svn commit: r344305 - head/sys/geom
Eugene Grosbein
eugen at grosbein.net
Wed Feb 20 14:41:02 UTC 2019
20.02.2019 4:22, Mark Johnston wrote:
> Author: markj
> Date: Tue Feb 19 21:22:22 2019
> New Revision: 344305
> URL: https://svnweb.freebsd.org/changeset/base/344305
>
> Log:
> Impose a limit on the number of GEOM_CTL arguments.
>
> Otherwise a privileged user can trigger a memory allocation of
> unbounded size, or an integer overflow in the subsequent
> geom_alloc_copyin() call, leading to out-of-bounds accesses.
>
> Hard-code a large limit to circumvent this problem.
>
> admbug: 854
> Reported by: Anonymous of the Shellphish Grill Team
> Reviewed by: ae
> MFC after: 1 week
> Sponsored by: The FreeBSD Foundation
> Differential Revision: https://reviews.freebsd.org/D19251
>
> Modified:
> head/sys/geom/geom_ctl.c
>
> Modified: head/sys/geom/geom_ctl.c
> ==============================================================================
> --- head/sys/geom/geom_ctl.c Tue Feb 19 21:20:50 2019 (r344304)
> +++ head/sys/geom/geom_ctl.c Tue Feb 19 21:22:22 2019 (r344305)
> @@ -139,6 +139,12 @@ gctl_copyin(struct gctl_req *req)
> char *p;
> u_int i;
>
> + if (req->narg > 2048) {
> + gctl_error(req, "too many arguments");
> + req->arg = NULL;
> + return;
> + }
> +
Could you replace magic constant 2048 with #define symbol, please?
Something like GEOM_ARG_MAX in sys/sys/limits.h or similar.
More information about the svn-src-head
mailing list