Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 4 Oct 2019 17:27:50 +0000 (UTC)
From:      Ed Maste <emaste@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   svn commit: r353109 - stable/11/sys/kern
Message-ID:  <201910041727.x94HRod9008431@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
Author: emaste
Date: Fri Oct  4 17:27:49 2019
New Revision: 353109
URL: https://svnweb.freebsd.org/changeset/base/353109

Log:
  MFC r352796: Check the vfs option length is valid before accessing through
  
  When a VFS option passed to nmount is present but NULL the kernel will
  place an empty option in its internal list. This will have a NULL
  pointer and a length of 0. When we come to read one of these the kernel
  will try to load from the last address of virtual memory. This is
  normally invalid so will fault resulting in a kernel panic.
  
  Fix this by checking if the length is valid before dereferencing.

Modified:
  stable/11/sys/kern/vfs_mount.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/kern/vfs_mount.c
==============================================================================
--- stable/11/sys/kern/vfs_mount.c	Fri Oct  4 16:36:09 2019	(r353108)
+++ stable/11/sys/kern/vfs_mount.c	Fri Oct  4 17:27:49 2019	(r353109)
@@ -591,7 +591,7 @@ vfs_donmount(struct thread *td, uint64_t fsflags, stru
 	 */
 	fstypelen = 0;
 	error = vfs_getopt(optlist, "fstype", (void **)&fstype, &fstypelen);
-	if (error || fstype[fstypelen - 1] != '\0') {
+	if (error || fstypelen <= 0 || fstype[fstypelen - 1] != '\0') {
 		error = EINVAL;
 		if (errmsg != NULL)
 			strncpy(errmsg, "Invalid fstype", errmsg_len);
@@ -599,7 +599,7 @@ vfs_donmount(struct thread *td, uint64_t fsflags, stru
 	}
 	fspathlen = 0;
 	error = vfs_getopt(optlist, "fspath", (void **)&fspath, &fspathlen);
-	if (error || fspath[fspathlen - 1] != '\0') {
+	if (error || fspathlen <= 0 || fspath[fspathlen - 1] != '\0') {
 		error = EINVAL;
 		if (errmsg != NULL)
 			strncpy(errmsg, "Invalid fspath", errmsg_len);

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201910041727.x94HRod9008431>