Diffusion FreeBSD src repository ac6500389b12

zfs: add bounds checking to zil_parse (#16308)
ac6500389b12
Actions

Description

zfs: add bounds checking to zil_parse (#16308)

Make sure log record don't stray beyond valid memory region.

There is a lack of verification of the space occupied by fixed members
of lr_t in the zil_parse.

We can create a crafted image to trigger an out of bounds read by
following these steps:

Do some file operations and reboot to simulate abnormal exit without umount
zil_chain.zc_nused: 0x1000
First lr_t lr_t.lrc_txtype: 0x0 lr_t.lrc_reclen: 0x1000-0xb8-0x1 lr_t.lrc_txg: 0x0 lr_t.lrc_seq: 0x1
Update checksum in zil_chain.zc_eck

Fix:
Add some checks to make sure the remaining bytes are large enough to
hold an log record.

Signed-off-by: XDTG <click1799@163.com>
Reviewed-by: Alexander Motin <mav@FreeBSD.org>
Reviewed-by: Tony Hutter <hutter2@llnl.gov>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>

Details

Provenance

c1ick <35128600+XDTG@users.noreply.github.com>	Authored on Aug 1 2024, 12:17 AM
Tony Hutter <hutter2@llnl.gov>	Committed on Aug 22 2024, 10:12 PM

Parents

rG1f055436f3a2: linux/zvol_os: fix SET_ERROR with negative return codes

Branches

Unknown

Tags

Unknown

Event Timeline

Tony Hutter <hutter2@llnl.gov> committed rGac6500389b12: zfs: add bounds checking to zil_parse (#16308) (authored by c1ick <35128600+XDTG@users.noreply.github.com>).Aug 22 2024, 10:12 PM

mm mentioned this in rG755e773877e9: zfs: merge openzfs/zfs@33174af15 (zfs-2.2-release) into stable/14.Mon, Sep 9, 8:59 PM

Changes (1)

Path

Size

module/

zfs/

zil.c

rGac6500389b12

View Options