From owner-svn-src-stable-7@FreeBSD.ORG Fri Nov 12 01:45:30 2010 Return-Path: Delivered-To: svn-src-stable-7@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1B1C1106566B; Fri, 12 Nov 2010 01:45:30 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id E1FA58FC12; Fri, 12 Nov 2010 01:45:29 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id oAC1jTvv091660; Fri, 12 Nov 2010 01:45:29 GMT (envelope-from delphij@svn.freebsd.org) Received: (from delphij@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id oAC1jTSp091658; Fri, 12 Nov 2010 01:45:29 GMT (envelope-from delphij@svn.freebsd.org) Message-Id: <201011120145.oAC1jTSp091658@svn.freebsd.org> From: Xin LI Date: Fri, 12 Nov 2010 01:45:29 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-7@freebsd.org X-SVN-Group: stable-7 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r215155 - in stable: 7/sys/cddl/contrib/opensolaris/uts/common/fs/zfs 8/sys/cddl/contrib/opensolaris/uts/common/fs/zfs X-BeenThere: svn-src-stable-7@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for only the 7-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Nov 2010 01:45:30 -0000 Author: delphij Date: Fri Nov 12 01:45:29 2010 New Revision: 215155 URL: http://svn.freebsd.org/changeset/base/215155 Log: MFC r214854: Validate whether the zfs_cmd_t submitted from userland is not smaller than what we have. Without the check the kernel could accessing memory that does not belong to the request struct. Note that we do not test if the struct equals in size at this time, which may faciliate forward compatibility with newer binaries. Modified: stable/7/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ioctl.c Directory Properties: stable/7/sys/ (props changed) stable/7/sys/cddl/contrib/opensolaris/ (props changed) stable/7/sys/contrib/dev/acpica/ (props changed) stable/7/sys/contrib/pf/ (props changed) Changes in other areas also in this revision: Modified: stable/8/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ioctl.c Directory Properties: stable/8/sys/ (props changed) stable/8/sys/amd64/include/xen/ (props changed) stable/8/sys/cddl/contrib/opensolaris/ (props changed) stable/8/sys/contrib/dev/acpica/ (props changed) stable/8/sys/contrib/pf/ (props changed) stable/8/sys/dev/xen/xenpci/ (props changed) Modified: stable/7/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ioctl.c ============================================================================== --- stable/7/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ioctl.c Fri Nov 12 01:40:29 2010 (r215154) +++ stable/7/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ioctl.c Fri Nov 12 01:45:29 2010 (r215155) @@ -2989,6 +2989,14 @@ zfsdev_ioctl(struct cdev *dev, u_long cm uint_t vec; int error; + /* + * Check if we have sufficient kernel memory allocated + * for the zfs_cmd_t request. Bail out if not so we + * will not access undefined memory region. + */ + if (IOCPARM_LEN(cmd) < sizeof(zfs_cmd_t)) + return (EINVAL); + vec = ZFS_IOC(cmd); if (vec >= sizeof (zfs_ioc_vec) / sizeof (zfs_ioc_vec[0]))