Bug #7263

deeply nested nvlist can overflow stack

Added by Prakash Surya about 3 years ago. Updated about 3 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: zfs - Zettabyte File System
Start date: 2016-08-02
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags: needs-triage

Description

nvlist_pack()/nvlist_unpack() are implemented recursively, which can cause the stack to overflow with a deeply nested nvlist. i.e. an nvlist which contains an nvlist which contains an nvlist which...

Unprivileged users can pass an nvlist to the kernel via certain ioctls on /dev/zfs, which the kernel will unpack without additional permission checking or validation. Therefore an unprivileged user can cause the kernel's stack to overflow and panic.

Ideally, these functions would be implemented non-recursively. As a quick fix, we will limit the depth of the recursion and return an error when attempting to pack/unpack a deeply-nested nvlist.
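To make the quick fix concrete, here is an added example in C that is not illumos or libnvpair code: a toy nested container and a constructed '(' / ')' wire format stand in for an nvlist that contains nvlists, the cap NEST_MAX_DEPTH is a constructed value (the page does not state the limit the fix chose), and pack_depth, unpack_depth, unpack_bounded, pack_chain and unpack_chain are assumed names. It shows the pattern the description calls for: thread a depth counter through the recursion and fail with an error before descending past the cap, so the stack consumed by a pack or an unpack is bounded by the cap rather than by whatever the caller handed in.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed cap; the value the illumos fix chose is not stated on this page. */
#define NEST_MAX_DEPTH 32

/* Toy nested container standing in for an nvlist holding nvlists (not libnvpair's layout). */
typedef struct node {
	struct node *children;	/* array of nested lists */
	size_t nchildren;
} node_t;

/*
 * Recursive "pack": the depth is threaded through the recursion and the walk
 * refuses with E2BIG before descending past the cap, so stack use stays
 * bounded however deep the caller's structure is. Returns 0 or an errno.
 */
static int
pack_depth(const node_t *n, int depth, size_t *out_bytes)
{
	if (depth > NEST_MAX_DEPTH)
		return (E2BIG);
	*out_bytes += 2;	/* constructed: open + close marker per list */
	for (size_t i = 0; i < n->nchildren; i++) {
		int err = pack_depth(&n->children[i], depth + 1, out_bytes);
		if (err != 0)
			return (err);
	}
	return (0);
}

/*
 * Recursive "unpack" of constructed wire bytes: '(' opens a nested list, ')'
 * closes it. The same depth check guards the descent over untrusted input.
 * Returns 0, E2BIG (too deep) or EINVAL (malformed); *lists counts lists decoded.
 */
static int
unpack_depth(const char *buf, size_t len, size_t *pos, int depth, int *lists)
{
	if (depth > NEST_MAX_DEPTH)
		return (E2BIG);
	if (*pos >= len || buf[*pos] != '(')
		return (EINVAL);
	(*pos)++;
	(*lists)++;
	while (*pos < len && buf[*pos] == '(') {
		int err = unpack_depth(buf, len, pos, depth + 1, lists);
		if (err != 0)
			return (err);
	}
	if (*pos >= len || buf[*pos] != ')')
		return (EINVAL);
	(*pos)++;
	return (0);
}

/* Unpack a whole buffer: number of lists decoded, or -E2BIG / -EINVAL. */
int
unpack_bounded(const char *buf, size_t len)
{
	size_t pos = 0;
	int lists = 0;
	int err = unpack_depth(buf, len, &pos, 0, &lists);
	if (err == 0 && pos != len)
		err = EINVAL;	/* bytes left over after the outer list */
	return (err == 0 ? lists : -err);
}

/* Pack a chain of `levels` (>= 1) lists nested one inside the next: packed size, or -errno. */
int
pack_chain(int levels)
{
	node_t *nodes = calloc((size_t)levels, sizeof (node_t));
	size_t bytes = 0;
	int err = ENOMEM;
	if (nodes != NULL) {
		for (int i = 0; i + 1 < levels; i++) {
			nodes[i].children = &nodes[i + 1];
			nodes[i].nchildren = 1;
		}
		err = pack_depth(&nodes[0], 0, &bytes);
	}
	free(nodes);
	return (err == 0 ? (int)bytes : -err);
}

/* Unpack `levels` '(' followed by `levels` ')' (constructed input): lists decoded, or -errno. */
int
unpack_chain(int levels)
{
	size_t len = (size_t)levels * 2;
	char *buf = malloc(len);
	if (buf == NULL)
		return (-ENOMEM);
	memset(buf, '(', (size_t)levels);
	memset(buf + levels, ')', (size_t)levels);
	int rv = unpack_bounded(buf, len);
	free(buf);
	return (rv);
}
```

With the cap at 32, pack_chain(33) and unpack_chain(33) succeed while pack_chain(34) and unpack_chain(34) return -E2BIG: the check runs at the top of each frame, before that frame does any work, so a hostile buffer from an unprivileged caller can never push the unpacker more than NEST_MAX_DEPTH + 1 frames deep. Every bug in the syntax itself (an unclosed list, trailing bytes) still surfaces as EINVAL rather than as a crash. A non-recursive rewrite with an explicit work stack, as the description says would be ideal, would remove the frame cost entirely; the depth cap is the small change that closes the panic in the meantime.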

History

#1

Updated by Electric Monk about 3 years ago

  • % Done changed from 0 to 100
  • Status changed from New to Closed

git commit 9ca527c3d3dfa7c8f304b34a9e03b5eddace838f

commit  9ca527c3d3dfa7c8f304b34a9e03b5eddace838f
Author: Matthew Ahrens <mahrens@delphix.com>
Date:   2016-08-03T15:47:33.000Z

    7263 deeply nested nvlist can overflow stack
    Reviewed by: Adam Leventhal <ahl@delphix.com>
    Reviewed by: George Wilson <george.wilson@delphix.com>
    Reviewed by: Robert Mustacchi <rm@joyent.com>
    Approved by: Dan McDonald <danmcd@omniti.com>
