Project

General

Profile

Actions
Copy link

Bug #7263

closed

deeply nested nvlist can overflow stack

Added by Prakash Surya almost 6 years ago. Updated almost 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Prakash Surya
Category:
zfs - Zettabyte File System
Start date:
2016-08-02
Due date:
% Done:

100%

Estimated time:
Difficulty:
Medium
Tags:
needs-triage
Gerrit CR:

Description

nvlist_pack()/nvlist_unpack() are implemented recursively, which can cause the stack to overflow with a deeply nested nvlist. i.e. an nvlist which contains an nvlist which contains an nvlist which...

Unprivileged users can pass an nvlist to the kernel via certain ioctls on /dev/zfs, which the kernel will unpack without additional permission checking or validation. Therefore an unprivileged user can cause the kernel's stack to overflow and panic.

Ideally, these functions would be implemented non-recursively. As a quick fix, we will limit the depth of the recursion and return an error when attempting to pack/unpack a deeply-nested nvlist.

Actions
Copy link
 #1

Updated by Electric Monk almost 6 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

git commit 9ca527c3d3dfa7c8f304b34a9e03b5eddace838f

commit  9ca527c3d3dfa7c8f304b34a9e03b5eddace838f
Author: Matthew Ahrens <mahrens@delphix.com>
Date:   2016-08-03T15:47:33.000Z

    7263 deeply nested nvlist can overflow stack
    Reviewed by: Adam Leventhal <ahl@delphix.com>
    Reviewed by: George Wilson <george.wilson@delphix.com>
    Reviewed by: Robert Mustacchi <rm@joyent.com>
    Approved by: Dan McDonald <danmcd@omniti.com>

Actions
Copy link

Also available in: Atom PDF