https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204358
Bug ID: 204358
Summary: zfs loader zfs_probe_args secsz is too small, causing memory corruption
Product: Base System
Version: 11.0-CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: freebsd-bugs@FreeBSD.org
Reporter: tso...@me.com
sys/boot/zfs/zfs.c has a probe args structure including a uint16_t secsz variable
for the media sector size; it's used as an argument for ioctl() at line 484:
ioctl(pa.fd, DIOCGSECTORSIZE, &pa.secsz);
However, this ioctl is expecting 32-bit data (u_int *) and therefore this ioctl
will overwrite and corrupt 16 bits of memory.
Other use cases seem to use the correct u_int type for secsz.
The following fix should be sufficient.
tsoome@beastie:/code/freebsd/head/sys/boot/zfs$ diff -u zfs.c.orig zfs.c
--- zfs.c.orig N apr 16 14:49:00 2015
+++ zfs.c L nov 7 15:13:55 2015
@@ -399,7 +399,7 @@
int fd;
const char *devname;
uint64_t*pool_guid;
- uint16_tsecsz;
+ u_int secsz;
};
static int
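Review bot: the type change in this hunk is the right fix for the overwrite described above, since DIOCGSECTORSIZE stores a u_int through the pointer it is given and a uint16_t member leaves two bytes of the neighbouring field to be clobbered; before committing, check the other reads of the secsz member in zfs.c for assumptions about a 16-bit width (format specifiers, casts, comparisons) so the widened field is used consistently, and consider a short comment on the member noting that its type must match the ioctl's u_int.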
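To make the failure mode concrete, here is an added example that is not code from the bug report or from sys/boot/zfs/zfs.c. It models the kernel side of DIOCGSECTORSIZE as a helper that copies sizeof(u_int) bytes to whatever address it is handed, and places a uint16_t secsz next to a second 16-bit member so the spill is visible. The struct layouts, the fake_diocgsectorsize() helper, the neighbour field and the sentinel values are all constructed for this illustration; the fixed layout simply gives secsz the u_int width the ioctl writes, as the patch does.

```c
/*
 * Added example, not part of the FreeBSD bug report or of zfs.c.
 * Shows how an ioctl that writes a u_int through the pointer it receives
 * clobbers the field after a uint16_t, and how the widened type fixes it.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef unsigned int u_int;

/* Constructed stand-in for the kernel handling of DIOCGSECTORSIZE: the
 * caller is expected to pass a u_int *, so sizeof(u_int) bytes are
 * written to the supplied address regardless of what actually lives there. */
static void fake_diocgsectorsize(void *arg, u_int sector_size)
{
    memcpy(arg, &sector_size, sizeof sector_size);
}

/* Buggy layout, modelled on the report: a 16-bit secsz followed by another
 * member (constructed here) that sits in the two bytes the ioctl spills into. */
struct probe_args_bad {
    int      fd;
    uint16_t secsz;
    uint16_t neighbour;
};

/* Fixed layout: secsz has the width DIOCGSECTORSIZE writes. */
struct probe_args_good {
    int      fd;
    u_int    secsz;
    uint16_t neighbour;
};

/* Compile-time check a caller can keep next to the struct definition so a
 * future narrowing of the field fails the build instead of corrupting memory. */
_Static_assert(sizeof(((struct probe_args_good *)0)->secsz) == sizeof(u_int),
               "secsz must be as wide as the u_int DIOCGSECTORSIZE stores");

#define SENTINEL 0xBEEFu   /* constructed marker value for the neighbour field */

/* Value of the neighbouring field after the ioctl writes into the 16-bit secsz. */
unsigned bad_neighbour_after_ioctl(u_int sector_size)
{
    struct probe_args_bad pa = { .fd = 3, .secsz = 0, .neighbour = SENTINEL };
    fake_diocgsectorsize(&pa.secsz, sector_size);
    return pa.neighbour;
}

/* Same call against the fixed layout: the neighbour is untouched. */
unsigned good_neighbour_after_ioctl(u_int sector_size)
{
    struct probe_args_good pa = { .fd = 3, .secsz = 0, .neighbour = SENTINEL };
    fake_diocgsectorsize(&pa.secsz, sector_size);
    return pa.neighbour;
}

/* Sector size as read back through the fixed layout. */
u_int good_secsz_after_ioctl(u_int sector_size)
{
    struct probe_args_good pa = { .fd = 3, .secsz = 0, .neighbour = SENTINEL };
    fake_diocgsectorsize(&pa.secsz, sector_size);
    return pa.secsz;
}

/* Number of bytes the ioctl writes past the end of the 16-bit field. */
size_t bytes_spilled_past_uint16(void)
{
    return sizeof(u_int) - sizeof(uint16_t);
}

int main(void)
{
    printf("bad layout:  neighbour 0x%04X -> 0x%04X (%zu bytes spilled)\n",
           SENTINEL, bad_neighbour_after_ioctl(512), bytes_spilled_past_uint16());
    printf("good layout: neighbour 0x%04X -> 0x%04X, secsz = %u\n",
           SENTINEL, good_neighbour_after_ioctl(512), good_secsz_after_ioctl(512));
    return 0;
}
```

On a little-endian machine the buggy layout still reads the right sector size from its low two bytes for any value below 65536, while the neighbouring field is silently zeroed; that is why a mismatch like this can pass casual testing and only show up as corruption of whatever happens to follow the field.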
freebsd-bugs@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-bugs