Module Name: src Committed By: maxv Date: Wed Jul 2 15:00:29 UTC 2014
Modified Files: src/sys/kern: subr_kmem.c Log Message: Fix the KMEM_POISON check: it should check the whole buffer, otherwise some write-after-free's wouldn't be detected (those occurring in the 8 last bytes of the allocated buffer). Was here before my changes, spotted by lars@. To generate a diff of this commit: cvs rdiff -u -r1.57 -r1.58 src/sys/kern/subr_kmem.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/kern/subr_kmem.c diff -u src/sys/kern/subr_kmem.c:1.57 src/sys/kern/subr_kmem.c:1.58 --- src/sys/kern/subr_kmem.c:1.57 Tue Jul 1 12:08:33 2014 +++ src/sys/kern/subr_kmem.c Wed Jul 2 15:00:28 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: subr_kmem.c,v 1.57 2014/07/01 12:08:33 maxv Exp $ */ +/* $NetBSD: subr_kmem.c,v 1.58 2014/07/02 15:00:28 maxv Exp $ */ /*- * Copyright (c) 2009 The NetBSD Foundation, Inc. @@ -90,7 +90,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: subr_kmem.c,v 1.57 2014/07/01 12:08:33 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: subr_kmem.c,v 1.58 2014/07/02 15:00:28 maxv Exp $"); #include <sys/param.h> #include <sys/callback.h> @@ -273,7 +273,7 @@ kmem_intr_alloc(size_t requested_size, k p = pool_cache_get(pc, kmflags); if (__predict_true(p != NULL)) { - kmem_poison_check(p, size); + kmem_poison_check(p, allocsz); FREECHECK_OUT(&kmem_freecheck, p); kmem_size_set(p, requested_size); kmem_redzone_fill(p, requested_size + SIZE_SIZE);