git: 92f299dc666d - stable/14 - libgeom: Fix segfault in 32-on-64 case
Date: Mon, 12 Jan 2026 17:19:29 UTC
The branch stable/14 has been updated by des:
URL: https://cgit.FreeBSD.org/src/commit/?id=92f299dc666d82925abbe33e826eb52fb1ffb013
commit 92f299dc666d82925abbe33e826eb52fb1ffb013
Author: Dag-Erling Smørgrav <des@FreeBSD.org>
AuthorDate: 2026-01-03 09:09:51 +0000
Commit: Dag-Erling Smørgrav <des@FreeBSD.org>
CommitDate: 2026-01-11 02:30:31 +0000
libgeom: Fix segfault in 32-on-64 case
We were using strtoul() to parse object identifiers, which are kernel
pointers. This works fine as long as the kernel and userland match,
but in a 32-bit libgeom on a 64-bit kernel this will return ULONG_MAX
for all objects, resulting in memory corruption when we later pick the
wrong object while resolving consumer-producer references.
MFC after: 1 week
PR: 292127
Reviewed by: imp
Differential Revision: https://reviews.freebsd.org/D54452
(cherry picked from commit 27894e20f140ee2729c14b589035870c8185b87d)
---
lib/libgeom/geom_xml2tree.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/libgeom/geom_xml2tree.c b/lib/libgeom/geom_xml2tree.c
index 2d2c43e29e77..161425d9fadf 100644
--- a/lib/libgeom/geom_xml2tree.c
+++ b/lib/libgeom/geom_xml2tree.c
@@ -76,10 +76,10 @@ StartElement(void *userData, const char *name, const char **attr)
ref = NULL;
for (i = 0; attr[i] != NULL; i += 2) {
if (!strcmp(attr[i], "id")) {
- id = (void *)strtoul(attr[i + 1], NULL, 0);
+ id = (void *)strtoumax(attr[i + 1], NULL, 0);
mt->nident++;
} else if (!strcmp(attr[i], "ref")) {
- ref = (void *)strtoul(attr[i + 1], NULL, 0);
+ ref = (void *)strtoumax(attr[i + 1], NULL, 0);
} else
printf("%*.*s[%s = %s]\n",
mt->level + 1, mt->level + 1, "",
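Review bot: On the `id` and `ref` assignments, the `uintmax_t` returned by `strtoumax()` is cast straight to `void *`, so in a 32-bit libgeom the value is narrowed to pointer width and in practice only the low bits of the 64-bit kernel identifier are kept. That no longer saturates every identifier to `ULONG_MAX`, but two objects whose identifiers differ only in the upper bits would still end up with the same `id`/`ref` value. Consider storing identifiers in a `uintmax_t` (or `uint64_t`) field and comparing them as integers, or at least casting through `uintptr_t` with a comment saying the truncation is intentional. Both calls also pass `NULL` as the end pointer, so a malformed or out-of-range attribute value is accepted silently; checking `endptr` and `errno` would let the parser reject it. The diffstat shows only the two changed lines and no added include, so please confirm `<inttypes.h>` is already included in this file for the `strtoumax()` prototype.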