Subject: Re: svn commit: r360836 - head/stand/libsa/zfs
From: Toomas Soome
Date: Sat, 9 May 2020 10:25:29 +0300
To: Ronald Klop
Cc: src-committers, svn-src-all@freebsd.org, svn-src-head@freebsd.org, Toomas Soome
List-Id: SVN commit messages for the src tree for head/-current

> On 9. May 2020, at 09:57, Ronald Klop wrote:
>
> Hi Toomas,
>
> Could this fix this issue https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=144234 ?
>
> Regards,
> Ronald.

I doubt a bit unless you have GELI encryption or 4kn disk (which we cannot boot with BIOS, only with UEFI). That issue was reported 2010 against 9.0? Is it still the case?

rgds,
toomas

> On Sat, 09 May 2020 08:25:21 +0200, Toomas Soome wrote:
>
>> Author: tsoome
>> Date: Sat May 9 06:25:20 2020
>> New Revision: 360836
>> URL: https://svnweb.freebsd.org/changeset/base/360836
>>
>> Log:
>> loader: vdev_read() can corrupt memory
>> When reading less than sector size but from sector boundary,
>> the vdev_read() will read full sector into the provided buffer
>> and therefore corrupting memory past buffer end.
>> MFC after: 2 days
>>
>> Modified:
>> head/stand/libsa/zfs/zfs.c
>>
>> Modified: head/stand/libsa/zfs/zfs.c >> = =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D >> --- head/stand/libsa/zfs/zfs.c Sat May 9 05:04:02 2020 = (r360835) >> +++ head/stand/libsa/zfs/zfs.c Sat May 9 06:25:20 2020 = (r360836) >> @@ -418,7 +418,7 @@ vdev_read(vdev_t *vdev, void *priv, off_t offset, = void >> full_sec_size -=3D secsz; >> /* Return of partial sector data requires a bounce buffer. */ >> - if ((head > 0) || do_tail_read) { >> + if ((head > 0) || do_tail_read || bytes < secsz) { >> bouncebuf =3D malloc(secsz); >> if (bouncebuf =3D=3D NULL) { >> printf("vdev_read: out of memory\n"); 
>> @@ -442,14 +442,28 @@ vdev_read(vdev_t *vdev, void *priv, off_t = offset, void >> outbuf +=3D min(secsz - head, bytes); >> } >> - /* Full data return from read sectors */ >> + /* >> + * Full data return from read sectors. >> + * Note, there is still corner case where we read >> + * from sector boundary, but less than sector size, e.g. reading = 512B >> + * from 4k sector. >> + */ >> if (full_sec_size > 0) { >> - res =3D read(fd, outbuf, full_sec_size); >> - if (res !=3D full_sec_size) { >> - ret =3D EIO; >> - goto error; >> + if (bytes < full_sec_size) { >> + res =3D read(fd, bouncebuf, secsz); >> + if (res !=3D secsz) { >> + ret =3D EIO; >> + goto error; >> + } >> + memcpy(outbuf, bouncebuf, bytes); >> + } else { >> + res =3D read(fd, outbuf, full_sec_size); >> + if (res !=3D full_sec_size) { >> + ret =3D EIO; >> + goto error; >> + } >> + outbuf +=3D full_sec_size; >> } >> - outbuf +=3D full_sec_size; >> } >> /* Partial data return from last sector */
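
Review bot: In the @@ -418 hunk, the comment above the changed condition still reads as if only head and tail copies need the bounce buffer, while the new `bytes < secsz` term is the one case where neither applies (aligned start, request shorter than one sector). Extend that comment to name the short aligned read, and parenthesize the new term to match `(head > 0)`. The allocation stays `malloc(secsz)`, which is the size the second hunk's `read(fd, bouncebuf, secsz)` needs.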
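
Review bot: In the @@ -442 hunk, the new branch is guarded by `bytes < full_sec_size` but reads exactly `secsz` into `bouncebuf`, which the first hunk allocates only under `(head > 0) || do_tail_read || bytes < secsz`. The two tests agree only if `full_sec_size` equals `secsz` whenever this branch is taken; testing `bytes < secsz` here as well, or stating that invariant in the new comment, would make it clear that `bouncebuf` is never used unallocated. The branch also leaves `outbuf` where it was while the else branch advances it, so add `outbuf += bytes` after the `memcpy` if the tail copy that follows can still run on this path.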