git: d78aee09c08b - stable/12 - ffs: Avoid out-of-bounds accesses in the fs_active bitmap

Mark Johnston markj at FreeBSD.org
Wed Jan 6 14:57:53 UTC 2021


The branch stable/12 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=d78aee09c08b575c9bbc4c90a92f6253dfd8fa3b

commit d78aee09c08b575c9bbc4c90a92f6253dfd8fa3b
Author:     Mark Johnston <markj at FreeBSD.org>
AuthorDate: 2020-12-23 16:13:00 +0000
Commit:     Mark Johnston <markj at FreeBSD.org>
CommitDate: 2021-01-06 14:43:22 +0000

    ffs: Avoid out-of-bounds accesses in the fs_active bitmap
    
    We use a bitmap to track which cylinder groups have changed between
    snapshot creation and filesystem suspension.  The "legs" of the bitmap
    are four bytes wide (see ACTIVESET()) so we must round up the allocation
    size to a multiple of four bytes.
    
    I believe this bug is harmless since UMA/kmem_* will both pad the
    allocation and zero the full allocation.  Note that malloc() does inline
    zeroing when the allocation size is known at compile-time.
    
    Reported by:    pho (using KASAN)
    Reviewed by:    kib, mckusick
    
    (cherry picked from commit ace3d9475ceecd9bcb766bb82a1c8f87e8f560be)
---
 sys/ufs/ffs/ffs_snapshot.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/ufs/ffs/ffs_snapshot.c b/sys/ufs/ffs/ffs_snapshot.c
index 3cb999a01c56..749ab28fab56 100644
--- a/sys/ufs/ffs/ffs_snapshot.c
+++ b/sys/ufs/ffs/ffs_snapshot.c
@@ -377,8 +377,8 @@ restart:
 	 * touch up the few cylinder groups that changed during
 	 * the suspension period.
 	 */
-	len = howmany(fs->fs_ncg, NBBY);
-	space = malloc(len, M_DEVBUF, M_WAITOK|M_ZERO);
+	len = roundup2(howmany(fs->fs_ncg, NBBY), sizeof(int));
+	space = malloc(len, M_DEVBUF, M_WAITOK | M_ZERO);
 	UFS_LOCK(ump);
 	fs->fs_active = space;
 	UFS_UNLOCK(ump);
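Review bot: the new `len` expression hard-codes `sizeof(int)` as the leg width, so this line and the ACTIVESET() macro that actually indexes `fs_active` now have to agree by convention rather than by construction. Consider expressing the leg width once (for example a single definition next to ACTIVESET() in the header that both the macro and this `roundup2(howmany(fs->fs_ncg, NBBY), ...)` use), so a future change to the macro's element type cannot silently reintroduce the undersized allocation. The whitespace change on the `malloc(len, M_DEVBUF, M_WAITOK | M_ZERO);` line is unrelated to the fix and would normally be kept out of a cherry-picked bug fix.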
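To see why the byte-granular size was too small, here is an added stand-alone C example (not code from the FreeBSD tree) that recomputes both allocation sizes and the byte range an int-wide bitmap access touches for a given number of cylinder groups; the `howmany`/`roundup2` macros are re-declared to match their sys/param.h definitions, and the int-wide leg indexing is an assumption modelled on the commit message's description of ACTIVESET(), not the real macro.

```c
#include <stddef.h>
#include <stdio.h>

#define NBBY 8
/* Re-declared here with the same shape as the sys/param.h helpers. */
#define howmany(x, y)   (((x) + ((y) - 1)) / (y))
#define roundup2(x, y)  (((x) + ((y) - 1)) & ~((y) - 1))

/* Assumption: the bitmap is indexed in int-wide legs, as the commit
 * message says ACTIVESET() does. */
#define LEG_BITS        (NBBY * sizeof(int))
#define LEG_INDEX(cg)   ((cg) / LEG_BITS)

/* Allocation size before the fix: just enough whole bytes for ncg bits. */
size_t fs_active_len_old(unsigned ncg)
{
	return howmany(ncg, NBBY);
}

/* Allocation size after the fix: rounded up to a whole number of legs. */
size_t fs_active_len_new(unsigned ncg)
{
	return roundup2(howmany(ncg, NBBY), sizeof(int));
}

/* One past the last byte an int-wide access for the last cylinder group
 * (cg = ncg - 1) reads or writes. */
size_t fs_active_bytes_touched(unsigned ncg)
{
	if (ncg == 0)
		return 0;
	return (LEG_INDEX(ncg - 1) + 1) * sizeof(int);
}

/* Nonzero when a leg access would run past an allocation of len bytes. */
int fs_active_overruns(unsigned ncg, size_t len)
{
	return fs_active_bytes_touched(ncg) > len;
}

int main(void)
{
	/* Constructed sample cylinder-group counts, including non-multiples
	 * of 32 where the old size is not a multiple of sizeof(int). */
	unsigned ncgs[] = { 1, 8, 9, 24, 32, 33, 100 };
	for (size_t i = 0; i < sizeof(ncgs) / sizeof(ncgs[0]); i++) {
		unsigned n = ncgs[i];
		printf("ncg=%3u old=%2zu new=%2zu touched=%2zu overrun(old)=%d overrun(new)=%d\n",
		    n, fs_active_len_old(n), fs_active_len_new(n),
		    fs_active_bytes_touched(n),
		    fs_active_overruns(n, fs_active_len_old(n)),
		    fs_active_overruns(n, fs_active_len_new(n)));
	}
	return 0;
}
```

With a strict allocator (or KASAN redzones) every `overrun(old)=1` row is a real out-of-bounds access; with the page's `M_ZERO` plus UMA padding it is masked, which is why the commit calls the bug harmless in practice.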

