Bug #14153

closed

libzfs: str2shift called with NULL handle can crash

Added by Toomas Soome about 2 months ago. Updated about 2 months ago.

Status: Closed
Priority: Normal
Assignee:
Category: zfs - Zettabyte File System
Start date:
Due date:
% Done: 100%
Estimated time:
Difficulty: Bite-size
Tags:
Gerrit CR:

Description

    > ::status
    debugging core file of zpool (64-bit) from openindiana
    file: /sbin/zpool
    initial argv: zpool trim -r 10X testpool
    threading model: native threads
    status: process terminated by SIGSEGV (Segmentation Fault), addr=43c
    > ::stack
    libc.so.1`memcpy+0x58c()
    libc.so.1`_ndoprnt+0x2d0(7fffaefb80f6, 7fffbfffa700, 7fffbfffa650, 0)
    libc.so.1`vsnprintf+0x79(43c, 400, 7fffaefb80f6, 7fffbfffa700)
    libzfs.so.1`zfs_error_aux+0xb5(0, 7fffaefb80f6)
    libzfs.so.1`str2shift+0xf3(0, 7fffbfffef50)
    libzfs.so.1`zfs_nicestrtonum+0xd1(0, 7fffbfffef4e, 7fffbfffa8e8)
    zpool_do_trim+0xf6(4, 7fffbfffeab0)
    main+0xdf(5, 7fffbfffeaa8)
    _start_crt+0x87()
    _start+0x18()
    > 7fffbfffef4e/S
    0x7fffbfffef4e: 10X

X is illegal in str2shift(), and we will call zfs_error_aux() without
checking if hdl is NULL or not.

Testing done: verified command: "zpool trim -r 10X poolname" does not crash, but will print error message instead:

    tsoome@beastie:/code/14153$ env LD_LIBRARY_PATH=/code/14153/proto/root_i386/usr/lib/amd64  zpool trim -r 10X rpool
    invalid value for rate
    usage:
            trim [-d] [-r <rate>] [-c | -s] <pool> [<device> ...]
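
A minimal C model of the failure described above, added here as an illustration; it is not illumos code. The names `model_handle_t`, `model_error_aux`, `model_str2shift` and `model_parse_size`, the error text, and the choice to put the NULL guard in the error helper are assumptions; the padding is constructed so the error buffer sits at the 0x43c offset seen in the stack trace.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed handle; padding mirrors the trace: write at 0x43c, size 0x400. */
typedef struct { char pad[0x43c]; char desc[0x400]; } model_handle_t;

/* Hypothetical error helper: with no handle there is nowhere to record. */
static void model_error_aux(model_handle_t *hdl, const char *fmt, ...) {
	va_list ap;
	if (hdl == NULL)	/* the NULL check the report says is missing */
		return;
	va_start(ap, fmt);
	(void) vsnprintf(hdl->desc, sizeof (hdl->desc), fmt, ap);
	va_end(ap);
}

/* Map a size suffix ("K", "KB", ...) to a bit shift; -1 if not recognised. */
static int model_str2shift(model_handle_t *hdl, const char *buf) {
	const char *ends = "BKMGTPE", *p;
	if (buf[0] == '\0')
		return (0);
	p = strchr(ends, toupper((unsigned char)buf[0]));
	if (p == NULL || (buf[1] != '\0' &&
	    (toupper((unsigned char)buf[1]) != 'B' || buf[2] != '\0'))) {
		model_error_aux(hdl, "invalid suffix '%s'", buf);
		return (-1);
	}
	return (10 * (int)(p - ends));
}

/* Parse "<digits><suffix>": 0 and *out set on success, -1 on bad input. */
static int model_parse_size(model_handle_t *hdl, const char *s,
    unsigned long long *out) {
	char *end;
	unsigned long long v = strtoull(s, &end, 10);
	int shift = (end == s) ? -1 : model_str2shift(hdl, end);
	if (shift < 0 || (shift > 0 && (v >> (64 - shift)) != 0))
		return (-1);	/* bad suffix, no digits, or overflow */
	*out = v << shift;
	return (0);
}

int main(void) {	/* the report's input: rejected, nothing dereferenced */
	unsigned long long v = 0;
	return (model_parse_size(NULL, "10X", &v) == -1 ? 0 : 1);
}
```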


Related issues

Related to illumos gate - Bug #14154: zpool should call zfs_nicestrtonum() with non-NULL handle (Closed, Toomas Soome)
