Date: Sat, 9 May 2020 10:25:29 +0300
From: Toomas Soome <tsoome@me.com>
To: Ronald Klop <ronald-lists@klop.ws>
Cc: src-committers <src-committers@freebsd.org>, svn-src-all@freebsd.org, svn-src-head@freebsd.org, Toomas Soome <tsoome@freebsd.org>
Subject: Re: svn commit: r360836 - head/stand/libsa/zfs
Message-ID: <2125B6CE-D25F-4BC8-AB13-89C4D01C7150@me.com>
In-Reply-To: <op.0kb8afh7kndu52@sjakie>
References: <202005090625.0496PLvc091232@repo.freebsd.org> <op.0kb8afh7kndu52@sjakie>
> On 9. May 2020, at 09:57, Ronald Klop <ronald-lists@klop.ws> wrote:
>
> Hi Toomas,
>
> Could this fix this issue https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=144234 ?
>
> Regards,
> Ronald.

I doubt a bit unless you have GELI encryption or 4kn disk (which we can not boot with BIOS, only with UEFI). That issue was reported 2010 against 9.0? Is it still the case?

rgds,
toomas

> On Sat, 09 May 2020 08:25:21 +0200, Toomas Soome <tsoome@freebsd.org> wrote:
>
>> Author: tsoome
>> Date: Sat May 9 06:25:20 2020
>> New Revision: 360836
>> URL: https://svnweb.freebsd.org/changeset/base/360836
>>
>> Log:
>> loader: vdev_read() can corrupt memory
>> When reading less than sector size but from sector boundary,
>> the vdev_read() will read full sector into the provided buffer
>> and therefore corrupting memory past buffer end.
>> MFC after: 2 days
>>
>> Modified:
>> head/stand/libsa/zfs/zfs.c
>>
>> Modified: head/stand/libsa/zfs/zfs.c >> = =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D >> --- head/stand/libsa/zfs/zfs.c Sat May 9 05:04:02 2020 = (r360835) >> +++ head/stand/libsa/zfs/zfs.c Sat May 9 06:25:20 2020 = (r360836) >> @@ -418,7 +418,7 @@ vdev_read(vdev_t *vdev, void *priv, off_t offset, = void >> full_sec_size -=3D secsz; >> /* Return of partial sector data requires a bounce buffer. */ >> - if ((head > 0) || do_tail_read) { >> + if ((head > 0) || do_tail_read || bytes < secsz) { >> bouncebuf =3D malloc(secsz); >> if (bouncebuf =3D=3D NULL) { >> printf("vdev_read: out of memory\n"); 
>> @@ -442,14 +442,28 @@ vdev_read(vdev_t *vdev, void *priv, off_t = offset, void >> outbuf +=3D min(secsz - head, bytes); >> } >> - /* Full data return from read sectors */ >> + /* >> + * Full data return from read sectors. >> + * Note, there is still corner case where we read >> + * from sector boundary, but less than sector size, e.g. reading = 512B >> + * from 4k sector. >> + */ >> if (full_sec_size > 0) { >> - res =3D read(fd, outbuf, full_sec_size); >> - if (res !=3D full_sec_size) { >> - ret =3D EIO; >> - goto error; >> + if (bytes < full_sec_size) { >> + res =3D read(fd, bouncebuf, secsz); >> + if (res !=3D secsz) { >> + ret =3D EIO; >> + goto error; >> + } >> + memcpy(outbuf, bouncebuf, bytes); >> + } else { >> + res =3D read(fd, outbuf, full_sec_size); >> + if (res !=3D full_sec_size) { >> + ret =3D EIO; >> + goto error; >> + } >> + outbuf +=3D full_sec_size; >> } >> - outbuf +=3D full_sec_size; >> } >> /* Partial data return from last sector */ >> _______________________________________________ >> svn-src-all@freebsd.org mailing list >> https://lists.freebsd.org/mailman/listinfo/svn-src-all >> To unsubscribe, send any mail to = "svn-src-all-unsubscribe@freebsd.org"
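Review bot: the term added to the allocation condition in the first hunk, "bytes < secsz", is not the same test as the "bytes < full_sec_size" check in the second hunk that decides whether bouncebuf is passed to read(). Nothing in the visible lines shows that the second test can only be true when this one was, and if the two ever disagree read() is handed a NULL bouncebuf. Consider computing the short-read condition once into a flag next to do_tail_read and using that flag in both places, and extending the comment above the condition to mention the sector-aligned read that is shorter than one sector.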
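Review bot: in the new "bytes < full_sec_size" branch of the second hunk, memcpy(outbuf, bouncebuf, bytes) copies out of a buffer that the first hunk allocates with malloc(secsz), so the copy stays in bounds only while bytes is at most secsz, yet the guard compares bytes with full_sec_size rather than secsz. Testing "bytes < secsz" here, or asserting it before the memcpy, would make the bound explicit. The added comment's "there is still corner case" also reads as if the case were left unhandled; saying that the branch below handles it through the bounce buffer would be clearer, and a word on why outbuf is not advanced in this branch would help, since the else branch still does "outbuf += full_sec_size".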