Page MenuHomeFreeBSD

pseudofs: Fix a potential out-of-bounds access in pfs_lookup()
ClosedPublic

Authored by markj on Jun 21 2023, 2:05 PM.
Tags
None
Referenced Files
F102993496: D40692.diff
Tue, Nov 19, 2:29 PM
Unknown Object (File)
Mon, Nov 18, 2:33 AM
Unknown Object (File)
Oct 9 2024, 3:17 AM
Unknown Object (File)
Oct 9 2024, 3:17 AM
Unknown Object (File)
Oct 9 2024, 3:17 AM
Unknown Object (File)
Oct 9 2024, 2:48 AM
Unknown Object (File)
Sep 22 2024, 8:31 AM
Unknown Object (File)
Sep 20 2024, 2:57 AM
Subscribers

Details

Summary

pseudofs nodes store their name in a flexible array member, so the node
allocation is sized using the length of the name, including a nul
terminator. pfs_lookup() scans a directory of nodes, comparing names to
find a match. The comparison was incorrect and assumed that all node
names were at least as long as the name being looked up, which of course
isn't true.

I believe the bug is mostly harmless since it cannot result in false
positive or negative matches from the lookup, but it triggers a KASAN
check.

Reported by: pho

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 52229
Build 49120: arc lint + arc unit