[Bug 204358] zfs loader zfs_probe_args secsz is too small, causing memory corruption

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Sat Nov 7 13:20:41 UTC 2015


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204358

            Bug ID: 204358
           Summary: zfs loader zfs_probe_args secsz is too small, causing
                    memory corruption
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: tsoome at me.com

sys/boot/zfs/zfs.c has a probe args structure that includes a uint16_t secsz member
for the media sector size; it's used as an argument for ioctl() at line 484:

ioctl(pa.fd, DIOCGSECTORSIZE, &pa.secsz);

However, this ioctl expects 32-bit data (u_int *), and therefore it will overwrite
and corrupt 16 bits of memory.

Other uses seem to use the correct u_int type for secsz.
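An added, stand-alone C illustration of the mismatch (not code from zfs.c): a mock of the kernel side of DIOCGSECTORSIZE copies sizeof(u_int) bytes into a reduced probe-args struct, with a constructed canary member standing in for whatever follows secsz in memory, beside the struct as patched, plus the compile-time assertion that would have caught the width mismatch. mock_diocgsectorsize, the canary member and both struct names are assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>

/* Stand-in for the kernel side of ioctl(fd, DIOCGSECTORSIZE, arg): the request
 * is declared with _IOR(..., u_int), so the syscall copies sizeof(u_int) bytes
 * into the caller's buffer regardless of how the caller declared it.
 * (u_int is unsigned int; spelled out here to keep the example portable.) */
static void mock_diocgsectorsize(void *arg, unsigned int sector_size)
{
    memcpy(arg, &sector_size, sizeof sector_size);
}

/* Reduced probe args as in zfs.c before the fix. The canary is constructed
 * for this example: it stands in for whatever sits after secsz in memory. */
struct probe_args_buggy {
    int fd;
    const char *devname;
    uint64_t *pool_guid;
    uint16_t secsz;
    uint16_t canary;
};

/* The same struct with the patched member type (u_int in the diff). */
struct probe_args_fixed {
    int fd;
    const char *devname;
    uint64_t *pool_guid;
    unsigned int secsz;
};

/* Compile-time guard the original lacked: the member handed to DIOCGSECTORSIZE
 * must be exactly as wide as the type the request encodes. The same line
 * written for struct probe_args_buggy fails to compile. */
_Static_assert(sizeof(((struct probe_args_fixed *)0)->secsz) == sizeof(unsigned int),
               "secsz must be u_int to match DIOCGSECTORSIZE");

/* Returns 1 if the two bytes after secsz were clobbered by the 32-bit copy. */
int buggy_probe_clobbers_neighbor(unsigned int sector_size)
{
    struct probe_args_buggy pa = { .fd = -1, .secsz = 0, .canary = 0xBEEF };
    mock_diocgsectorsize(&pa.secsz, sector_size);   /* the call from line 484 */
    return pa.canary != 0xBEEF;
}

/* With u_int secsz the copy lands entirely inside the member. */
unsigned int fixed_probe_secsz(unsigned int sector_size)
{
    struct probe_args_fixed pa = { .fd = -1, .secsz = 0 };
    mock_diocgsectorsize(&pa.secsz, sector_size);
    return pa.secsz;
}
```

The canary result is the same on little- and big-endian hosts; only which half of the 32-bit value lands in secsz differs, which is why the bug can look harmless on x86.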

The following fix should be sufficient:
tsoome at beastie:/code/freebsd/head/sys/boot/zfs$ diff -u zfs.c.orig zfs.c
--- zfs.c.orig  N apr 16 14:49:00 2015
+++ zfs.c       L nov  7 15:13:55 2015
@@ -399,7 +399,7 @@
        int             fd;
        const char      *devname;
        uint64_t        *pool_guid;
-       uint16_t        secsz;
+       u_int           secsz;
 };

 static int
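Review bot: the change of secsz to u_int is the correct width for what DIOCGSECTORSIZE writes (the ioctl takes a u_int *, as noted above), so the 32-bit copy now lands entirely inside the member. Since the hunk only touches the struct definition, the call site at line 484 is unchanged; it is worth confirming there that the return value of ioctl() is checked, because the call shown, `ioctl(pa.fd, DIOCGSECTORSIZE, &pa.secsz);`, discards it, and on failure secsz is left holding whatever it had before. A quick grep for other readers of pa.secsz that assumed a 16-bit width (a printf format or a narrowing assignment) would round out the fix.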
