Bug 212137

Summary: NULL pointer dereference in the boot zfs code
Product: Base System
Reporter: Andrew Turner <Andrew>
Component: kern
Assignee: Andrew Turner <Andrew>
Status: Closed DUPLICATE
Severity: Affects Some People
CC: allanjude, emaste, gjb
Priority: ---
Version: CURRENT
Hardware: arm64
OS: Any
Attachments:
Patch to work around the issue (flags: none)

Description Andrew Turner freebsd_committer freebsd_triage 2016-08-25 11:15:58 UTC
There seems to be a NULL pointer dereference in boot1.efi and loader.efi when probing a vdev.

In sys/boot/zfs/zfsimpl.c, vdev_probe will create a temp vdev to use to read the vdev label. As part of this it will memset the vdev to 0, then set the needed data; however, the spa remains zero.

It then calls vdev_read_phys with this temp vdev. This will call back into boot1 to perform the read. It then performs a checksum on the data; however, as the spa is NULL, this will cause the NULL pointer dereference, as the checksum code will make use of this pointer.

I've worked around this for now by only calling zio_checksum_verify in vdev_read_phys when the spa is non-NULL and can load loader.efi from boot1 with that.
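A constructed model of the read path described in the report, added here as an example and not code from zfsimpl.c: the structure layouts, names (model_*) and the checksum are simplified stand-ins, but the guard on the spa pointer is the workaround the report describes, and the probe function shows the zeroed temporary vdev that would otherwise fault.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed, simplified model of the structures the report names; this is
 * not the layout from sys/boot/zfs/zfsimpl.c. */
typedef struct spa {
    uint64_t checksum_seed;   /* pool-level checksum parameter kept in the spa */
} spa_t;

typedef struct vdev {
    spa_t *spa;               /* NULL for the temporary vdev built by vdev_probe */
    const uint8_t *backing;   /* constructed in-memory stand-in for the disk */
    size_t backing_len;
} vdev_t;

/* Checksum that reads a parameter from the spa, so it must not run on a vdev
 * whose spa pointer is NULL. */
uint64_t model_checksum(const spa_t *spa, const uint8_t *buf, size_t len)
{
    uint64_t sum = spa->checksum_seed;
    for (size_t i = 0; i < len; i++)
        sum = sum * 31 + buf[i];
    return sum;
}

/* Read len bytes at off into buf. Mirrors the workaround: the checksum is
 * verified only when the vdev carries a spa. Returns 0 on success, -1 for an
 * out-of-range read and -2 for a checksum mismatch. */
int model_read_phys(const vdev_t *vd, size_t off, uint8_t *buf, size_t len,
                    uint64_t expected)
{
    if (len > vd->backing_len || off > vd->backing_len - len)
        return -1;
    memcpy(buf, vd->backing + off, len);
    if (vd->spa != NULL && model_checksum(vd->spa, buf, len) != expected)
        return -2;
    return 0;
}

/* The probe path from the report: a zeroed temporary vdev (spa == NULL)
 * reading a label. With the guard above this returns 0 instead of faulting. */
int model_probe_label(const uint8_t *disk, size_t disk_len, uint8_t *out, size_t len)
{
    vdev_t tmp;
    memset(&tmp, 0, sizeof(tmp));   /* spa stays NULL, as in vdev_probe */
    tmp.backing = disk;
    tmp.backing_len = disk_len;
    return model_read_phys(&tmp, 0, out, len, 0);
}
```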
Comment 1 Andrew Turner freebsd_committer freebsd_triage 2016-08-25 11:22:00 UTC
Created attachment 174051 [details]
Patch to work around the issue
Comment 2 Andrew Turner freebsd_committer freebsd_triage 2016-08-25 13:10:46 UTC
Seems to be fixed in r304753.

*** This bug has been marked as a duplicate of bug 212114 ***