From owner-svn-src-all@freebsd.org Fri Oct 4 14:10:56 2019 Return-Path: Delivered-To: svn-src-all@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id E0D9B12F85F; Fri, 4 Oct 2019 14:10:56 +0000 (UTC) (envelope-from andrew@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 46lBcJ5NHTz4Q24; Fri, 4 Oct 2019 14:10:56 +0000 (UTC) (envelope-from andrew@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 9AF562558D; Fri, 4 Oct 2019 14:10:56 +0000 (UTC) (envelope-from andrew@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x94EAu62091840; Fri, 4 Oct 2019 14:10:56 GMT (envelope-from andrew@FreeBSD.org) Received: (from andrew@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x94EAuJj091839; Fri, 4 Oct 2019 14:10:56 GMT (envelope-from andrew@FreeBSD.org) Message-Id: <201910041410.x94EAuJj091839@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: andrew set sender to andrew@FreeBSD.org using -f From: Andrew Turner Date: Fri, 4 Oct 2019 14:10:56 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r353104 - releng/12.1/sys/kern X-SVN-Group: releng X-SVN-Commit-Author: andrew X-SVN-Commit-Paths: releng/12.1/sys/kern X-SVN-Commit-Revision: 353104 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 04 Oct 2019 14:10:57 -0000 Author: andrew Date: Fri Oct 4 14:10:56 2019 New Revision: 353104 URL: https://svnweb.freebsd.org/changeset/base/353104 Log: MFS r353032: Check the vfs option length is valid before accessing through When a VFS option passed to nmount is present but NULL the kernel will place an empty option in its internal list. This will have a NULL pointer and a length of 0. When we come to read one of these the kernel will try to load from the last address of virtual memory. This is normally invalid so will fault resulting in a kernel panic. Fix this by checking if the length is valid before dereferencing. Approved by: re (kib) Sponsored by: DARPA, AFRL Modified: releng/12.1/sys/kern/vfs_mount.c Directory Properties: releng/12.1/ (props changed) Modified: releng/12.1/sys/kern/vfs_mount.c ============================================================================== --- releng/12.1/sys/kern/vfs_mount.c Fri Oct 4 13:43:07 2019 (r353103) +++ releng/12.1/sys/kern/vfs_mount.c Fri Oct 4 14:10:56 2019 (r353104) @@ -603,7 +603,7 @@ vfs_donmount(struct thread *td, uint64_t fsflags, stru */ fstypelen = 0; error = vfs_getopt(optlist, "fstype", (void **)&fstype, &fstypelen); - if (error || fstype[fstypelen - 1] != '\0') { + if (error || fstypelen <= 0 || fstype[fstypelen - 1] != '\0') { error = EINVAL; if (errmsg != NULL) strncpy(errmsg, "Invalid fstype", errmsg_len); @@ -611,7 +611,7 @@ vfs_donmount(struct thread *td, uint64_t fsflags, stru } fspathlen = 0; error = vfs_getopt(optlist, "fspath", (void **)&fspath, &fspathlen); - if (error || fspath[fspathlen - 1] != '\0') { + if (error || fspathlen <= 0 || fspath[fspathlen - 1] != '\0') { error = EINVAL; if (errmsg != NULL) strncpy(errmsg, "Invalid fspath", errmsg_len);