svn commit: r215155 - in stable: 7/sys/cddl/contrib/opensolaris/uts/common/fs/zfs 8/sys/cddl/contrib/opensolaris/uts/common/fs/zfs

Xin LI delphij at FreeBSD.org
Fri Nov 12 01:45:30 UTC 2010


Author: delphij
Date: Fri Nov 12 01:45:29 2010
New Revision: 215155
URL: http://svn.freebsd.org/changeset/base/215155

Log:
  MFC r214854:
  
  Validate whether the zfs_cmd_t submitted from userland is not smaller than
  what we have.  Without the check the kernel could access memory that
  does not belong to the request struct.
  
  Note that we do not test if the struct equals in size at this time, which
  may facilitate forward compatibility with newer binaries.

Modified:
  stable/7/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ioctl.c
Directory Properties:
  stable/7/sys/   (props changed)
  stable/7/sys/cddl/contrib/opensolaris/   (props changed)
  stable/7/sys/contrib/dev/acpica/   (props changed)
  stable/7/sys/contrib/pf/   (props changed)

Changes in other areas also in this revision:
Modified:
  stable/8/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ioctl.c
Directory Properties:
  stable/8/sys/   (props changed)
  stable/8/sys/amd64/include/xen/   (props changed)
  stable/8/sys/cddl/contrib/opensolaris/   (props changed)
  stable/8/sys/contrib/dev/acpica/   (props changed)
  stable/8/sys/contrib/pf/   (props changed)
  stable/8/sys/dev/xen/xenpci/   (props changed)

Modified: stable/7/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ioctl.c
==============================================================================
--- stable/7/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ioctl.c	Fri Nov 12 01:40:29 2010	(r215154)
+++ stable/7/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ioctl.c	Fri Nov 12 01:45:29 2010	(r215155)
@@ -2989,6 +2989,14 @@ zfsdev_ioctl(struct cdev *dev, u_long cm
 	uint_t vec;
 	int error;
 
+	/*
+	 * Check if we have sufficient kernel memory allocated
+	 * for the zfs_cmd_t request.  Bail out if not so we
+	 * will not access undefined memory region.
+	 */
+	if (IOCPARM_LEN(cmd) < sizeof(zfs_cmd_t))
+		return (EINVAL);
+
 	vec = ZFS_IOC(cmd);
 
 	if (vec >= sizeof (zfs_ioc_vec) / sizeof (zfs_ioc_vec[0]))
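
Review bot: The comment above the new `IOCPARM_LEN(cmd) < sizeof(zfs_cmd_t)` test does not say why the comparison is `<` rather than `!=`, so a later reader could tighten it to an equality check or assume the request is exactly `sizeof(zfs_cmd_t)` bytes. The log message gives the reason (larger structs are accepted deliberately for forward compatibility with newer binaries); a sentence to that effect in the comment would keep the intent next to the code. It would also help to state that the code after this check must only touch the first `sizeof(zfs_cmd_t)` bytes of the request, since anything beyond that in a larger request is not interpreted here. Minor style point: the added line writes `sizeof(zfs_cmd_t)` while the context line below uses `sizeof (zfs_ioc_vec)` with a space, so matching the file's existing spacing would be consistent.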

