May 2004, Ruslan Ermilov wrote:

> On Tue, May 18, 2004 at 12:30:05AM -0700, Pawel Jakub Dawidek wrote:
> > pjd         2004/05/18 00:30:05 PDT
> >
> >   FreeBSD src repository
> >
> >   Modified files:
> >     sys/dev/md           md.c
> >   Log:
> >   Fix panic which occurs when given sector size for memory-backed device
> >   is less than DEV_BSIZE (512) bytes.
> >
> >   Reported by:    Mike Bristow <mike@urgle.com>
> >   Approved by:    phk
> >
> >   Revision  Changes    Path
> >   1.123     +1 -2      src/sys/dev/md/md.c
> >
> Nice catch!

This introduces a bug that the old version was (not very well) written
to avoid: overflow at UINT_MAX bytes (typically 4GB).  Previously, md
only overflowed at UINT_MAX sectors (typically 2TB).  Overflow probably
can't happen here yet because most machines can't hold 4GB and others
shouldn't waste 4GB for malloc()able memory.  Overfow at 2TB can easily
happen for the vnode case.

Here are some of md's unchecked overflows:

New bug:

% 	sc->nsect = (mdio->md_size * DEV_BSIZE) / sc->secsize;

This is easy to fix using btodb(), except when DEV_BSIZE > sc->secsize.
Using DEV_BSIZE instead of dbtodb() or btodb() when the latter works is
a style bug even when it works.

vnode case:

% 	/*
% 	 * If the size is specified, override the file attributes.
% 	 */
% 	if (mdio->md_size)
% 		sc->nsect = mdio->md_size;
% 	else
% 		sc->nsect = vattr.va_size / sc->secsize; /* XXX: round up ? */

The assignment overflows when vattr.va_size is large.  The fix is not so
easy.  There are lots of u_int's in md's ABI and implementation.

Bruce

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040519165754.Q13836>