[Bug 204358] zfs loader zfs_probe_args secsz is too small, causing memory corruption
bugzilla-noreply at freebsd.org
Sat Nov 7 13:20:41 UTC 2015
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204358
Bug ID: 204358
Summary: zfs loader zfs_probe_args secsz is too small, causing memory corruption
Product: Base System
Version: 11.0-CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: freebsd-bugs at FreeBSD.org
Reporter: tsoome at me.com
sys/boot/zfs/zfs.c has a probe args structure that includes a uint16_t secsz variable
for the media sector size; it is used as an argument to ioctl() at line 484:
ioctl(pa.fd, DIOCGSECTORSIZE, &pa.secsz);
However, this ioctl expects 32-bit data (u_int *), so it will overwrite and corrupt
the 16 bits of memory that follow the field.
The other call sites use the correct u_int type for secsz.
For the fix, the following patch should be sufficient.
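Added illustration of the bug class, not code from the report or from sys/boot/zfs/zfs.c: the struct names, the hypothetical neighbour field and the emulated ioctl are constructed so the overwrite can be observed in userland without a disk device, and a _Static_assert shows the check that would have caught the narrow field at compile time.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the original layout: a 16-bit secsz followed by a
 * hypothetical neighbour field that occupies the next two bytes. */
struct probe_args_bad {
    int fd;
    uint16_t secsz;     /* too narrow for what DIOCGSECTORSIZE writes */
    uint16_t neighbour; /* hypothetical; used only to observe the overwrite */
};

/* Same layout after the fix: secsz is as wide as the ioctl's u_int argument. */
struct probe_args_good {
    int fd;
    unsigned int secsz; /* u_int in FreeBSD headers */
    uint16_t neighbour;
};

/* Compile-time guard: the field must be exactly the width the ioctl writes. */
_Static_assert(sizeof(((struct probe_args_good *)0)->secsz) == sizeof(unsigned int),
               "secsz must match the u_int written by DIOCGSECTORSIZE");

/* Emulates the kernel side of DIOCGSECTORSIZE: it copies a full unsigned int
 * (4 bytes) to whatever address the caller handed in, with no knowledge of
 * how wide the caller's field actually is. */
static void fake_diocgsectorsize(void *arg, unsigned int sector_size)
{
    memcpy(arg, &sector_size, sizeof sector_size);
}

/* Returns 1 if the 16-bit field's neighbour was clobbered by the 4-byte write. */
int bad_layout_clobbers_neighbour(void)
{
    struct probe_args_bad pa = { .fd = 3, .secsz = 0, .neighbour = 0xBEEF };
    fake_diocgsectorsize(&pa.secsz, 4096); /* 4 bytes land on secsz + neighbour */
    return pa.neighbour != 0xBEEF;
}

/* Returns 1 if the widened field receives the value and its neighbour survives. */
int good_layout_is_intact(void)
{
    struct probe_args_good pa = { .fd = 3, .secsz = 0, .neighbour = 0xBEEF };
    fake_diocgsectorsize(&pa.secsz, 4096);
    return pa.secsz == 4096 && pa.neighbour == 0xBEEF;
}
```

Which half of the 4096 ends up in the narrow secsz depends on byte order, which is why the bad case only checks that the neighbour changed.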
tsoome at beastie:/code/freebsd/head/sys/boot/zfs$ diff -u zfs.c.orig zfs.c
--- zfs.c.orig N apr 16 14:49:00 2015
+++ zfs.c L nov 7 15:13:55 2015
@@ -399,7 +399,7 @@
int fd;
const char *devname;
uint64_t *pool_guid;
- uint16_t secsz;
+ u_int secsz;
};
static int
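Review bot: widening `uint16_t secsz;` to `u_int secsz;` makes the field the same width as the object DIOCGSECTORSIZE writes through its `u_int *` argument, so the `ioctl(pa.fd, DIOCGSECTORSIZE, &pa.secsz);` call at line 484 no longer spills 16 bits into the following struct member. Before committing, it is worth confirming that every other reader of `secsz` in zfs.c (format strings, narrowing assignments) still matches the wider type, and a one-line comment on the field stating that it must stay `u_int` to match the ioctl would guard against the regression.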