Date: Sat, 09 May 2020 10:23:28 +0200
From: "Ronald Klop" <ronald-lists@klop.ws>
To: "Toomas Soome" <tsoome@me.com>
Cc: src-committers <src-committers@freebsd.org>, svn-src-all@freebsd.org, svn-src-head@freebsd.org, "Toomas Soome" <tsoome@freebsd.org>
Subject: Re: svn commit: r360836 - head/stand/libsa/zfs
Message-ID: <op.0kcb9emkkndu52@sjakie>
In-Reply-To: <2125B6CE-D25F-4BC8-AB13-89C4D01C7150@me.com>
References: <202005090625.0496PLvc091232@repo.freebsd.org> <op.0kb8afh7kndu52@sjakie> <2125B6CE-D25F-4BC8-AB13-89C4D01C7150@me.com>
On Sat, 09 May 2020 09:25:29 +0200, Toomas Soome <tsoome@me.com> wrote:

>
>
>> On 9. May 2020, at 09:57, Ronald Klop <ronald-lists@klop.ws> wrote:
>>
>> Hi Toomas,
>>
>> Could this fix this issue
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=144234 ?
>>
>> Regards,
>> Ronald.
>
>
> I doubt a bit unless you have GELI encryption or 4kn disk (which we can
> not boot with BIOS, only with UEFI). That issue was reported 2010 against
> 9.0? is it still the case?
>
> rgds,
> toomas

Clear answer. I don't use the computer I had this problem with anymore. (It is in the attic somewhere.) And the problem disappeared for me in 2017 (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=144234#c33). But the issue apparently happens for other people in 12.1 still as I read in the replies to the issue.
Because of the bogus LBA numbers I suspected some memory corruption. But never found further evidence for this.

Regards,
Ronald.

>>
>>
>> On Sat, 09 May 2020 08:25:21 +0200, Toomas Soome <tsoome@freebsd.org>
>> wrote:
>>
>>> Author: tsoome
>>> Date: Sat May 9 06:25:20 2020
>>> New Revision: 360836
>>> URL: https://svnweb.freebsd.org/changeset/base/360836
>>>
>>> Log:
>>> loader: vdev_read() can corrupt memory
>>> When reading less than sector size but from sector boundary,
>>> the vdev_read() will read full sector into the provided buffer
>>> and therefore corrupting memory past buffer end.
>>> MFC after: 2 days
>>>
>>> Modified:
>>> head/stand/libsa/zfs/zfs.c
>>>
>>> Modified: head/stand/libsa/zfs/zfs.c >>> ============================================================================== >>> --- head/stand/libsa/zfs/zfs.c Sat May 9 05:04:02 2020 (r360835) >>> +++ head/stand/libsa/zfs/zfs.c Sat May 9 06:25:20 2020 (r360836) 
>>> @@ -418,7 +418,7 @@ vdev_read(vdev_t *vdev, void *priv, off_t offset, >>> void >>> full_sec_size -= secsz; >>> /* Return of partial sector data requires a bounce buffer. */ >>> - if ((head > 0) || do_tail_read) { >>> + if ((head > 0) || do_tail_read || bytes < secsz) { >>> bouncebuf = malloc(secsz); >>> if (bouncebuf == NULL) { >>> printf("vdev_read: out of memory\n"); >>> @@ -442,14 +442,28 @@ vdev_read(vdev_t *vdev, void *priv, off_t >>> offset, void >>> outbuf += min(secsz - head, bytes); >>> } >>> - /* Full data return from read sectors */ >>> + /* >>> + * Full data return from read sectors. >>> + * Note, there is still corner case where we read >>> + * from sector boundary, but less than sector size, e.g. reading 512B >>> + * from 4k sector. >>> + */ >>> if (full_sec_size > 0) { >>> - res = read(fd, outbuf, full_sec_size); >>> - if (res != full_sec_size) { >>> - ret = EIO; >>> - goto error; >>> + if (bytes < full_sec_size) { >>> + res = read(fd, bouncebuf, secsz); >>> + if (res != secsz) { >>> + ret = EIO; >>> + goto error; >>> + } >>> + memcpy(outbuf, bouncebuf, bytes); >>> + } else { >>> + res = read(fd, outbuf, full_sec_size); >>> + if (res != full_sec_size) { >>> + ret = EIO; >>> + goto error; >>> + } >>> + outbuf += full_sec_size; >>> } >>> - outbuf += full_sec_size; >>> } >>> /* Partial data return from last sector */ >>> _______________________________________________ >>> svn-src-all@freebsd.org mailing list >>> https://lists.freebsd.org/mailman/listinfo/svn-src-all >>> To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
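Review bot: in the `@@ -418,7 +418,7 @@` hunk, the comment above the changed `if` still only says "Return of partial sector data requires a bounce buffer" and does not explain why `bytes < secsz` is needed in addition to `head > 0` and `do_tail_read`. Extending that comment to name the sector-aligned short read (the case the later hunk describes as reading 512B from a 4k sector) would tie this allocation condition to the code that consumes the buffer.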
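Review bot: in the `@@ -442,14 +442,28 @@` hunk, the new branch is selected by `bytes < full_sec_size`, while `bouncebuf` is only allocated under `(head > 0) || do_tail_read || bytes < secsz` in the earlier hunk, and the two conditions are spelled differently. The `memcpy(outbuf, bouncebuf, bytes)` stays inside the `secsz`-byte buffer only when `bytes <= secsz` and `bouncebuf` is non-NULL, so testing `bytes < secsz` here as well, or checking `bouncebuf` before the `read`, would make that dependency explicit instead of relying on how `full_sec_size` was computed. This branch also no longer advances `outbuf`; a one-line comment stating that no tail copy can follow a short aligned read would help the next reader.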