Date: Thu, 28 Jun 2012 14:26:55 +0000 (UTC)
From: Konstantin Belousov <kib@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org
Subject: svn commit: r237713 - stable/9/sys/ufs/ffs
Message-ID: <201206281426.q5SEQtwV081212@svn.freebsd.org>
Author: kib
Date: Thu Jun 28 14:26:55 2012
New Revision: 237713
URL: http://svn.freebsd.org/changeset/base/237713

Log:
Fix unbounded-length malloc, controlled from usermode. The added check is performed before the exact size of the buffer is calculated, but the buffer cannot have a size greater than the total space allocated for extended attributes. The existing check is executed with the precise size, but it is too late, since the buffer needs to be allocated in advance. Also, adapt to uio_resid being of ssize_t type. Use lblktosize instead of multiplying by the fs block size by hand as well.

Modified:
stable/9/sys/ufs/ffs/ffs_vnops.c
Directory Properties:
stable/9/sys/ (props changed)

Modified: stable/9/sys/ufs/ffs/ffs_vnops.c
==============================================================================
--- stable/9/sys/ufs/ffs/ffs_vnops.c Thu Jun 28 14:13:45 2012 (r237712) +++ stable/9/sys/ufs/ffs/ffs_vnops.c Thu Jun 28 14:26:55 2012 (r237713) @@ -1649,7 +1649,8 @@ vop_setextattr { struct inode *ip; struct fs *fs; uint32_t ealength, ul; - int ealen, olen, eapad1, eapad2, error, i, easize; + ssize_t ealen; + int olen, eapad1, eapad2, error, i, easize; u_char *eae, *p; ip = VTOI(ap->a_vp); @@ -1668,6 +1669,10 @@ vop_setextattr { if (ap->a_vp->v_mount->mnt_flag & MNT_RDONLY) return (EROFS); + ealen = ap->a_uio->uio_resid; + if (ealen < 0 || ealen > lblktosize(fs, NXADDR)) + return (EINVAL); + error = extattr_check_cred(ap->a_vp, ap->a_attrnamespace, ap->a_cred, ap->a_td, VWRITE); if (error) { @@ -1685,7 +1690,6 @@ vop_setextattr { if (error) return (error); - ealen = ap->a_uio->uio_resid; ealength = sizeof(uint32_t) + 3 + strlen(ap->a_name); eapad1 = 8 - (ealength % 8); if (eapad1 == 8) @@ -1713,7 +1717,7 @@ vop_setextattr { easize += (ealength - ul); } } - if (easize > NXADDR * fs->fs_bsize) { + if (easize > lblktosize(fs, NXADDR)) { free(eae, M_TEMP); ffs_close_ea(ap->a_vp, 0, ap->a_cred, ap->a_td); if (ip->i_ea_area != NULL && ip->i_ea_error == 0)
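Review bot: in the @@ -1668,6 +1669,10 @@ hunk the new bound is tested before extattr_check_cred(), so a caller lacking VWRITE on the attribute namespace is told EINVAL for an oversize uio rather than getting the permission error; either move the three added lines below the credential check or say in the log that the ordering is intentional. The check also deserves a one-line comment in the code: it deliberately compares only uio_resid against lblktosize(fs, NXADDR), before the header, name, padding and pre-existing attribute area are added into easize, so it is a coarse pre-allocation guard and not a replacement for the precise check further down. Without that comment a later cleanup is likely to treat the two as redundant and drop one.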
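Review bot: in the @@ -1713,7 +1717,7 @@ hunk the precise check now uses the same lblktosize(fs, NXADDR) expression as the new early check, which keeps the two limits in step, but the two reject the same logical condition through different error paths: the early one returns EINVAL outright, while this branch frees eae and closes the EA area before returning a value that falls outside the hunk. Worth a comment here stating that this branch can only be reached once the header, padding and existing attributes push easize over the limit, since a bare oversize ealen is already turned away earlier, so callers understand why they may see two different errors for what looks like one size limit.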