Actions
Bug #8713
closed
Buffer overflow in dsl_dataset_name()
Start date:
2017-10-11
Due date:
% Done:
100%
Estimated time:
Difficulty:
Bite-size
Tags:
needs-triage
Gerrit CR:
External Bug:
Description
If we're creating a pool with version >= SPA_VERSION_DSL_SCRUB (v11) we need to account for additional space needed by the origin dataset which will also be snapshotted: "poolname"+"/"+"$ORIGIN"+"@"+"$ORIGIN".
Enforce this limit in pool_namecheck().
Reproducer:
POOLNAME="$(printf 'A%.s' `seq 1 240`)" TMPDIR='/tmp' mkfile 64m $TMPDIR/zpool.dat zpool create -O mountpoint=none $POOLNAME $TMPDIR/zpool.dat
Crash is from my devel box running current OpenZFS master:
Loading modules: [ unix genunix specfs dtrace mac cpu.generic uppc pcplusmp scsi_vhci zfs ip hook neti sockfs arp usba uhci fctl stmf stmf_sbd mm lofs sata random sd idm sppp cpc fcip ufs logindmux ptm nfs ]
> ::obey
No Language H here
> ::status
debugging crash dump vmcore.0 (64-bit) from openindiana
operating system: 5.11 master-0-g7624f180cf (i86pc)
image uuid: 1ef8459e-c376-cac7-b8ca-b478d2b81f25
panic message: assertion failed: strlcat(name, ds->ds_snapname, 256) < 256 (0x100 < 0x100), file: ../../common/fs/zfs/dsl_dataset.c, line: 670
dump content: kernel pages only
> $C
ffffff000ddb06d0 vpanic()
ffffff000ddb0720 0xfffffffffbdff58d()
ffffff000ddb0760 dsl_dataset_name+0xeb(ffffff032a22e700, ffffff000ddb07a0)
ffffff000ddb0930 spa_history_log_internal_ds+0x7d(ffffff032a22e700, fffffffff793bdea, ffffff032d94e800, fffffffff7939459)
ffffff000ddb09e0 dsl_dataset_snapshot_sync_impl+0x549(ffffff03177e8c00, fffffffff793bddd, ffffff032d94e800)
ffffff000ddb0a20 dsl_pool_create_origin+0xb2(ffffff032a220b40, ffffff032d94e800)
ffffff000ddb0ab0 dsl_pool_create+0x24b(ffffff0339cfb000, ffffff032b907fc0, 4)
ffffff000ddb0b70 spa_create+0x381(ffffff0339cf8000, ffffff032b3d4c60, ffffff031994c2b0, ffffff032b907fc0)
ffffff000ddb0bd0 zfs_ioc_pool_create+0x181(ffffff0339cf8000)
ffffff000ddb0c70 zfsdev_ioctl+0x546(10e00000000, 5a00, 80425f8, 100003, ffffff0337df6e00, ffffff000ddb0e58)
ffffff000ddb0cb0 cdev_ioctl+0x39(10e00000000, 5a00, 80425f8, 100003, ffffff0337df6e00, ffffff000ddb0e58)
ffffff000ddb0d00 spec_ioctl+0x60(ffffff031dbdac00, 5a00, 80425f8, 100003, ffffff0337df6e00, ffffff000ddb0e58, 0)
ffffff000ddb0d90 fop_ioctl+0x55(ffffff031dbdac00, 5a00, 80425f8, 100003, ffffff0337df6e00, ffffff000ddb0e58, 0)
ffffff000ddb0eb0 ioctl+0x9b(3, 5a00, 80425f8)
ffffff000ddb0f00 _sys_sysenter_post_swapgs+0x234()
> ffffff032a22e700::print dsl_dataset_t ds_snapname ds_is_snapshot
ds_snapname = [ "$ORIGIN" ]
ds_is_snapshot = 0x1 (B_TRUE)
> ffffff000ddb07a0,0x10f::dump
\/ 1 2 3 4 5 6 7 8 9 a b c d e f v123456789abcdef
ffffff000ddb07a0: 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
ffffff000ddb07b0: 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
ffffff000ddb07c0: 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
ffffff000ddb07d0: 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
ffffff000ddb07e0: 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
ffffff000ddb07f0: 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
ffffff000ddb0800: 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
ffffff000ddb0810: 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
ffffff000ddb0820: 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
ffffff000ddb0830: 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
ffffff000ddb0840: 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
ffffff000ddb0850: 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
ffffff000ddb0860: 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
ffffff000ddb0870: 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
ffffff000ddb0880: 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
ffffff000ddb0890: 2f244f52 4947494e 40244f52 49474900 /$ORIGIN@$ORIGI.
ffffff000ddb08a0: 00fa3e1b 03ffffff b7375df1 a642f1f1 ..>......7]..B..
>
Related issues
Updated by 
Updated by
Actions