Date: Wed, 20 Feb 2019 10:49:29 -0500
From: Mark Johnston
To: Eugene Grosbein
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r344305 - head/sys/geom
Message-ID: <20190220154929.GA6605@raichu>
In-Reply-To: <002a35c7-3dda-05e5-7768-3e1606871018@grosbein.net>

On Wed, Feb 20, 2019 at 09:40:45PM +0700, Eugene Grosbein wrote:
> 20.02.2019 4:22, Mark Johnston wrote:
>
> > Author: markj
> > Date: Tue Feb 19 21:22:22 2019
> > New Revision: 344305
> > URL: https://svnweb.freebsd.org/changeset/base/344305
> >
> > Log:
> >   Impose a limit on the number of GEOM_CTL arguments.
> >
> >   Otherwise a privileged user can trigger a memory allocation of
> >   unbounded size, or an integer overflow in the subsequent
> >   geom_alloc_copyin() call, leading to out-of-bounds accesses.
> >
> >   Hard-code a large limit to circumvent this problem.
> > > > admbug: 854 > > Reported by: Anonymous of the Shellphish Grill Team > > Reviewed by: ae > > MFC after: 1 week > > Sponsored by: The FreeBSD Foundation > > Differential Revision: https://reviews.freebsd.org/D19251 > > > > Modified: > > head/sys/geom/geom_ctl.c > > > > Modified: head/sys/geom/geom_ctl.c > > ============================================================================== > > --- head/sys/geom/geom_ctl.c Tue Feb 19 21:20:50 2019 (r344304) > > +++ head/sys/geom/geom_ctl.c Tue Feb 19 21:22:22 2019 (r344305) > > @@ -139,6 +139,12 @@ gctl_copyin(struct gctl_req *req) > > char *p; > > u_int i; > > > > + if (req->narg > 2048) { > > + gctl_error(req, "too many arguments"); > > + req->arg = NULL; > > + return; > > + } > > + > > Could you replace magic constant 2048 with #define symbol, please? > Something like GEOM_ARG_MAX in sys/sys/limits.h or similar. Sure. Here is the proposed diff: https://reviews.freebsd.org/D19271
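Review bot: In the added "if (req->narg > 2048)" check in gctl_copyin(), the bound is a bare literal with no comment saying what it protects. The log message says the limit exists to stop an unbounded allocation and an integer overflow in the subsequent geom_alloc_copyin() call, so a named constant with a one-line comment stating that relationship would let a reader confirm the value is small enough, and would keep any other check on narg in step with it. The "too many arguments" text passed to gctl_error() could also include the limit, so a caller that hits it can tell an over-long request from a malformed one.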