Module Name: src
Committed By: maxv
Date: Wed Jul 2 15:00:29 UTC 2014
Modified Files:
src/sys/kern: subr_kmem.c
Log Message:
Fix the KMEM_POISON check: it should check the whole buffer, otherwise some
write-after-free's wouldn't be detected (those occurring in the 8 last bytes
of the allocated buffer).
Was here before my changes, spotted by lars@.
To generate a diff of this commit:
cvs rdiff -u -r1.57 -r1.58 src/sys/kern/subr_kmem.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/subr_kmem.c
diff -u src/sys/kern/subr_kmem.c:1.57 src/sys/kern/subr_kmem.c:1.58
--- src/sys/kern/subr_kmem.c:1.57 Tue Jul 1 12:08:33 2014
+++ src/sys/kern/subr_kmem.c Wed Jul 2 15:00:28 2014
@@ -1,4 +1,4 @@
-/* $NetBSD: subr_kmem.c,v 1.57 2014/07/01 12:08:33 maxv Exp $ */
+/* $NetBSD: subr_kmem.c,v 1.58 2014/07/02 15:00:28 maxv Exp $ */
/*-
* Copyright (c) 2009 The NetBSD Foundation, Inc.
@@ -90,7 +90,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: subr_kmem.c,v 1.57 2014/07/01 12:08:33 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: subr_kmem.c,v 1.58 2014/07/02 15:00:28 maxv Exp $");
#include <sys/param.h>
#include <sys/callback.h>
@@ -273,7 +273,7 @@ kmem_intr_alloc(size_t requested_size, k
p = pool_cache_get(pc, kmflags);
if (__predict_true(p != NULL)) {
- kmem_poison_check(p, size);
+ kmem_poison_check(p, allocsz);
FREECHECK_OUT(&kmem_freecheck, p);
kmem_size_set(p, requested_size);
kmem_redzone_fill(p, requested_size + SIZE_SIZE);
