Bug #7263: deeply nested nvlist can overflow stack - illumos gate - illumos

Bug #7263

deeply nested nvlist can overflow stack

Added by Prakash Surya about 4 years ago. Updated about 4 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Prakash Surya

Category:

zfs - Zettabyte File System

Start date:

2016-08-02

Due date:

% Done:

100%

Estimated time:

Difficulty:

Medium

Tags:

needs-triage

Gerrit CR:

Description

nvlist_pack()/nvlist_unpack() are implemented recursively, which can cause the stack to overflow with a deeply nested nvlist. i.e. an nvlist which contains an nvlist which contains an nvlist which...

Unprivileged users can pass an nvlist to the kernel via certain ioctls on /dev/zfs, which the kernel will unpack without additional permission checking or validation. Therefore an unprivileged user can cause the kernel's stack to overflow and panic.

Ideally, these functions would be implemented non-recursively. As a quick fix, we will limit the depth of the recursion and return an error when attempting to pack/unpack a deeply-nested nvlist.

History

Updated by Electric Monk about 4 years ago

% Done changed from 0 to 100
Status changed from New to Closed

git commit 9ca527c3d3dfa7c8f304b34a9e03b5eddace838f

commit  9ca527c3d3dfa7c8f304b34a9e03b5eddace838f
Author: Matthew Ahrens <mahrens@delphix.com>
Date:   2016-08-03T15:47:33.000Z

    7263 deeply nested nvlist can overflow stack
    Reviewed by: Adam Leventhal <ahl@delphix.com>
    Reviewed by: George Wilson <george.wilson@delphix.com>
    Reviewed by: Robert Mustacchi <rm@joyent.com>
    Approved by: Dan McDonald <danmcd@omniti.com>

Also available in: Atom PDF

Project

General

Profile

illumos gate

Issues

Custom queries

Bug #7263

deeply nested nvlist can overflow stack

History

Updated by Electric Monk about 4 years ago