
Bug #3118

zfsdev_ioctl: kernel doesn't validate arguments from userspace

Added by Vitaliy Gusev about 8 years ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Start date: 2012-08-24
Due date:
% Done: 0%
Estimated time:
Difficulty: Medium
Tags: needs-triage
Gerrit CR:
Description

The kernel has to check all passed arguments against "wrong" values. But now zfsdev_ioctl trusts userspace.

----
zfsdev_ioctl() {
    ...
    if (zc->zc_nvlist_src_size != 0) {
        error = get_nvlist(zc->zc_nvlist_src, zc->zc_nvlist_src_size,
            zc->zc_iflags, &innvl);
        if (error != 0)
            goto out;
    }

So if "zc" is not initialized, it makes it possible to call
get_nvlist() with random values.

For instance, a wrong zinject hangs during

ioctl(zfs_fd, ZFS_IOC_INJECT_LIST_NEXT, &zc)

while trying to allocate a huge amount of memory.

Kernel stack:

ffffff000510d610 swtch+0x145()
ffffff000510d640 cv_wait+0x61()
ffffff000510d6b0 vmem_nextfit_alloc+0x143()
ffffff000510d700 vmem_alloc+0x19b()
ffffff000510d750 kmem_firewall_va_alloc+0x45()
ffffff000510d890 vmem_xalloc+0x5b6()
ffffff000510d8f0 vmem_alloc+0x161()
ffffff000510d980 segkmem_xalloc+0x90()
ffffff000510d9e0 segkmem_alloc_vn+0xdf()
ffffff000510da10 segkmem_alloc+0x24()
ffffff000510db50 vmem_xalloc+0x5b6()
ffffff000510dbb0 vmem_alloc+0x161()
ffffff000510dbf0 kmem_alloc+0x64()
ffffff000510dc60 get_nvlist+0x46()
ffffff000510dd00 zfsdev_ioctl+0xe7()
ffffff000510dd40 cdev_ioctl+0x45()
ffffff000510dd80 spec_ioctl+0x5a()
ffffff000510de00 fop_ioctl+0x7b()
ffffff000510df00 ioctl+0x18e()
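Added example (not code from the report or from illumos): a small userland model of the zfsdev_ioctl() path quoted above, contrasting the unchecked get_nvlist() call with a version that bounds zc_nvlist_src_size before it reaches the allocator. ZC_NVLIST_MAX_SIZE and the helper names are assumed for illustration, not illumos identifiers.

```c
/* Userland model of the get_nvlist() entry in zfsdev_ioctl() (added example).
 * The limit ZC_NVLIST_MAX_SIZE is an assumed value, not an illumos constant. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Assumed upper bound for a packed nvlist handed in from userspace. */
#define ZC_NVLIST_MAX_SIZE (16u * 1024u * 1024u)

/* Stand-in for the zfs_cmd_t fields the report mentions. */
typedef struct {
    uint64_t zc_nvlist_src;      /* user pointer to the packed nvlist */
    uint64_t zc_nvlist_src_size; /* buffer size as claimed by the caller */
} zfs_cmd_t;

/* Model of the reported behaviour: allocate whatever size the caller claims.
 * In the kernel this is the kmem_alloc() seen in the stack above. */
static int get_nvlist_unchecked(uint64_t nvl, uint64_t size, void **out)
{
    (void)nvl;
    void *buf = malloc((size_t)size);
    if (buf == NULL)
        return (ENOMEM);
    *out = buf;
    return (0);
}

/* Bounded version: reject implausible sizes before touching the allocator. */
static int get_nvlist_checked(uint64_t nvl, uint64_t size, void **out)
{
    if (size == 0 || size > ZC_NVLIST_MAX_SIZE)
        return (EINVAL);
    return (get_nvlist_unchecked(nvl, size, out));
}

/* Dispatcher stand-in: returns the errno the ioctl would report to the caller. */
static int zfsdev_ioctl_model(const zfs_cmd_t *zc, int checked)
{
    void *innvl = NULL;
    int error = 0;
    if (zc->zc_nvlist_src_size != 0) {
        error = checked
            ? get_nvlist_checked(zc->zc_nvlist_src, zc->zc_nvlist_src_size, &innvl)
            : get_nvlist_unchecked(zc->zc_nvlist_src, zc->zc_nvlist_src_size, &innvl);
    }
    free(innvl);
    return (error);
}

/* Helper: build a zfs_cmd_t carrying only the claimed size and dispatch it. */
static int try_ioctl(uint64_t claimed_size, int checked)
{
    zfs_cmd_t zc = { .zc_nvlist_src = 0, .zc_nvlist_src_size = claimed_size };
    return (zfsdev_ioctl_model(&zc, checked));
}
```

A garbage size such as UINT64_MAX (what an uninitialized zc may carry) is refused with EINVAL by the bounded path, while sane sizes behave identically in both versions.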
