[Bug 204358] zfs loader zfs_probe_args secsz is too small, causing memory corruption

2015-11-08 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204358

Mark Linimon changed:

   What|Removed |Added

   Assignee|freebsd-bugs@FreeBSD.org|freebsd...@freebsd.org
   Keywords||patch

-- 
You are receiving this mail because:
You are the assignee for the bug.
___
freebsd-bugs@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"


[Bug 204358] zfs loader zfs_probe_args secsz is too small, causing memory corruption

2015-11-07 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204358

Bug ID: 204358
   Summary: zfs loader zfs_probe_args secsz is too small, causing
memory corruption
   Product: Base System
   Version: 11.0-CURRENT
  Hardware: Any
OS: Any
Status: New
  Severity: Affects Many People
  Priority: ---
 Component: kern
  Assignee: freebsd-bugs@FreeBSD.org
  Reporter: tso...@me.com

sys/boot/zfs/zfs.c has a probe args structure including a uint16_t secsz variable
for the media sector size; it's used as an argument for ioctl() at line 484:

ioctl(pa.fd, DIOCGSECTORSIZE, &pa.secsz);

However, this ioctl is expecting 32-bit data (u_int *) and therefore this ioctl
will overwrite and corrupt 16 bits of memory.

Other use cases seem to use the correct u_int type for secsz.

For the fix, the following should be sufficient.
tsoome@beastie:/code/freebsd/head/sys/boot/zfs$ diff -u zfs.c.orig zfs.c
--- zfs.c.orig  N apr 16 14:49:00 2015
+++ zfs.c   L nov  7 15:13:55 2015
@@ -399,7 +399,7 @@
int fd;
const char  *devname;
uint64_t*pool_guid;
-   uint16_tsecsz;
+   u_int   secsz;
 };

 static int
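Review bot: widening secsz to u_int matches the u_int * that DIOCGSECTORSIZE writes through, so the 16-bit overrun into whatever follows secsz in the struct stops at the declaration; since the hunk only touches the struct, confirm that the ioctl() call at line 484 and every other reader of pa.secsz in zfs.c still compile cleanly with the wider type and that no code path assigns or compares it back through a 16-bit variable, which would quietly reintroduce the narrowing. Also, the context lines "int fd;", "const char *devname;" and "uint64_t *pool_guid;" have lost their leading space in the pasted copy, so the diff may not apply as shown; attaching the patch file to the bug would avoid the mangling.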

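The corruption the report describes, as an added example that is not from the bug report or from the FreeBSD source: a constructed model of the probe-args struct with a `canary` member placed right after `secsz`, and `fake_diocgsectorsize()`, a stand-in for the driver side of DIOCGSECTORSIZE that stores a 32-bit value through whatever pointer it receives. With the original `uint16_t secsz` the store spills into the neighbouring member; with the widened field it lands exactly. The struct layout, the canary, the helper and the `secsz_is_ioctl_sized()` check are assumptions made for illustration only.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed model of the loader's probe-args struct (not the FreeBSD
 * source). 'canary' stands in for whatever happens to sit after secsz in
 * memory; it is only here so the overrun has something observable to hit.
 */
struct probe_args_bad {
    int          fd;
    const char  *devname;
    uint64_t    *pool_guid;
    uint16_t     secsz;      /* 16 bits: too narrow for DIOCGSECTORSIZE */
    uint16_t     canary;     /* receives the other half of the 32-bit write */
};

/* Same struct with the reporter's fix: secsz widened to match the ioctl. */
struct probe_args_good {
    int          fd;
    const char  *devname;
    uint64_t    *pool_guid;
    unsigned int secsz;      /* u_int, as DIOCGSECTORSIZE expects */
    uint16_t     canary;
};

#define CANARY 0xBEEFu

/* The check a reviewer wants: is the field as wide as what the ioctl writes
 * through its u_int * argument? (Assumed helper; C11 code would use
 * _Static_assert for the same thing.) */
int secsz_is_ioctl_sized(void)
{
    return sizeof(((struct probe_args_good *)0)->secsz) == sizeof(unsigned int);
}

/*
 * Stand-in for the kernel side of ioctl(fd, DIOCGSECTORSIZE, arg): the driver
 * stores a 32-bit sector size through the pointer it was handed and has no way
 * of knowing how wide the caller's variable really is. The volatile store and
 * noinline keep the compiler from folding the write away.
 */
__attribute__((noinline))
void fake_diocgsectorsize(void *arg, unsigned int sector_size)
{
    *(volatile unsigned int *)arg = sector_size;
}

/* Probe with the original uint16_t field; returns the canary afterwards. */
uint16_t canary_after_bad_probe(unsigned int sector_size)
{
    struct probe_args_bad pa = { .fd = -1, .canary = CANARY };
    fake_diocgsectorsize(&pa.secsz, sector_size);   /* 4-byte write, 2-byte slot */
    return pa.canary;                               /* no longer CANARY */
}

/* Probe with the fixed u_int field; returns the canary afterwards. */
uint16_t canary_after_good_probe(unsigned int sector_size)
{
    struct probe_args_good pa = { .fd = -1, .canary = CANARY };
    fake_diocgsectorsize(&pa.secsz, sector_size);   /* write fits exactly */
    return pa.canary;                               /* still CANARY */
}

/* Sector size read back through the fixed struct. */
unsigned int secsz_after_good_probe(unsigned int sector_size)
{
    struct probe_args_good pa = { .fd = -1, .canary = CANARY };
    fake_diocgsectorsize(&pa.secsz, sector_size);
    return pa.secsz;
}

int main(void)
{
    printf("uint16_t secsz: canary 0x%04x -> 0x%04x after a 512-byte probe\n",
           CANARY, canary_after_bad_probe(512));
    printf("u_int    secsz: canary 0x%04x -> 0x%04x, secsz = %u\n",
           CANARY, canary_after_good_probe(512), secsz_after_good_probe(512));
    printf("secsz field matches ioctl width: %s\n",
           secsz_is_ioctl_sized() ? "yes" : "no");
    return 0;
}
```

Which half of the sector size ends up in the canary depends on byte order, but on any target the neighbouring member is changed by the narrow-field version and left alone by the widened one; that is the whole of the bug and the whole of the fix.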