Bug #14153

closed

libzfs: str2shift called with NULL handle can crash

Added by Toomas Soome 14 days ago. Updated 8 days ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
zfs - Zettabyte File System
Start date:
Due date:
% Done:

100%

Estimated time:
Difficulty:
Bite-size
Tags:
Gerrit CR:

Description

    > ::status
    debugging core file of zpool (64-bit) from openindiana
    file: /sbin/zpool
    initial argv: zpool trim -r 10X testpool
    threading model: native threads
    status: process terminated by SIGSEGV (Segmentation Fault), addr=43c
    > ::stack
    libc.so.1`memcpy+0x58c()
    libc.so.1`_ndoprnt+0x2d0(7fffaefb80f6, 7fffbfffa700, 7fffbfffa650, 0)
    libc.so.1`vsnprintf+0x79(43c, 400, 7fffaefb80f6, 7fffbfffa700)
    libzfs.so.1`zfs_error_aux+0xb5(0, 7fffaefb80f6)
    libzfs.so.1`str2shift+0xf3(0, 7fffbfffef50)
    libzfs.so.1`zfs_nicestrtonum+0xd1(0, 7fffbfffef4e, 7fffbfffa8e8)
    zpool_do_trim+0xf6(4, 7fffbfffeab0)
    main+0xdf(5, 7fffbfffeaa8)
    _start_crt+0x87()
    _start+0x18()
    > 7fffbfffef4e/S
    0x7fffbfffef4e: 10X
The suffix X is rejected by str2shift(), which then calls zfs_error_aux() without
checking whether hdl is NULL.

Testing done: verified that the command "zpool trim -r 10X poolname" no longer crashes and prints an error message instead:

tsoome@beastie:/code/14153$ env LD_LIBRARY_PATH=/code/14153/proto/root_i386/usr/lib/amd64  zpool trim -r 10X rpool
invalid value for rate
usage:
        trim [-d] [-r <rate>] [-c | -s] <pool> [<device> ...]
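The crash and the guard the fix calls for, as an added illustration that is not libzfs code: demo_hdl_t, demo_error_aux(), demo_str2shift() and demo_parse() are hypothetical stand-ins for libzfs_handle_t, zfs_error_aux(), str2shift() and zfs_nicestrtonum(), and demo_global_hdl is a constructed handle. With a NULL handle the bad suffix "X" now yields a clean failure instead of a fault in the error-reporting path; with a real handle the error text is recorded.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for libzfs_handle_t: only an error buffer. */
typedef struct demo_hdl { char errbuf[64]; } demo_hdl_t;
static demo_hdl_t demo_global_hdl;	/* constructed handle for callers that have one */

/* Hypothetical stand-in for zfs_error_aux(): formats into hdl->errbuf. */
static void demo_error_aux(demo_hdl_t *hdl, const char *suffix)
{
	(void) snprintf(hdl->errbuf, sizeof (hdl->errbuf),
	    "invalid numeric suffix '%s'", suffix);
}

/*
 * Map a size suffix ("", "K", "M", ..., optionally followed by "B") to a
 * power-of-two shift, or -1. The hdl != NULL guard is the fix pattern: a
 * caller holding no handle gets -1 instead of a SIGSEGV in the error path.
 */
static int demo_str2shift(demo_hdl_t *hdl, const char *buf)
{
	const char *ends = "BKMGTPEZ", *p;
	if (buf[0] == '\0')
		return (0);
	p = strchr(ends, toupper((unsigned char)buf[0]));
	if (p != NULL && (buf[1] == '\0' ||
	    (toupper((unsigned char)buf[1]) == 'B' && buf[2] == '\0')))
		return (10 * (int)(p - ends));
	if (hdl != NULL)	/* the check the crashing path lacked */
		demo_error_aux(hdl, buf);
	return (-1);
}

/* Parse "<decimal><suffix>" such as "10M"; UINT64_MAX signals an error. */
static uint64_t demo_parse(demo_hdl_t *hdl, const char *value)
{
	char *end;
	uint64_t num = strtoull(value, &end, 10);
	int shift = demo_str2shift(hdl, end);

	/* Reject no digits, a bad suffix, and shifts that would overflow. */
	if (end == value || shift < 0 || shift >= 64 ||
	    num > (UINT64_MAX >> shift))
		return (UINT64_MAX);
	return (num << shift);
}
```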


Related issues

Related to illumos gate - Bug #14154: zpool should call zfs_nicestrtonum() with non-NULL handle (Closed, Toomas Soome)

Actions #1

Updated by Electric Monk 14 days ago

  • Gerrit CR set to 1748
Actions #2

Updated by Andy Fiddaman 14 days ago

Actions #3

Updated by Yuri Pankov 14 days ago

With both openzfs and proposed fixes we are missing the error message, wonder if we can open/close temporary hdl if we were passed a NULL one.

Actions #4

Updated by Toomas Soome 14 days ago

Yuri Pankov wrote in #note-3:

With both openzfs and proposed fixes we are missing the error message, wonder if we can open/close temporary hdl if we were passed a NULL one.

That is another issue (with zpool command, not with libzfs). Worth fixing, I think, but still another issue.

Actions #5

Updated by Toomas Soome 14 days ago

  • Related to Bug #14154: zpool should call zfs_nicestrtonum() with non-NULL handle added
Actions #6

Updated by Toomas Soome 13 days ago

  • Description updated (diff)
Actions #7

Updated by Toomas Soome 12 days ago

  • Description updated (diff)
Actions #8

Updated by Electric Monk 8 days ago

  • Status changed from In Progress to Closed
  • % Done changed from 90 to 100

git commit 9e494b8a787c7b2d9fd087a2dde8811e386513d4

commit  9e494b8a787c7b2d9fd087a2dde8811e386513d4
Author: Toomas Soome <tsoome@me.com>
Date:   2021-10-15T22:15:40.000Z

    14153 libzfs: str2shift called with NULL handle can crash
    Reviewed by: Andy Fiddaman <andy@omnios.org>
    Reviewed by: Yuri Pankov <ypankov@tintri.com>
    Approved by: Robert Mustacchi <rm@fingolfin.org>
