[Bug 284593] geom/raid/md_ddf.c can cause vmem_alloc() to crash
Date: Wed, 05 Feb 2025 16:14:26 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284593
Bug ID: 284593
Summary: geom/raid/md_ddf.c can cause vmem_alloc() to crash
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: rtm@lcs.mit.edu
In a situation where something like a USB thumb drive can supply
whatever value it likes for provider->sectorsize, during taste
ddf_meta_read() can call g_read_data() with a crazy length.
With an INVARIANTS kernel, this might be caught by g_read_data()'s
KASSERT(length > 0 && length >= cp->provider->sectorsize &&
length <= maxphys, ("g_read_data(): invalid length %jd",
(intmax_t)length));
Without INVARIANTS, g_read_data() can pass a crazy size value to
g_malloc(). One possibility is that the size (due to sign-extension)
is near the maximum 64-bit number, in which case the DEBUG_REDZONE
increment added by redzone_size_ntor() and/or the roundup() in
malloc_large() can wrap the size to zero. With INVARIANTS,
vmem_alloc() will then trip over
MPASS(size > 0);
Without INVARIANTS, a size of zero will cause this array reference in
vmem_alloc() to fault:
qc = &vm->vm_qcache[(size - 1) >> vm->vm_quantum_shift];
The sii, nvidia, jmicron, and intel xxx_meta_read() functions have
similar code that uses provider->sectorsize without enough
sanity-checking.
I can reproduce this, with the following back-trace:
#0 vmem_alloc (vm=0xffffffd000808000, size=0, flags=<optimized out>,
addrp=0xffffffc08284c7e0) at /usr/rtm/symbsd/src/sys/kern/subr_vmem.c:1331
#1 0xffffffc000741e76 in kmem_malloc_domain (flags=2, domain=<optimized out>,
size=<optimized out>) at /usr/rtm/symbsd/src/sys/vm/vm_kern.c:483
#2 kmem_malloc_domainset (ds=<optimized out>, size=<optimized out>, flags=2)
at /usr/rtm/symbsd/src/sys/vm/vm_kern.c:515
#3 0xffffffc0003b3ce2 in malloc_large (size=0,
mtp=0xffffffc0009de050 <M_GEOM>, policy=0xffffffd000808000, flags=2,
osize=18446744073709543416)
at /usr/rtm/symbsd/src/sys/kern/kern_malloc.c:602
#4 0xffffffc0003b3b62 in malloc (size=18446744073709547528,
mtp=0xffffffc0009de050 <M_GEOM>, flags=2)
at /usr/rtm/symbsd/src/sys/kern/kern_malloc.c:659
#5 0xffffffc00032ec96 in g_malloc (size=-8200, flags=2)
at /usr/rtm/symbsd/src/sys/geom/geom.h:371
#6 g_read_data (cp=0xffffffd002b41880, offset=4398038114304,
length=4294959096, error=0xffffffc08284ca2c)
at /usr/rtm/symbsd/src/sys/geom/geom_io.c:909
#7 0xffffffc000344554 in ddf_meta_read (cp=0xffffffd002b41880,
meta=0xffffffc08284c9d8) at /usr/rtm/symbsd/src/sys/geom/raid/md_ddf.c:1052
#8 g_raid_md_taste_ddf (md=0xffffffd001a44d00,
mp=0xffffffc0009e0fd0 <g_raid_class>, cp=0xffffffd002b41880,
gp=0xffffffc08284cac0) at /usr/rtm/symbsd/src/sys/geom/raid/md_ddf.c:2172
#9 0xffffffc00033e9fc in G_RAID_MD_TASTE (md=0xffffffd001a44d00,
mp=0xffffffc0009e0fd0 <g_raid_class>, cp=0xffffffd002b41880,
gp=0xffffffc08284cac0) at ./g_raid_md_if.h:70
#10 g_raid_taste (mp=0xffffffc0009e0fd0 <g_raid_class>, pp=0xffffffd002b4bf00,
flags=<optimized out>) at /usr/rtm/symbsd/src/sys/geom/raid/g_raid.c:2240
#11 0xffffffc000331d42 in g_new_provider_event (arg=0xffffffd002b4bf00,
flag=<optimized out>) at /usr/rtm/symbsd/src/sys/geom/geom_subr.c:592
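As an added illustration that is not part of the bug report, the C model below reproduces the size arithmetic visible in frames #5 down to #0 of the backtrace (the -8200 length becoming a huge size_t, the redzone pad pushing it further, the page round-up wrapping it to 0, and the out-of-range vm_qcache index that follows), and puts the conditions of g_read_data()'s KASSERT into a check a metadata reader could apply unconditionally to a provider-derived length. The 4096-byte page, the 12-bit quantum shift and a maxphys of 128 KiB are assumptions; the 4112-byte redzone pad is taken from the difference between osize in frame #3 and size in frame #4.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_PAGE_SIZE     4096ULL          /* assumption: 4 KiB pages */
#define MODEL_REDZONE_PAD   4112ULL          /* frame #4 size minus frame #3 osize */
#define MODEL_MAXPHYS       (128ULL * 1024)  /* assumption: typical maxphys */
#define MODEL_QUANTUM_SHIFT 12               /* assumption: vm_quantum_shift */

/* Frame #5 -> #4: a negative length becomes a huge unsigned size (sign-extension). */
uint64_t sign_extended_size(int64_t length)
{
	return (uint64_t)length;
}

/* Frame #4 -> #3: DEBUG_REDZONE pads the request; the addition wraps modulo 2^64. */
uint64_t redzoned_size(uint64_t osize)
{
	return osize + MODEL_REDZONE_PAD;
}

/* Frame #3 -> #2: malloc_large's roundup() to a page boundary wraps a size
 * within one page of 2^64 to exactly zero. */
uint64_t page_rounded_size(uint64_t size)
{
	return (size + MODEL_PAGE_SIZE - 1) & ~(MODEL_PAGE_SIZE - 1);
}

/* Frame #0: the index vmem_alloc() would form for vm_qcache[] with size 0,
 * far beyond any real cache array. */
uint64_t qcache_index(uint64_t size)
{
	return (size - 1) >> MODEL_QUANTUM_SHIFT;
}

/* The same three conditions as the KASSERT in g_read_data(), usable as an
 * always-on check before trusting a sectorsize-derived read length. */
bool read_length_is_sane(int64_t length, uint64_t sectorsize)
{
	return length > 0 && (uint64_t)length >= sectorsize &&
	    (uint64_t)length <= MODEL_MAXPHYS;
}

int main(void)
{
	int64_t length = -8200;	/* value seen in frame #5 of the report */
	uint64_t osize = sign_extended_size(length);
	uint64_t padded = redzoned_size(osize);
	uint64_t rounded = page_rounded_size(padded);

	printf("osize=%llu padded=%llu rounded=%llu qcache_index=%llu sane=%d\n",
	    (unsigned long long)osize, (unsigned long long)padded,
	    (unsigned long long)rounded, (unsigned long long)qcache_index(rounded),
	    read_length_is_sane(length, 512));
	return 0;
}
```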