Date: Fri, 5 Nov 2010 22:18:09 +0000 (UTC)
From: Xin LI <delphij@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r214854 - head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs
Message-ID: <201011052218.oA5MI9MR010847@svn.freebsd.org>
Author: delphij
Date: Fri Nov 5 22:18:09 2010
New Revision: 214854
URL: http://svn.freebsd.org/changeset/base/214854

Log:
  Validate whether the zfs_cmd_t submitted from userland is not smaller than
  what we have. Without the check the kernel could access memory that does
  not belong to the request struct.

  Note that we do not test if the struct equals in size at this time, which
  may facilitate forward compatibility with newer binaries.

  Reviewed by: pjd at MeetBSD CA '2010
  MFC after: 1 week

Modified:
  head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ioctl.c

Modified: head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ioctl.c ============================================================================== --- head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ioctl.c Fri Nov 5 21:47:58 2010 (r214853) +++ head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ioctl.c Fri Nov 5 22:18:09 2010 (r214854) @@ -3627,6 +3627,14 @@ zfsdev_ioctl(struct cdev *dev, u_long cm uint_t vec; int error; + /* + * Check if we have sufficient kernel memory allocated + * for the zfs_cmd_t request. Bail out if not so we + * will not access undefined memory region. + */ + if (IOCPARM_LEN(cmd) < sizeof(zfs_cmd_t)) + return (EINVAL); + vec = ZFS_IOC(cmd); if (vec >= sizeof (zfs_ioc_vec) / sizeof (zfs_ioc_vec[0]))
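
Review bot: the code comment above `if (IOCPARM_LEN(cmd) < sizeof(zfs_cmd_t))` does not record that accepting a length larger than sizeof(zfs_cmd_t) is intentional; that reasoning appears only in the commit log, so the `<` can later be mistaken for a loose `!=` and tightened by accident. Suggest adding a sentence to the comment saying that larger requests are allowed for forward compatibility with newer binaries, and noting the assumption this rests on: a newer zfs_cmd_t may only append fields, so that the first sizeof(zfs_cmd_t) bytes keep the layout this kernel expects. The placement ahead of `vec = ZFS_IOC(cmd)` is right, since nothing in the handler should touch the request before its length is known to be sufficient.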