Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 3 Oct 2019 07:17:26 +0000 (UTC)
From:      Andrew Turner <andrew@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org
Subject:   svn commit: r353032 - stable/12/sys/kern
Message-ID:  <201910030717.x937HQXe086112@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
Author: andrew
Date: Thu Oct  3 07:17:26 2019
New Revision: 353032
URL: https://svnweb.freebsd.org/changeset/base/353032

Log:
  MFC r352796:
  
  Check the vfs option length is valid before accessing through
  
  When a VFS option passed to nmount is present but NULL the kernel will
  place an empty option in its internal list. This will have a NULL
  pointer and a length of 0. When we come to read one of these the kernel
  will try to load from the last address of virtual memory. This is
  normally invalid so will fault resulting in a kernel panic.
  
  Fix this by checking if the length is valid before dereferencing.
  
  Sponsored by:	DARPA, AFRL

Modified:
  stable/12/sys/kern/vfs_mount.c
Directory Properties:
  stable/12/   (props changed)

Modified: stable/12/sys/kern/vfs_mount.c
==============================================================================
--- stable/12/sys/kern/vfs_mount.c	Thu Oct  3 06:08:04 2019	(r353031)
+++ stable/12/sys/kern/vfs_mount.c	Thu Oct  3 07:17:26 2019	(r353032)
@@ -603,7 +603,7 @@ vfs_donmount(struct thread *td, uint64_t fsflags, stru
 	 */
 	fstypelen = 0;
 	error = vfs_getopt(optlist, "fstype", (void **)&fstype, &fstypelen);
-	if (error || fstype[fstypelen - 1] != '\0') {
+	if (error || fstypelen <= 0 || fstype[fstypelen - 1] != '\0') {
 		error = EINVAL;
 		if (errmsg != NULL)
 			strncpy(errmsg, "Invalid fstype", errmsg_len);
@@ -611,7 +611,7 @@ vfs_donmount(struct thread *td, uint64_t fsflags, stru
 	}
 	fspathlen = 0;
 	error = vfs_getopt(optlist, "fspath", (void **)&fspath, &fspathlen);
-	if (error || fspath[fspathlen - 1] != '\0') {
+	if (error || fspathlen <= 0 || fspath[fspathlen - 1] != '\0') {
 		error = EINVAL;
 		if (errmsg != NULL)
 			strncpy(errmsg, "Invalid fspath", errmsg_len);

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201910030717.x937HQXe086112>