From: Konstantin Belousov Date: Thu, 28 Jun 2012 16:54:11 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org X-SVN-Group: stable-8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r237717 - stable/8/sys/ufs/ffs X-BeenThere: svn-src-stable-8@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for only the 8-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Jun 2012 16:54:11 -0000 Author: kib Date: Thu Jun 28 16:54:10 2012 New Revision: 237717 URL: http://svn.freebsd.org/changeset/base/237717 Log: MFC r237366: Fix unbounded-length malloc, controlled from usermode. The added check is performed before exact size of the buffer is calculated, but the buffer cannot have size greater then the total space allocated for extended attributes. The existing check is executing with precise size, but it is too late, since buffer needs to be allocated in advance. Also, adapt to uio_resid being of ssize_t type. Use lblktosize instead of multiplying by fs block size by hand as well. Modified: stable/8/sys/ufs/ffs/ffs_vnops.c Directory Properties: stable/8/sys/ (props changed) Modified: stable/8/sys/ufs/ffs/ffs_vnops.c ============================================================================== --- stable/8/sys/ufs/ffs/ffs_vnops.c Thu Jun 28 16:44:29 2012 (r237716) +++ stable/8/sys/ufs/ffs/ffs_vnops.c Thu Jun 28 16:54:10 2012 (r237717) @@ -1648,7 +1648,8 @@ vop_setextattr { struct inode *ip; struct fs *fs; uint32_t ealength, ul; - int ealen, olen, eapad1, eapad2, error, i, easize; + ssize_t ealen; + int olen, eapad1, eapad2, error, i, easize; u_char *eae, *p; ip = VTOI(ap->a_vp); 
@@ -1667,6 +1668,10 @@ vop_setextattr { if (ap->a_vp->v_mount->mnt_flag & MNT_RDONLY) return (EROFS); + ealen = ap->a_uio->uio_resid; + if (ealen < 0 || ealen > lblktosize(fs, NXADDR)) + return (EINVAL); + error = extattr_check_cred(ap->a_vp, ap->a_attrnamespace, ap->a_cred, ap->a_td, VWRITE); if (error) { @@ -1684,7 +1689,6 @@ vop_setextattr { if (error) return (error); - ealen = ap->a_uio->uio_resid; ealength = sizeof(uint32_t) + 3 + strlen(ap->a_name); eapad1 = 8 - (ealength % 8); if (eapad1 == 8) @@ -1712,7 +1716,7 @@ vop_setextattr { easize += (ealength - ul); } } - if (easize > NXADDR * fs->fs_bsize) { + if (easize > lblktosize(fs, NXADDR)) { free(eae, M_TEMP); ffs_close_ea(ap->a_vp, 0, ap->a_cred, ap->a_td); if (ip->i_ea_area != NULL && ip->i_ea_error == 0)
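Review bot: in the first hunk (@@ -1648) only `ealen` is widened to `ssize_t`; `easize`, which later in this patch is compared against the same `lblktosize(fs, NXADDR)` limit, stays in the `int` declaration (`int olen, eapad1, eapad2, error, i, easize;`). Integer promotion keeps that comparison correct, but a one-line comment on why `int` is sufficient for `easize` would help the next reader.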
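Review bot: the new bound in the second hunk (@@ -1667), `if (ealen < 0 || ealen > lblktosize(fs, NXADDR))`, relies on `fs` already being assigned, and the context shown ends at `ip = VTOI(ap->a_vp);` without the `fs` assignment, so confirm it precedes the `MNT_RDONLY` test. This early check is what actually closes the user-controlled unbounded allocation, because it bounds `uio_resid` before any buffer is sized; the `< 0` half only has meaning now that `ealen` is `ssize_t`, which is worth a comment next to the check.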
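Review bot: deleting `ealen = ap->a_uio->uio_resid;` in the third hunk (@@ -1684) means the length is now read before `extattr_check_cred()` and the `if (error) return (error);` block; that is behaviour-preserving only if nothing on that path consumes the uio. Nothing visible does, but since the assignment moved across a call, the log should state that.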
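Review bot: in the fourth hunk (@@ -1712), `easize > lblktosize(fs, NXADDR)` is the right replacement for the hand-rolled `NXADDR * fs->fs_bsize`, and this check must remain even with the earlier `ealen` bound: `easize` also covers the header, padding (`ealength - ul`) and the existing attributes, so the early check bounds the allocation while this one enforces the real on-disk limit. A short comment above it explaining why both checks exist would prevent someone removing it as redundant.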