[Bug 216939] A buffer underflow in the ZFS implementation of vop_vptocnp VFS method

Thu Feb 9 13:49:12 UTC 2017

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=216939

            Bug ID: 216939
           Summary: A buffer underflow in the ZFS implementation of
                    vop_vptocnp VFS method
           Product: Base System
           Version: 10.3-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: fbsd at any.com.ru

Created attachment 179795
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=179795&action=edit
This patch adds check for remaining buffer space. ENOMEM will be returned when
buffer too small.

ZFS implementation the vop_vptocnp VFS method doesn't check for remaining
buffer space. So some memory before the begin of buffer may be overwritten.
Also negative buffer length may be returned. This affects at least
kern___getcwd function on 64-bit platforms. Buffer length in vn_fullpath1 used
by kern___getcwd have declared as unsigned int, so '/' char may be written far
beyond the end of the buffer.

-- 
You are receiving this mail because:
You are the assignee for the bug.