Bug #6434
closed
sa_find_sizes() may compute wrong SA header size
100%
Description
Under the right conditions sa_find_sizes() will compute an incorrect
size of the system attribute (SA) header. This causes a failed assertion
when the SA_HDR_SIZE_MATCH_LAYOUT() test returns false, and may lead
to corruption of SA data.

The bug presents itself when there are more than two variable-length SAs
of just the right size to fit in the bonus buffer of a dnode. The
existing logic fails to account for the SA header space needed to store
the sizes of all the variable-length SAs.

A reproducer was possible on Linux by setting the xattr=sa dataset
property and storing xattrs on symbolic links. Note the corrupt link
target name:

    $ zfs set xattr=sa tank/fish
    $ cd /tank/fish
    $ ln -fs 12345678901234567 link
    $ setfattr -n trusted.0000000000000000000 -v 0x000000000000000000000000 -h link
    $ setfattr -n trusted.1111111111111111111 -v 0x000000000000000000000000 -h link
    $ ls -l link
    lrwxrwxrwx 1 root root 17 Dec 6 15:40 link -> 90123456701234567

The reference link below contains a reproducer for FreeBSD.
References:
http://lists.open-zfs.org/pipermail/developer/2013-November/000306.html
zfsonlinux/zfs#1890
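
A simplified model of the size check described above, added here as an illustration: it is not the illumos or ZFS on Linux code and does not reproduce the control flow of sa_find_sizes(). The 320-byte bonus buffer, the 8-byte base header holding one 16-bit length slot, the 8-byte header alignment, and all function names are assumptions of this model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed values for this model (not stated in the bug report). */
#define BONUS_LEN 320u  /* bonus buffer bytes available in a dnode */
#define HDR_BASE  8u    /* magic + layout info + first 16-bit length slot */

static size_t roundup8(size_t x)
{
    return (x + 7) & ~(size_t)7;
}

/* Header bytes needed when each of nvar variable-length SAs has a length slot. */
static size_t hdr_size(size_t nvar)
{
    size_t extra = nvar > 1 ? (nvar - 1) * sizeof(uint16_t) : 0;
    return roundup8(HDR_BASE + extra);
}

static size_t payload_size(const size_t *len, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += len[i];
    return total;
}

/* Flawed check: sizes the header as if a single length slot were enough. */
static int fits_undercounted(const size_t *var_len, size_t nvar, size_t fixed)
{
    return hdr_size(1) + fixed + payload_size(var_len, nvar) <= BONUS_LEN;
}

/* Correct check: the header carries a length slot for every variable-length SA. */
static int fits_full(const size_t *var_len, size_t nvar, size_t fixed)
{
    return hdr_size(nvar) + fixed + payload_size(var_len, nvar) <= BONUS_LEN;
}

int main(void)
{
    /* Constructed sample: 168 bytes of fixed-size SAs plus three
       variable-length SAs that land exactly on the buffer boundary. */
    size_t var_len[] = { 24, 64, 56 };
    printf("undercounted=%d full=%d hdr=%zu\n",
        fits_undercounted(var_len, 3, 168), fits_full(var_len, 3, 168),
        hdr_size(3));
    return 0;
}
```

When the two checks disagree, data laid out using the smaller header estimate overlaps the space the real header needs, which is the kind of mismatch the SA_HDR_SIZE_MATCH_LAYOUT() assertion is there to catch.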
Related issues
Updated by Electric Monk about 8 years ago
- Status changed from New to Closed
- % Done changed from 0 to 100
git commit 3502ed6e7cb3f3d2e781960ab8fe465fdc884834
commit 3502ed6e7cb3f3d2e781960ab8fe465fdc884834
Author: James Pan <jiaming.pan@yahoo.com>
Date: 2015-11-05T01:16:13.000Z

    6434 sa_find_sizes() may compute wrong SA header size
    Reviewed-by: Ned Bass <bass6@llnl.gov>
    Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
    Reviewed by: Andriy Gapon <avg@freebsd.org>
    Reviewed by: Matthew Ahrens <mahrens@delphix.com>
    Approved by: Robert Mustacchi <rm@joyent.com>
Updated by Alek Pinchuk almost 8 years ago
- Related to Bug #6529: Properly handle updates of variably-sized SA entries. added