HomeFreeBSD

dmu: fix integer overflows

Description

dmu: fix integer overflows

The params to the functions are uint64_t, but the offsets to memcpy
/ bcopy are calculated using 32bit ints. This patch changes them to
also be uint64_t so there isnt an overflow. PaX's Size Overflow
caught this when formatting a zvol.

Gentoo bug: #546490

PAX: offset: 1ffffb000 db->db_offset: 1ffffa000 db->db_size: 2000 size: 5000
PAX: size overflow detected in function dmu_read /var/tmp/portage/sys-fs/zfs-kmod-0.6.3-r1/work/zfs-zfs-0.6.3/module/zfs/../../module/zfs/dmu.c:781 cicus.366_146 max, count: 15
CPU: 1 PID: 2236 Comm: zvol/10 Tainted: P O 3.17.7-hardened-r1 #1
Call Trace:
[<ffffffffa0382ee8>] ? dsl_dataset_get_holds+0x9d58/0x343ce [zfs]
[<ffffffff81a59c88>] dump_stack+0x4e/0x7a
[<ffffffffa0393c2a>] ? dsl_dataset_get_holds+0x1aa9a/0x343ce [zfs]
[<ffffffff81206696>] report_size_overflow+0x36/0x40
[<ffffffffa02dba2b>] dmu_read+0x52b/0x920 [zfs]
[<ffffffffa0373ad1>] zrl_is_locked+0x7d1/0x1ce0 [zfs]
[<ffffffffa0364cd2>] zil_clean+0x9d2/0xc00 [zfs]
[<ffffffffa0364f21>] zil_commit+0x21/0x30 [zfs]
[<ffffffffa0373fe1>] zrl_is_locked+0xce1/0x1ce0 [zfs]
[<ffffffff81a5e2c7>] ? __schedule+0x547/0xbc0
[<ffffffffa01582e6>] taskq_cancel_id+0x2a6/0x5b0 [spl]
[<ffffffff81103eb0>] ? wake_up_state+0x20/0x20
[<ffffffffa0158150>] ? taskq_cancel_id+0x110/0x5b0 [spl]
[<ffffffff810f7ff4>] kthread+0xc4/0xe0
[<ffffffff810f7f30>] ? kthread_create_on_node+0x170/0x170
[<ffffffff81a62fa4>] ret_from_fork+0x74/0xa0
[<ffffffff810f7f30>] ? kthread_create_on_node+0x170/0x170

Signed-off-by: Jason Zaman <jason@perfinion.com>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Closes #3333

Details

Provenance
Jason Zaman <jason@perfinion.com>Authored on Apr 30 2015, 12:20 PM
Brian Behlendorf <behlendorf1@llnl.gov>Committed on May 4 2015, 4:12 PM
Parents
rG98b254188a73: Illumos #5244 - zio pipeline callers should explicitly invoke next stage
Branches
Unknown
Tags
Unknown

Event Timeline

Brian Behlendorf <behlendorf1@llnl.gov> committed rGc9520ecc0f46: dmu: fix integer overflows (authored by Jason Zaman <jason@perfinion.com>).May 4 2015, 4:12 PM