From owner-svn-src-head@freebsd.org  Wed Aug 24 16:30:16 2016
Return-Path: <owner-svn-src-head@freebsd.org>
Delivered-To: svn-src-head@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id F019ABC34B4;
 Wed, 24 Aug 2016 16:30:16 +0000 (UTC)
 (envelope-from tsoome@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id A880213C7;
 Wed, 24 Aug 2016 16:30:16 +0000 (UTC)
 (envelope-from tsoome@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u7OGUFBl010106;
 Wed, 24 Aug 2016 16:30:15 GMT (envelope-from tsoome@FreeBSD.org)
Received: (from tsoome@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id u7OGUFTp010105;
 Wed, 24 Aug 2016 16:30:15 GMT (envelope-from tsoome@FreeBSD.org)
Message-Id: <201608241630.u7OGUFTp010105@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: tsoome set sender to
 tsoome@FreeBSD.org using -f
From: Toomas Soome <tsoome@FreeBSD.org>
Date: Wed, 24 Aug 2016 16:30:15 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Subject: svn commit: r304753 - head/sys/cddl/boot/zfs
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
 <svn-src-head.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head/>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Aug 2016 16:30:17 -0000

Author: tsoome
Date: Wed Aug 24 16:30:15 2016
New Revision: 304753
URL: https://svnweb.freebsd.org/changeset/base/304753

Log:
  Bug 212114 - loader: zio_checksum_verify() must test spa for NULL pointer
  
  The issue was introduced with adding support for salted checksums, and
  was revealed by bhyve userboot.so.
  
  During pool discovery the loader is reading pool label from disks, and
  at that time the spa structure is not yet set up, so the NULL pointer
  is passed for spa. This condition must be checked to avoid the corruption
  of the memory and NULL pointer dereference.
  
  PR:		212114
  Reported by:	tsoome@freebsd.com
  Reviewed by:	allanjude
  Approved by:	allanjude (mentor)
  Differential Revision:	https://reviews.freebsd.org/D7634

Modified:
  head/sys/cddl/boot/zfs/zfssubr.c

Modified: head/sys/cddl/boot/zfs/zfssubr.c
==============================================================================
--- head/sys/cddl/boot/zfs/zfssubr.c	Wed Aug 24 15:36:48 2016	(r304752)
+++ head/sys/cddl/boot/zfs/zfssubr.c	Wed Aug 24 16:30:15 2016	(r304753)
@@ -270,6 +270,7 @@ zio_checksum_verify(const spa_t *spa, co
 	uint64_t size;
 	unsigned int checksum;
 	zio_checksum_info_t *ci;
+	void *ctx = NULL;
 	zio_cksum_t actual_cksum, expected_cksum, verifier;
 	int byteswap;
 
@@ -282,7 +283,11 @@ zio_checksum_verify(const spa_t *spa, co
 	if (ci->ci_func[0] == NULL || ci->ci_func[1] == NULL)
 		return (EINVAL);
 
-	zio_checksum_template_init(checksum, (spa_t *) spa);
+	if (spa != NULL) {
+		zio_checksum_template_init(checksum, (spa_t *) spa);
+		ctx = spa->spa_cksum_tmpls[checksum];
+	}
+
 	if (ci->ci_flags & ZCHECKSUM_FLAG_EMBEDDED) {
 		zio_eck_t *eck;
 
@@ -306,8 +311,7 @@ zio_checksum_verify(const spa_t *spa, co
 
 		expected_cksum = eck->zec_cksum;
 		eck->zec_cksum = verifier;
-		ci->ci_func[byteswap](data, size,
-		    spa->spa_cksum_tmpls[checksum], &actual_cksum);
+		ci->ci_func[byteswap](data, size, ctx, &actual_cksum);
 		eck->zec_cksum = expected_cksum;
 
 		if (byteswap)
@@ -315,8 +319,7 @@ zio_checksum_verify(const spa_t *spa, co
 			    sizeof (zio_cksum_t));
 	} else {
 		expected_cksum = bp->blk_cksum;
-		ci->ci_func[0](data, size, spa->spa_cksum_tmpls[checksum],
-		    &actual_cksum);
+		ci->ci_func[0](data, size, ctx, &actual_cksum);
 	}
 
 	if (!ZIO_CHECKSUM_EQUAL(actual_cksum, expected_cksum)) {