Bug 216939

Summary: A buffer underflow in the ZFS implementation of vop_vptocnp VFS method
Product: Base System
Component: kern
Status: Closed FIXED
Severity: Affects Some People
Priority: ---
Version: 10.3-STABLE
Hardware: Any
OS: Any
Reporter: Iouri V. Ivliev <fbsd>
Assignee: Andriy Gapon <avg>
CC: avg
Keywords: patch
Attachments:
Description Flags
This patch adds check for remaining buffer space. ENOMEM will be returned when buffer too small. none
This patch adds check for remaining buffer space. ENOMEM will be returned when buffer too small. none

Description Iouri V. Ivliev 2017-02-09 13:49:12 UTC
Created attachment 179795
This patch adds check for remaining buffer space. ENOMEM will be returned when buffer too small.

The ZFS implementation of the vop_vptocnp VFS method doesn't check for remaining buffer space, so some memory before the beginning of the buffer may be overwritten. Also, a negative buffer length may be returned. This affects at least the kern___getcwd function on 64-bit platforms. The buffer length in vn_fullpath1, used by kern___getcwd, is declared as unsigned int, so a '/' char may be written far beyond the end of the buffer.
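The failure mode described in the report, as an added userland model that is not part of the original report and is not the FreeBSD or ZFS source. It assumes the component name is copied in front of the path built so far and that buflen tracks the space left; the function names, the guard arena and the sizes are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define GUARD 16	/* constructed: arena bytes in front of the path buffer */
#define BUFSZ 8		/* constructed: deliberately small path buffer */

/* Unchecked prepend: the behaviour the report describes. */
static int prepend_unchecked(const char *name, char *buf, int *buflen)
{
	int len = (int)strlen(name);
	*buflen -= len;				/* can go negative */
	memcpy(buf + *buflen, name, len);	/* then lands before buf[0] */
	return (0);
}

/* Checked prepend: ENOMEM when the name does not fit in what is left. */
static int prepend_checked(const char *name, char *buf, int *buflen)
{
	int len = (int)strlen(name);
	if (*buflen < len)
		return (ENOMEM);
	*buflen -= len;
	memcpy(buf + *buflen, name, len);
	return (0);
}

/* Count guard bytes changed by one prepend; name must be at most GUARD chars. */
static int run(int (*prepend)(const char *, char *, int *), const char *name,
    int *buflen, int *error)
{
	char arena[GUARD + BUFSZ];	/* path buffer starts GUARD bytes in */
	int i, clobbered = 0;
	memset(arena, 0xAA, sizeof(arena));
	*buflen = BUFSZ;
	*error = prepend(name, arena + GUARD, buflen);
	for (i = 0; i < GUARD; i++)
		clobbered += ((unsigned char)arena[i] != 0xAA);
	return (clobbered);
}

int main(void)
{
	int len, err, n = run(prepend_unchecked, "snapshot-x", &len, &err);
	printf("unchecked: %d guard bytes hit, buflen %d (%u unsigned)\n", n, len, (unsigned)len);
	n = run(prepend_checked, "snapshot-x", &len, &err);
	printf("checked: %d guard bytes hit, error %d\n", n, err);
	return (0);
}
```

The guard arena keeps the out-of-bounds write inside one object so the model can count it; the unsigned value printed for the unchecked case shows why a caller that treats the returned length as unsigned int then indexes far past the end of the buffer.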
Comment 1 Iouri V. Ivliev 2017-02-09 14:27:44 UTC
Created attachment 179798
This patch adds check for remaining buffer space. ENOMEM will be returned when buffer too small.

Reupload the patch with correct mime type
Comment 2 commit-hook freebsd_committer freebsd_triage 2017-02-12 19:41:25 UTC
A commit references this bug:

Author: avg
Date: Sun Feb 12 19:40:59 UTC 2017
New revision: 313686
URL: https://svnweb.freebsd.org/changeset/base/313686

Log:
  check remaining space in zfs implementations of vptocnp

  PR:		216939
  Submitted by:	Iouri V. Ivliev <fbsd@any.com.ru>
  MFC after:	1 week

Changes:
  head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ctldir.c
  head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c
Comment 3 Andriy Gapon freebsd_committer freebsd_triage 2017-02-12 19:42:49 UTC
Committed, thank you!
Comment 4 commit-hook freebsd_committer freebsd_triage 2017-02-21 08:58:30 UTC
A commit references this bug:

Author: avg
Date: Tue Feb 21 08:57:28 UTC 2017
New revision: 314029
URL: https://svnweb.freebsd.org/changeset/base/314029

Log:
  MFC r313686: check remaining space in zfs implementations of vptocnp

  PR:		216939

Changes:
_U  stable/10/
  stable/10/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ctldir.c
  stable/10/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c
Comment 5 commit-hook freebsd_committer freebsd_triage 2017-02-21 08:58:34 UTC
A commit references this bug:

Author: avg
Date: Tue Feb 21 08:57:29 UTC 2017
New revision: 314030
URL: https://svnweb.freebsd.org/changeset/base/314030

Log:
  MFC r313686: check remaining space in zfs implementations of vptocnp

  PR:		216939

Changes:
_U  stable/11/
  stable/11/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ctldir.c
  stable/11/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c