https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284593
Bug ID: 284593
Summary: geom/raid/md_ddf.c can cause vmem_alloc() to crash
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: b...@freebsd.org
Reporter: r...@lcs.mit.edu

In a situation where something like a USB thumb drive can supply whatever value it likes for provider->sectorsize, during taste ddf_meta_read() can call g_read_data() with a crazy length.

With an INVARIANTS kernel, this might be caught by g_read_data()'s

    KASSERT(length > 0 && length >= cp->provider->sectorsize &&
        length <= maxphys,
        ("g_read_data(): invalid length %jd", (intmax_t)length));

Without INVARIANTS, g_read_data() can pass a crazy size value to g_malloc(). One possibility is that the size (due to sign-extension) is near the maximum 64-bit number, in which case the DEBUG_REDZONE increment added by redzone_size_ntor() and/or the roundup() in malloc_large() can wrap the size to zero.

With INVARIANTS, vmem_alloc() will then trip over

    MPASS(size > 0);

Without INVARIANTS, a size of zero will cause this array reference in vmem_alloc() to fault:

    qc = &vm->vm_qcache[(size - 1) >> vm->vm_quantum_shift];

The sii, nvidia, jmicron, and intel xxx_meta_read() functions have similar code that uses provider->sectorsize without enough sanity-checking.
I can reproduce this, with the following back-trace:

    #0  vmem_alloc (vm=0xffffffd000808000, size=0, flags=<optimized out>, addrp=0xffffffc08284c7e0)
        at /usr/rtm/symbsd/src/sys/kern/subr_vmem.c:1331
    #1  0xffffffc000741e76 in kmem_malloc_domain (flags=2, domain=<optimized out>, size=<optimized out>)
        at /usr/rtm/symbsd/src/sys/vm/vm_kern.c:483
    #2  kmem_malloc_domainset (ds=<optimized out>, size=<optimized out>, flags=2)
        at /usr/rtm/symbsd/src/sys/vm/vm_kern.c:515
    #3  0xffffffc0003b3ce2 in malloc_large (size=0, mtp=0xffffffc0009de050 <M_GEOM>, policy=0xffffffd000808000, flags=2, osize=18446744073709543416)
        at /usr/rtm/symbsd/src/sys/kern/kern_malloc.c:602
    #4  0xffffffc0003b3b62 in malloc (size=18446744073709547528, mtp=0xffffffc0009de050 <M_GEOM>, flags=2)
        at /usr/rtm/symbsd/src/sys/kern/kern_malloc.c:659
    #5  0xffffffc00032ec96 in g_malloc (size=-8200, flags=2)
        at /usr/rtm/symbsd/src/sys/geom/geom.h:371
    #6  g_read_data (cp=0xffffffd002b41880, offset=4398038114304, length=4294959096, error=0xffffffc08284ca2c)
        at /usr/rtm/symbsd/src/sys/geom/geom_io.c:909
    #7  0xffffffc000344554 in ddf_meta_read (cp=0xffffffd002b41880, meta=0xffffffc08284c9d8)
        at /usr/rtm/symbsd/src/sys/geom/raid/md_ddf.c:1052
    #8  g_raid_md_taste_ddf (md=0xffffffd001a44d00, mp=0xffffffc0009e0fd0 <g_raid_class>, cp=0xffffffd002b41880, gp=0xffffffc08284cac0)
        at /usr/rtm/symbsd/src/sys/geom/raid/md_ddf.c:2172
    #9  0xffffffc00033e9fc in G_RAID_MD_TASTE (md=0xffffffd001a44d00, mp=0xffffffc0009e0fd0 <g_raid_class>, cp=0xffffffd002b41880, gp=0xffffffc08284cac0)
        at ./g_raid_md_if.h:70
    #10 g_raid_taste (mp=0xffffffc0009e0fd0 <g_raid_class>, pp=0xffffffd002b4bf00, flags=<optimized out>)
        at /usr/rtm/symbsd/src/sys/geom/raid/g_raid.c:2240
    #11 0xffffffc000331d42 in g_new_provider_event (arg=0xffffffd002b4bf00, flag=<optimized out>)
        at /usr/rtm/symbsd/src/sys/geom/geom_subr.c:592
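The arithmetic chain the report describes (sign extension of a 32-bit length, the DEBUG_REDZONE increment, and roundup() wrapping the size to exactly zero) can be replayed from the numbers in the backtrace. The program below is an added illustration, not FreeBSD source and not the reporter's code: the three large constants are copied from frames #3, #4 and #6, the roundup() formula is the one from sys/param.h, while the 4 KiB page size, the 1 MiB maxphys value and the two check helpers (read_length_ok, mirroring the KASSERT in g_read_data(), and sectorsize_ok, a bound a taste routine could apply before trusting provider->sectorsize) are assumptions made for the example.

```c
/*
 * Added illustration, not FreeBSD source: replays the size arithmetic
 * recorded in the backtrace above and shows the kind of sanity check the
 * report says the *_meta_read() functions lack.  Constants marked
 * "assumed" are not taken from the bug; the three large numbers are.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values copied from frames #3, #4 and #6 of the backtrace. */
#define FRAME6_LENGTH  4294959096ULL           /* length passed to g_read_data() */
#define FRAME4_SIZE    18446744073709547528ULL /* size inside malloc() after redzone */
#define FRAME3_OSIZE   18446744073709543416ULL /* osize seen by malloc_large() */

#define PAGE_SIZE_ASSUMED 4096ULL              /* assumed: 4 KiB pages */
#define MAXPHYS_ASSUMED   (1024ULL * 1024ULL)  /* assumed: maxphys of 1 MiB */

/* roundup() as written in sys/param.h: x + y - 1 overflows when x is near 2^64. */
static uint64_t roundup_u64(uint64_t x, uint64_t y)
{
	return ((x + y - 1) / y) * y;
}

/*
 * Step 1: the 32-bit length 0xFFFFE008 read as a signed int is -8200 (the
 * g_malloc() frame); widening that to a 64-bit size yields 2^64 - 8200, which
 * is the osize of frame #3.  Two's-complement narrowing is assumed.
 */
uint64_t sign_extended_request(uint64_t length)
{
	int32_t narrowed = (int32_t)(uint32_t)length; /* truncation to 32 bits */
	return (uint64_t)(int64_t)narrowed;            /* sign extension to 64 bits */
}

/* Step 2: the redzone overhead is whatever frame #4 added to frame #3's osize. */
uint64_t redzone_overhead_from_trace(void)
{
	return FRAME4_SIZE - FRAME3_OSIZE; /* 4112 in this trace */
}

/* Step 3: page-rounding a size this close to 2^64 wraps to exactly 0. */
uint64_t size_reaching_vmem_alloc(uint64_t size_after_redzone)
{
	return roundup_u64(size_after_redzone, PAGE_SIZE_ASSUMED);
}

/* The condition g_read_data()'s KASSERT tests, usable even without INVARIANTS. */
bool read_length_ok(uint64_t length, uint64_t sectorsize, uint64_t maxphys)
{
	return length > 0 && length >= sectorsize && length <= maxphys;
}

/* Assumed bound for a provider-supplied sectorsize before it feeds any size math. */
bool sectorsize_ok(uint64_t sectorsize, uint64_t maxphys)
{
	if (sectorsize == 0 || sectorsize > maxphys)
		return false;
	return (sectorsize & (sectorsize - 1)) == 0; /* must be a power of two */
}

int main(void)
{
	uint64_t req = sign_extended_request(FRAME6_LENGTH);
	uint64_t inflated = req + redzone_overhead_from_trace();

	printf("request after sign extension: %llu (matches frame #3 osize: %s)\n",
	    (unsigned long long)req, req == FRAME3_OSIZE ? "yes" : "no");
	printf("after redzone and page roundup: %llu\n",
	    (unsigned long long)size_reaching_vmem_alloc(inflated));
	printf("KASSERT condition on frame #6 length: %s\n",
	    read_length_ok(FRAME6_LENGTH, 512, MAXPHYS_ASSUMED) ? "pass" : "fail");
	return 0;
}
```

Run as-is, the program reports that the sign-extended request equals frame #3's osize, that the page roundup of the redzone-inflated size is 0 (the size vmem_alloc() receives in frame #0), and that the KASSERT condition would have rejected the 4294959096-byte length, which is why the report singles out the non-INVARIANTS build as the dangerous one.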