Date:      Wed, 23 Dec 2020 16:17:44 GMT
From:      Mark Johnston <markj@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: ace3d9475cee - ffs: Avoid out-of-bounds accesses in the fs_active bitmap
Message-ID:  <202012231617.0BNGHiuJ055163@gitrepo.freebsd.org>

The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=ace3d9475ceecd9bcb766bb82a1c8f87e8f560be

commit ace3d9475ceecd9bcb766bb82a1c8f87e8f560be
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2020-12-23 16:13:00 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2020-12-23 16:16:40 +0000

    ffs: Avoid out-of-bounds accesses in the fs_active bitmap
    
    We use a bitmap to track which cylinder groups have changed between
    snapshot creation and filesystem suspension.  The "legs" of the bitmap
    are four bytes wide (see ACTIVESET()) so we must round up the allocation
    size to a multiple of four bytes.
    
    I believe this bug is harmless since UMA/kmem_* will both pad the
    allocation and zero the full allocation.  Note that malloc() does inline
    zeroing when the allocation size is known at compile-time.
    
    Reported by:    pho (using KASAN)
    Reviewed by:    kib, mckusick
    MFC after:      1 week
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D27731
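The following is an added illustration, not code from the commit or from FreeBSD's ffs: it models the size mismatch the commit message describes, with an int-wide accessor standing in for ACTIVESET() (the real macro is not reproduced here, and its exact form is assumed only to be "legs are sizeof(int) bytes wide"). It computes the byte length the old line allocated, the length the fixed line allocates, and the bytes an int-wide leg access actually touches, and flags the cylinder-group counts where the old allocation is too short. The checked setter returns -1 where the real bitmap would write past its allocation, which is what KASAN caught.

```c
#include <stdio.h>
#include <stdlib.h>

/* Same helpers the patch uses, as defined in sys/param.h. */
#define NBBY 8
#define howmany(x, y) (((x) + ((y) - 1)) / (y))
#define roundup2(x, y) (((x) + ((y) - 1)) & ~((y) - 1))

/* Assumption: the bitmap is accessed one unsigned int "leg" at a time. */
#define LEGBITS (sizeof(unsigned int) * NBBY)

/* Byte length the old line computed: just enough bytes to hold ncg bits. */
size_t active_len_old(unsigned ncg)
{
	return howmany(ncg, NBBY);
}

/* Byte length the fixed line computes: rounded up to whole int legs. */
size_t active_len_new(unsigned ncg)
{
	return roundup2(howmany(ncg, NBBY), sizeof(unsigned int));
}

/* Bytes an int-wide accessor really touches when it reads the last leg. */
size_t active_bytes_touched(unsigned ncg)
{
	return howmany(ncg, LEGBITS) * sizeof(unsigned int);
}

/* 1 if accessing the last leg reads past an allocation of len bytes. */
int leg_access_overflows(unsigned ncg, size_t len)
{
	return active_bytes_touched(ncg) > len;
}

/*
 * Hypothetical bounds-checked stand-in for an ACTIVESET()-style setter.
 * Returns 0 after setting bit cg, or -1 if the int-wide leg holding that
 * bit lies partly or wholly outside the len-byte buffer.  buf must be
 * suitably aligned for unsigned int (malloc() memory is).
 */
int set_active_checked(unsigned char *buf, size_t len, unsigned cg)
{
	size_t leg = cg / LEGBITS;
	unsigned int *legs;

	if ((leg + 1) * sizeof(unsigned int) > len)
		return -1;
	legs = (unsigned int *)buf;
	legs[leg] |= 1u << (cg % LEGBITS);
	return 0;
}

int main(void)
{
	/* Constructed sample cylinder-group counts, including exact multiples of 32. */
	unsigned samples[] = { 1, 8, 9, 24, 25, 32, 33, 64, 100 };
	size_t i;

	printf("%5s %8s %8s %8s %s\n", "ncg", "old_len", "new_len", "touched", "old_overflows");
	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		unsigned ncg = samples[i];
		printf("%5u %8zu %8zu %8zu %s\n", ncg, active_len_old(ncg),
		    active_len_new(ncg), active_bytes_touched(ncg),
		    leg_access_overflows(ncg, active_len_old(ncg)) ? "yes" : "no");
	}
	return 0;
}
```

Only counts whose byte-rounded length is already a multiple of sizeof(int) (for example 32 or 64 groups) are safe with the old computation; everything else leaves the last leg partly outside the allocation, which the kernel allocator's padding happened to hide.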
---
 sys/ufs/ffs/ffs_snapshot.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/ufs/ffs/ffs_snapshot.c b/sys/ufs/ffs/ffs_snapshot.c
index f224e828062b..201dbf6000de 100644
--- a/sys/ufs/ffs/ffs_snapshot.c
+++ b/sys/ufs/ffs/ffs_snapshot.c
@@ -385,8 +385,8 @@ restart:
 	 * touch up the few cylinder groups that changed during
 	 * the suspension period.
 	 */
-	len = howmany(fs->fs_ncg, NBBY);
-	space = malloc(len, M_DEVBUF, M_WAITOK|M_ZERO);
+	len = roundup2(howmany(fs->fs_ncg, NBBY), sizeof(int));
+	space = malloc(len, M_DEVBUF, M_WAITOK | M_ZERO);
 	UFS_LOCK(ump);
 	fs->fs_active = space;
 	UFS_UNLOCK(ump);
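Review bot: the new `len = roundup2(howmany(fs->fs_ncg, NBBY), sizeof(int));` hardcodes the leg width as sizeof(int) while the commit message ties it to ACTIVESET(); nothing in this hunk couples the two, so a later change to the accessor's leg type would silently reintroduce the out-of-bounds access. Consider deriving the rounding from the same definition the accessor uses, or at least adding a comment on this line pointing at ACTIVESET() so the allocation size and the accessor stay in sync. Also worth confirming that every other place that sizes or clears fs_active uses the same rounded length rather than the bare howmany() value, since only the allocation site is visible here.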
