From: Dag-Erling Smørgrav
Subject: git: 08e7bdaf18b9 - stable/15 - libgeom: Fix segfault in 32-on-64 case
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-BeenThere: dev-commits-src-branches@freebsd.org
Sender: owner-dev-commits-src-branches@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: des
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/15
X-Git-Reftype: branch
X-Git-Commit: 08e7bdaf18b9d452501772cf7914a252363cba61
Auto-Submitted: auto-generated
Date: Mon, 12 Jan 2026 17:18:44 +0000
Message-Id: <69652cf4.357ea.32ea88d6@gitrepo.freebsd.org>

The branch stable/15 has been updated by des:

URL: https://cgit.FreeBSD.org/src/commit/?id=08e7bdaf18b9d452501772cf7914a252363cba61

commit 08e7bdaf18b9d452501772cf7914a252363cba61
Author:     Dag-Erling Smørgrav
AuthorDate: 2026-01-03 09:09:51 +0000
Commit:     Dag-Erling Smørgrav
CommitDate: 2026-01-12 17:18:22 +0000

    libgeom: Fix segfault in 32-on-64 case

    We were using strtoul() to parse object identifiers, which are kernel
    pointers. This works fine as long as the kernel and userland match,
    but in a 32-bit libgeom on a 64-bit kernel this will return ULONG_MAX
    for all objects, resulting in memory corruption when we later pick the
    wrong object while resolving consumer-producer references.

    MFC after: 1 week
    PR: 292127
    Reviewed by: imp
    Differential Revision: https://reviews.freebsd.org/D54452

    (cherry picked from commit 27894e20f140ee2729c14b589035870c8185b87d)
---
 lib/libgeom/geom_xml2tree.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/libgeom/geom_xml2tree.c b/lib/libgeom/geom_xml2tree.c
index 2d2c43e29e77..161425d9fadf 100644
--- a/lib/libgeom/geom_xml2tree.c
+++ b/lib/libgeom/geom_xml2tree.c
@@ -76,10 +76,10 @@ StartElement(void *userData, const char *name, const char **attr) ref = NULL; for (i = 0; attr[i] != NULL; i += 2) { if (!strcmp(attr[i], "id")) { - id = (void *)strtoul(attr[i + 1], NULL, 0); + id = (void *)strtoumax(attr[i + 1], NULL, 0); mt->nident++; } else if (!strcmp(attr[i], "ref")) { - ref = (void *)strtoul(attr[i + 1], NULL, 0); + ref = (void *)strtoumax(attr[i + 1], NULL, 0); } else printf("%*.*s[%s = %s]\n", mt->level + 1, mt->level + 1, "",
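Review bot: the (void *) cast applied to the strtoumax() result on both the "id" and "ref" lines still narrows the value in the 32-on-64 case. A 32-bit userland pointer keeps only the low 32 bits of a 64-bit kernel address, so two objects whose identifiers differ only in the upper half would compare equal when consumer-producer references are resolved. Consider storing identifiers in an integer type wide enough for the kernel's pointers (uintmax_t or uint64_t) instead of void *, or at minimum cast through uintptr_t with a comment stating that the truncation is intended. Both calls also pass NULL for endptr and never inspect errno, so a malformed or out-of-range attribute is accepted silently; checking those would turn a bad identifier into a parse error rather than a wrong match.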