deeply nested nvlist can overflow stack
nvlist_pack()/nvlist_unpack() are implemented recursively, which can cause the stack to overflow with a deeply nested nvlist, i.e. an nvlist which contains an nvlist which contains an nvlist which...
Unprivileged users can pass an nvlist to the kernel via certain ioctls on /dev/zfs, which the kernel will unpack without additional permission checking or validation. Therefore an unprivileged user can cause the kernel's stack to overflow and panic.
Ideally, these functions would be implemented non-recursively. As a quick fix, we will limit the depth of the recursion and return an error when attempting to pack/unpack a deeply-nested nvlist.
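To make the quick fix concrete, here is a small constructed model (added for illustration; not libnvpair or the code from the commit) of a recursive unpacker over a toy nested-list encoding, where each nested list costs one stack frame and the recursion depth is counted down the call chain and refused past a limit. The MAX_DEPTH value of 20 and the toy tags are assumptions for this example; the value chosen by the actual fix is not stated on this page.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
/* Toy wire format constructed for this example (not the real nvlist encoding). */
#define TAG_END    0x00  /* closes the current list */
#define TAG_NVLIST 0x01  /* a nested list follows, up to its own TAG_END */
#define TAG_INT8   0x02  /* one data byte follows */
#define MAX_DEPTH  20    /* assumed limit; the actual fix's value is not on this page */
/* Unpack one list from buf[*pos]. Every nested list costs a stack frame, so the
 * depth is carried down and refused past MAX_DEPTH. Returns 0 or EINVAL. */
static int unpack_list(const uint8_t *buf, size_t len, size_t *pos, int depth)
{
	if (depth > MAX_DEPTH)
		return (EINVAL);	/* the quick fix: refuse instead of recursing */
	while (*pos < len) {
		switch (buf[(*pos)++]) {
		case TAG_END:
			return (0);
		case TAG_INT8:
			if (*pos >= len)
				return (EINVAL);
			(*pos)++;
			break;
		case TAG_NVLIST:
			if (unpack_list(buf, len, pos, depth + 1) != 0)
				return (EINVAL);
			break;
		default:
			return (EINVAL);
		}
	}
	return (EINVAL);	/* input ended before the list was closed */
}
/* Top-level entry, like nvlist_unpack(): the outer list is depth 1. */
int toy_nvlist_unpack(const uint8_t *buf, size_t len)
{
	size_t pos = 0;
	return (unpack_list(buf, len, &pos, 1));
}
/* Build an nvlist nested n levels deep and unpack it; returns the error code. */
int toy_check_depth(int n)
{
	uint8_t buf[128];
	if (n < 1 || n > (int)sizeof (buf) / 2)
		return (ERANGE);
	memset(buf, TAG_NVLIST, n - 1);		/* open n-1 nested lists */
	memset(buf + n - 1, TAG_END, n);	/* close them and the outer list */
	return (toy_nvlist_unpack(buf, 2 * n - 1));
}
```

With the limit in place a list nested 20 levels unpacks fine and one nested 21 levels is rejected with EINVAL before the recursion gets any deeper.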
Updated by Electric Monk about 3 years ago
- % Done changed from 0 to 100
- Status changed from New to Closed
commit 9ca527c3d3dfa7c8f304b34a9e03b5eddace838f
Author: Matthew Ahrens <email@example.com>
Date: 2016-08-03T15:47:33.000Z

7263 deeply nested nvlist can overflow stack
Reviewed by: Adam Leventhal <firstname.lastname@example.org>
Reviewed by: George Wilson <email@example.com>
Reviewed by: Robert Mustacchi <firstname.lastname@example.org>
Approved by: Dan McDonald <email@example.com>