Date: Sat, 07 Nov 2015 13:20:41 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 204358] zfs loader zfs_probe_args secsz is too small, causing memory corruption
Message-ID: <bug-204358-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204358

Bug ID: 204358
Summary: zfs loader zfs_probe_args secsz is too small, causing memory corruption
Product: Base System
Version: 11.0-CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: freebsd-bugs@FreeBSD.org
Reporter: tsoome@me.com

sys/boot/zfs/zfs.c has a probe args structure including a uint16_t secsz variable for the media sector size; it's used as an argument for ioctl() at line 484:

ioctl(pa.fd, DIOCGSECTORSIZE, &pa.secsz);

However, this ioctl is expecting 32-bit data (u_int *) and therefore this ioctl will overwrite and corrupt 16 bits of memory. Other use cases seem to use the correct u_int type for secsz. For a fix, the following should be sufficient.

tsoome@beastie:/code/freebsd/head/sys/boot/zfs$ diff -u zfs.c.orig zfs.c
--- zfs.c.orig	N apr 16 14:49:00 2015
+++ zfs.c	L nov  7 15:13:55 2015
@@ -399,7 +399,7 @@
 	int fd;
 	const char *devname;
 	uint64_t *pool_guid;
-	uint16_t secsz;
+	u_int secsz;
 };
 
 static int

-- 
You are receiving this mail because:
You are the assignee for the bug.
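Review bot: the u_int member in this hunk now matches what the DIOCGSECTORSIZE ioctl copies out, so the 4-byte write through &pa.secsz at the ioctl(pa.fd, DIOCGSECTORSIZE, &pa.secsz) call stays inside the field; while here, check that every other reader of zfs_probe_args.secsz (any printf format, comparison or assignment written against a 16-bit field) still agrees with the new width, since the hunk only widens the declaration.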
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-204358-8>
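The overrun the report describes can be reproduced without the loader. The following is an added example, not code from the FreeBSD loader or from the reporter: a constructed stand-in for the kernel side of DIOCGSECTORSIZE copies out a 4-byte u_int, exactly as the real ioctl does, into a struct with a 16-bit secsz (the pre-fix shape) and into one with a u_int secsz (the fixed shape). The struct layouts, the canary field placed right after secsz so the clobbered bytes are visible, the fake ioctl and the 4096-byte sector size are all assumptions made for the demonstration; in the real zfs_probe_args the extra two bytes land in tail padding, which is why the bug is silent on little-endian machines until something else lives there.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* FreeBSD's u_int is a typedef for unsigned int; spelled out here so the
 * example also builds on non-BSD toolchains. */
#define FAKE_SECTOR_SIZE 4096u
#define CANARY 0xBEEFu

/* Constructed stand-in for the kernel side of DIOCGSECTORSIZE: the real
 * ioctl copies a u_int (4 bytes) out to the caller's pointer, regardless
 * of what the caller actually allocated there. */
static void fake_diocgsectorsize(void *arg)
{
    unsigned int secsz = FAKE_SECTOR_SIZE;
    memcpy(arg, &secsz, sizeof secsz);
}

/* Constructed layout mirroring the pre-fix struct: a 16-bit secsz, with a
 * canary field placed directly after it so the overrun is observable. */
struct probe_args_bug {
    int fd;
    uint16_t secsz;
    uint16_t canary;
};

/* Same layout with the fix applied: secsz is as wide as the ioctl result. */
struct probe_args_fixed {
    int fd;
    unsigned int secsz;
    uint16_t canary;
};

/* Compile-time guard a maintainer could keep next to the ioctl call so the
 * field can never shrink below the ioctl's result type again. */
_Static_assert(sizeof(((struct probe_args_fixed *)0)->secsz) == sizeof(unsigned int),
               "secsz must be exactly as wide as the DIOCGSECTORSIZE result");

/* Runs the probe against the 16-bit field. Returns 1 if the canary
 * survived, 0 if the ioctl's 4-byte write clobbered it. */
int probe_with_uint16(unsigned int *secsz_out)
{
    struct probe_args_bug pa = { .fd = -1, .secsz = 0, .canary = CANARY };
    unsigned char *base = (unsigned char *)&pa;

    fake_diocgsectorsize(base + offsetof(struct probe_args_bug, secsz));
    *secsz_out = pa.secsz;
    return pa.canary == CANARY;
}

/* Same probe against the fixed struct; the write now fits the field. */
int probe_with_uint(unsigned int *secsz_out)
{
    struct probe_args_fixed pa = { .fd = -1, .secsz = 0, .canary = CANARY };
    unsigned char *base = (unsigned char *)&pa;

    fake_diocgsectorsize(base + offsetof(struct probe_args_fixed, secsz));
    *secsz_out = pa.secsz;
    return pa.canary == CANARY;
}

int main(void)
{
    unsigned int secsz;
    int ok;

    ok = probe_with_uint16(&secsz);
    printf("uint16_t secsz: value=%u, canary %s\n", secsz, ok ? "intact" : "CLOBBERED");
    ok = probe_with_uint(&secsz);
    printf("u_int    secsz: value=%u, canary %s\n", secsz, ok ? "intact" : "CLOBBERED");
    return 0;
}
```

On a little-endian machine the buggy probe still reads back 4096 in secsz, because the low half of the u_int happens to be the whole value for any sector size below 65536; the damage is entirely in the two bytes past the field, which is what makes this class of size mismatch easy to miss in testing and worth catching with a static assertion rather than at runtime.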
