Bug 216939 - A buffer underflow in the ZFS implementation of vop_vptocnp VFS method
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 10.3-STABLE
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Andriy Gapon
Keywords: patch
Reported: 2017-02-09 13:49 UTC by Iouri V. Ivliev
Modified: 2017-02-21 09:35 UTC

Attachments
This patch adds check for remaining buffer space. ENOMEM will be returned when buffer too small. (489 bytes, application/x-gzip)
2017-02-09 13:49 UTC, Iouri V. Ivliev
This patch adds check for remaining buffer space. ENOMEM will be returned when buffer too small. (1.18 KB, patch)
2017-02-09 14:27 UTC, Iouri V. Ivliev

Description Iouri V. Ivliev 2017-02-09 13:49:12 UTC
Created attachment 179795
This patch adds check for remaining buffer space. ENOMEM will be returned when buffer too small.

The ZFS implementation of the vop_vptocnp VFS method doesn't check for remaining buffer space, so some memory before the beginning of the buffer may be overwritten. Also, a negative buffer length may be returned. This affects at least the kern___getcwd function on 64-bit platforms. The buffer length in vn_fullpath1, used by kern___getcwd, is declared as unsigned int, so a '/' char may be written far beyond the end of the buffer.
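
An added illustration, not part of the original report or of the committed patch: a userland C model of the failure mode described above, with the unchecked back-to-front prepend next to a variant that returns ENOMEM when the component does not fit. The names prepend, run and slash_index, the guard-byte arena and the name "snapshot-01" are constructed for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout: 8 guard bytes followed by an 8-byte path buffer. */
#define GUARD 8
#define BUFSZ 8
static char arena[GUARD + BUFSZ];

/* Back-to-front prepend of one name component (hypothetical helper).
 * check == 0 trusts that the name fits; check != 0 returns ENOMEM instead. */
static int prepend(int check, const char *name, char *buf, int *buflen)
{
    int len = (int)strlen(name);
    if (check && *buflen < len)
        return ENOMEM;
    *buflen -= len;                           /* may go negative if unchecked */
    memcpy(buf + *buflen, name, (size_t)len); /* then starts before buf */
    return 0;
}

/* Runs one variant on a fresh arena; returns how many guard bytes changed. */
static int run(int check, const char *name, int *buflen_out, int *err_out)
{
    char *buf = arena + GUARD;
    int damaged = 0;
    *buflen_out = BUFSZ;
    memset(arena, 'G', GUARD);
    memset(buf, 0, BUFSZ);
    *err_out = prepend(check, name, buf, buflen_out);
    for (int i = 0; i < GUARD; i++)
        damaged += (arena[i] != 'G');
    return damaged;
}

/* Index a caller keeping the length as unsigned int uses for buf[--buflen]. */
static unsigned int slash_index(int buflen)
{
    return (unsigned int)buflen - 1u;
}

int main(void)
{
    int len, err, hit = run(0, "snapshot-01", &len, &err);
    printf("unchecked: buflen=%d guard_hit=%d slash_at=%u\n", len, hit, slash_index(len));
    hit = run(1, "snapshot-01", &len, &err);
    printf("checked:   buflen=%d guard_hit=%d err=%d\n", len, hit, err);
    return 0;
}
```

The guard bytes keep the stray write inside one array so the model has defined behaviour; in the situation the report describes, nothing bounds the write before the buffer.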
Comment 1 Iouri V. Ivliev 2017-02-09 14:27:44 UTC
Created attachment 179798
This patch adds check for remaining buffer space. ENOMEM will be returned when buffer too small.

Reupload of the patch with the correct MIME type.
Comment 2 commit-hook freebsd_committer freebsd_triage 2017-02-12 19:41:25 UTC
A commit references this bug:

Author: avg
Date: Sun Feb 12 19:40:59 UTC 2017
New revision: 313686
URL: https://svnweb.freebsd.org/changeset/base/313686

Log:
  check remaining space in zfs implementations of vptocnp

  PR:		216939
  Submitted by:	Iouri V. Ivliev <fbsd@any.com.ru>
  MFC after:	1 week

Changes:
  head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ctldir.c
  head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c
Comment 3 Andriy Gapon freebsd_committer freebsd_triage 2017-02-12 19:42:49 UTC
Committed, thank you!
Comment 4 commit-hook freebsd_committer freebsd_triage 2017-02-21 08:58:30 UTC
A commit references this bug:

Author: avg
Date: Tue Feb 21 08:57:28 UTC 2017
New revision: 314029
URL: https://svnweb.freebsd.org/changeset/base/314029

Log:
  MFC r313686: check remaining space in zfs implementations of vptocnp

  PR:		216939

Changes:
_U  stable/10/
  stable/10/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ctldir.c
  stable/10/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c
Comment 5 commit-hook freebsd_committer freebsd_triage 2017-02-21 08:58:34 UTC
A commit references this bug:

Author: avg
Date: Tue Feb 21 08:57:29 UTC 2017
New revision: 314030
URL: https://svnweb.freebsd.org/changeset/base/314030

Log:
  MFC r313686: check remaining space in zfs implementations of vptocnp

  PR:		216939

Changes:
_U  stable/11/
  stable/11/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ctldir.c
  stable/11/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c