https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=290409
Dag-Erling Smørgrav <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|New                         |Closed
         Resolution|---                         |Works As Intended
                 CC|                            |[email protected]

--- Comment #1 from Dag-Erling Smørgrav <[email protected]> ---
(In reply to Igor Gabriel S. Souza from comment #0)
> The values `in.dbsz` and `out.dbsz` come from command-line arguments
> (`ibs=`, `obs=`, or `bs=`).
>
> Both are `size_t`, but they can be assigned from an integer without
> validation, coming from argv parsing.

Validation is performed in f_bs(), f_ibs() and f_obs() in bin/dd/args.c.

> The calculation `(size_t)out.dbsz + in.dbsz - 1` can exceed
> `SIZE_MAX`, which causes an arithmetic overflow and the result wraps
> to a small value — `malloc()` then allocates less memory than the code
> expects.

Both variables are constrained to SSIZE_MAX (2^63 - 1), therefore their sum
cannot exceed SIZE_MAX - 1 (2^64 - 2).

> root@igor:~ # valgrind dd if=infile of=outfile ibs=9223372036854775800
> obs=9223372036854775800
> [...]
> dd: input buffer: Cannot allocate memory
> [...]
> This confirms heap corruption.

No, it means that dd tried to allocate more memory than is possible and
malloc() returned NULL.

You can confirm this with ktrace:

% MALLOC_CONF=utrace:true ktrace dd if=/boot/CRASH/kernel of=/dev/zero ibs=9223372036854775800 obs=9223372036854775800
dd: input buffer: Cannot allocate memory
% kdump | grep malloc
 66287 dd       NAMI  "/etc/malloc.conf"
 66287 dd       USER  0x3dcfc8c08000 = malloc(128)
 66287 dd       USER  0x3dcfc8c09600 = malloc(104160)
 66287 dd       USER  0x3dcfc8c26000 = malloc(22)
 66287 dd       USER  0x3dcfc8c27000 = malloc(13)
 66287 dd       USER  0x3dcfc8c26020 = malloc(24)
 66287 dd       USER  0x3dcfc8c26040 = malloc(24)
 66287 dd       USER  0x0 = malloc(18446744073709551599)
 66287 dd       USER  0x3dcfc8c28000 = malloc(2)
 66287 dd       USER  0x3dcfc8c29000 = malloc(104)
 66287 dd       USER  0x3dcfc8c30000 = malloc(56)
 66287 dd       USER  0x3dcfc8c28000 = malloc(5)
 66287 dd       USER  0x3dcfc8c28008 = malloc(2)

-- 
You are receiving this mail because:
You are the assignee for the bug.
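The arithmetic behind the "Works As Intended" resolution, as an added example that is not part of the bug report or of FreeBSD's dd: two block sizes each capped at SSIZE_MAX (2^63 - 1 on an LP64 target) cannot wrap when combined as out.dbsz + in.dbsz - 1, so malloc() sees a genuinely huge request and returns NULL instead of a short buffer; the same expression only wraps if the cap is missing. validate_bs(), unchecked_size(), buf_size_for() and alloc_refused() are hypothetical stand-ins, not dd's own functions, and BS_LIMIT is assumed to equal the SSIZE_MAX bound the comment attributes to f_bs()/f_ibs()/f_obs().

```c
/* Added example, not code from the bug report or from FreeBSD's dd.
 * validate_bs(), unchecked_size(), buf_size_for() and alloc_refused()
 * are hypothetical helpers that reproduce the reasoning in comment #1. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Upper bound a validated block size may take.  SIZE_MAX / 2 equals
 * SSIZE_MAX (2^63 - 1) on a 64-bit target, the limit the comment says
 * dd's argument parsing enforces (assumed here, not taken from args.c). */
#define BS_LIMIT (SIZE_MAX / 2)

/* Accept a parsed block size only if it is non-zero and within BS_LIMIT
 * (stand-in for dd's f_bs()/f_ibs()/f_obs() checks). */
bool validate_bs(unsigned long long raw, size_t *bs)
{
    if (raw == 0 || raw > BS_LIMIT)
        return false;
    *bs = (size_t)raw;
    return true;
}

/* The expression from the report with no overflow check.  It can only
 * wrap when the operands were never bounded. */
size_t unchecked_size(size_t out_dbsz, size_t in_dbsz)
{
    return out_dbsz + in_dbsz - 1;
}

/* Same computation, refusing to wrap: in_dbsz may not exceed the room
 * left below SIZE_MAX once out_dbsz is taken.  With both operands at
 * BS_LIMIT the sum is SIZE_MAX - 1 and the result SIZE_MAX - 2. */
bool buf_size_for(size_t out_dbsz, size_t in_dbsz, size_t *need)
{
    if (in_dbsz > SIZE_MAX - out_dbsz)
        return false;            /* sum would exceed SIZE_MAX */
    *need = out_dbsz + in_dbsz - 1;
    return true;
}

/* True when malloc() refuses the request with NULL, which is what the
 * "Cannot allocate memory" message in the report corresponds to. */
bool alloc_refused(size_t n)
{
    void *p = malloc(n);
    if (p == NULL)
        return true;
    free(p);
    return false;
}

int main(void)
{
    size_t in_bs = 0, out_bs = 0, need = 0;

    /* Two validated sizes at the cap: no wrap, result is SIZE_MAX - 2. */
    validate_bs(BS_LIMIT, &in_bs);
    validate_bs(BS_LIMIT, &out_bs);
    if (buf_size_for(out_bs, in_bs, &need))
        printf("capped inputs: need = SIZE_MAX - %zu\n", SIZE_MAX - need);

    /* The report's values, 9223372036854775800 = SSIZE_MAX - 7 on LP64:
     * the sum does not wrap; the request (SIZE_MAX - 16) is simply too
     * large and malloc() returns NULL. */
    validate_bs(BS_LIMIT - 7, &in_bs);
    validate_bs(BS_LIMIT - 7, &out_bs);
    if (buf_size_for(out_bs, in_bs, &need))
        printf("report's sizes: malloc(%zu) refused: %s\n", need,
               alloc_refused(need) ? "yes" : "no");

    /* Without the cap, SIZE_MAX and 2 would make the unchecked expression
     * wrap to 0; the checked version reports the overflow instead, and
     * the validator never lets SIZE_MAX through in the first place. */
    printf("unbounded SIZE_MAX + 2 - 1: unchecked -> %zu, checked -> %s\n",
           unchecked_size(SIZE_MAX, 2),
           buf_size_for(SIZE_MAX, 2, &need) ? "ok" : "overflow");
    printf("validate_bs(SIZE_MAX) accepted: %s\n",
           validate_bs(SIZE_MAX, &in_bs) ? "yes" : "no");
    return 0;
}
```

The check in buf_size_for() is the portable form of the test (it does not rely on compiler builtins); whether the bound comes from the parser, as in dd, or from an explicit check at the allocation site, the point is the same: a NULL from malloc() for a request near SIZE_MAX is an oversized allocation being refused, not evidence of a short buffer.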
