From owner-svn-src-head@freebsd.org Thu Sep 3 17:46:25 2015 Return-Path: Delivered-To: svn-src-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 1A7B99C95F0; Thu, 3 Sep 2015 17:46:25 +0000 (UTC) (envelope-from avg@FreeBSD.org) Received: from citadel.icyb.net.ua (citadel.icyb.net.ua [212.40.38.140]) by mx1.freebsd.org (Postfix) with ESMTP id B72B5914; Thu, 3 Sep 2015 17:46:22 +0000 (UTC) (envelope-from avg@FreeBSD.org) Received: from porto.starpoint.kiev.ua (porto-e.starpoint.kiev.ua [212.40.38.100]) by citadel.icyb.net.ua (8.8.8p3/ICyb-2.3exp) with ESMTP id UAA02750; Thu, 03 Sep 2015 20:46:20 +0300 (EEST) (envelope-from avg@FreeBSD.org) Received: from localhost ([127.0.0.1]) by porto.starpoint.kiev.ua with esmtp (Exim 4.34 (FreeBSD)) id 1ZXYaa-0008UB-6L; Thu, 03 Sep 2015 20:46:20 +0300 Subject: Re: svn commit: r287283 - head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs To: Xin LI , src-committers@FreeBSD.org, svn-src-all@FreeBSD.org, svn-src-head@FreeBSD.org References: <201508290922.t7T9MXhF007620@repo.freebsd.org> From: Andriy Gapon X-Enigmail-Draft-Status: N1110 Message-ID: <55E88733.5010403@FreeBSD.org> Date: Thu, 3 Sep 2015 20:45:23 +0300 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0 MIME-Version: 1.0 In-Reply-To: <201508290922.t7T9MXhF007620@repo.freebsd.org> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Sep 2015 17:46:25 -0000 On 29/08/2015 12:22, Xin LI wrote: > Author: delphij > Date: Sat Aug 29 09:22:32 2015 > New Revision: 287283 > URL: https://svnweb.freebsd.org/changeset/base/287283 > > Log: > Fix a buffer overrun which may lead to data corruption, introduced in > r286951 by reinstating changes in r274628. > > In l2arc_compress_buf(), we allocate a buffer to stash away the compressed > data in 'cdata', allocated of l2hdr->b_asize bytes. > > We then ask zio_compress_data() to compress the buffer, b_l1hdr.b_tmp_cdata, > which is of l2hdr->b_asize bytes, and have the compressed size (or original > size, if compress didn't gain enough) stored in csize. > > To pad the buffer to fit the optimal write size, we round up the compressed > size to L2 device's vdev_ashift. > > Illumos code rounds up the size by at most SPA_MINBLOCKSIZE. Because we > know csize <= b_asize, and b_asize is integer multiple of SPA_MINBLOCKSIZE, > we are guaranteed that the rounded up csize would be <= b_asize. However, > this is not necessarily true when we round up to 1 << vdev_ashift, because > it could be larger than SPA_MINBLOCKSIZE. > > So, in the worst case scenario, we are overwriting at most > > (1 << vdev_ashift - SPA_MINBLOCKSIZE) > > bytes of memory next to the compressed data buffer. > > Andriy's original change in r274628 reorganized the code a little bit, > by moving the padding to after we determined that the compression was > beneficial. At which point, we would check rounded size against the > allocated buffer size, and the buffer overrun would not be possible. Thank you very much for this fix! I completely forgot why I had that code moved (and it was exactly to avoid the buffer overrun) and so I thought that it was a non-essential difference from upstream. -- Andriy Gapon