Date: Wed, 20 Feb 2019 21:40:45 +0700 From: Eugene Grosbein <eugen@grosbein.net> To: Mark Johnston <markj@FreeBSD.org>, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: Re: svn commit: r344305 - head/sys/geom Message-ID: <002a35c7-3dda-05e5-7768-3e1606871018@grosbein.net> In-Reply-To: <201902192122.x1JLMMPM012400@repo.freebsd.org> References: <201902192122.x1JLMMPM012400@repo.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
20.02.2019 4:22, Mark Johnston wrote: > Author: markj > Date: Tue Feb 19 21:22:22 2019 > New Revision: 344305 > URL: https://svnweb.freebsd.org/changeset/base/344305 > > Log: > Impose a limit on the number of GEOM_CTL arguments. > > Otherwise a privileged user can trigger a memory allocation of > unbounded size, or an integer overflow in the subsequent > geom_alloc_copyin() call, leading to out-of-bounds accesses. > > Hard-code a large limit to circumvent this problem. > > admbug: 854 > Reported by: Anonymous of the Shellphish Grill Team > Reviewed by: ae > MFC after: 1 week > Sponsored by: The FreeBSD Foundation > Differential Revision: https://reviews.freebsd.org/D19251 > > Modified: > head/sys/geom/geom_ctl.c > > Modified: head/sys/geom/geom_ctl.c > ============================================================================== > --- head/sys/geom/geom_ctl.c Tue Feb 19 21:20:50 2019 (r344304) > +++ head/sys/geom/geom_ctl.c Tue Feb 19 21:22:22 2019 (r344305) > @@ -139,6 +139,12 @@ gctl_copyin(struct gctl_req *req) > char *p; > u_int i; > > + if (req->narg > 2048) { > + gctl_error(req, "too many arguments"); > + req->arg = NULL; > + return; > + } > + Could you replace magic constant 2048 with #define symbol, please? Something like GEOM_ARG_MAX in sys/sys/limits.h or similar.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?002a35c7-3dda-05e5-7768-3e1606871018>