Author: trasz
Date: Wed Jan  4 14:43:57 2017
New Revision: 311284
URL: https://svnweb.freebsd.org/changeset/base/311284

Log:
  Fix bug that would result in a kernel crash in some cases involving
  a symlink and an autofs mount request.  The crash was caused by namei()
  calling bcopy() with a negative length, caused by numeric underflow:
  in lookup(), in the relookup path, the ni_pathlen was decremented too
  many times.  The bug was introduced in r296715.
  
  Big thanks to Alex Deiter for his help with debugging this.
  
  Reviewed by:  kib@
  Tested by:    Alex Deiter <alex.deiter at gmail.com>
  MFC after:    1 month

Modified:
  head/sys/kern/vfs_lookup.c

Modified: head/sys/kern/vfs_lookup.c
==============================================================================
--- head/sys/kern/vfs_lookup.c  Wed Jan  4 12:50:44 2017        (r311283)
+++ head/sys/kern/vfs_lookup.c  Wed Jan  4 14:43:57 2017        (r311284)
@@ -621,11 +621,13 @@ needs_exclusive_leaf(struct mount *mp, i
 int
 lookup(struct nameidata *ndp)
 {
-       char *cp;               /* pointer into pathname argument */
+       char *cp;                       /* pointer into pathname argument */
+       char *prev_ni_next;             /* saved ndp->ni_next */
        struct vnode *dp = NULL;        /* the directory we are searching */
        struct vnode *tdp;              /* saved dp */
        struct mount *mp;               /* mount table entry */
        struct prison *pr;
+       size_t prev_ni_pathlen;         /* saved ndp->ni_pathlen */
        int docache;                    /* == 0 do not cache last component */
        int wantparent;                 /* 1 => wantparent or lockparent flag */
        int rdonly;                     /* lookup read-only flag bit */
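Review bot: `prev_ni_pathlen` and `prev_ni_next` are declared without initializers, and their only stores are in the `dirloop:` path while the loads are in the `relookup` branch further down; that is correct as long as `dirloop` always runs before `relookup` can be set, but some compilers will warn about possibly-uninitialized use. Initialising both at declaration (`= 0` and `= NULL`) would silence the warning and make the invariant explicit; alternatively a short comment on the declarations saying they are valid only after the first pass through `dirloop` would do.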
@@ -687,7 +689,11 @@ dirloop:
        printf("{%s}: ", cnp->cn_nameptr);
        *cp = c; }
 #endif
+       prev_ni_pathlen = ndp->ni_pathlen;
        ndp->ni_pathlen -= cnp->cn_namelen;
+       KASSERT(ndp->ni_pathlen <= PATH_MAX,
+           ("%s: ni_pathlen underflow to %zd\n", __func__, ndp->ni_pathlen));
+       prev_ni_next = ndp->ni_next;
        ndp->ni_next = cp;
 
        /*
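Review bot: the `KASSERT` format uses `%zd` for `ndp->ni_pathlen`, but the saved copy is declared `size_t`, so the field is unsigned and `%zu` is the matching conversion; `%zd` will print a wrapped value as negative, which is readable but technically a format mismatch. The `<= PATH_MAX` check itself only catches the underflow because the unsigned subtraction wraps to a very large value; a one-line comment stating that intent would help the next reader, since nothing here otherwise explains why an upper bound is being asserted after a subtraction.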
@@ -1008,6 +1014,8 @@ nextname:
            ("lookup: invalid path state."));
        if (relookup) {
                relookup = 0;
+               ndp->ni_pathlen = prev_ni_pathlen;
+               ndp->ni_next = prev_ni_next;
                if (ndp->ni_dvp != dp)
                        vput(ndp->ni_dvp);
                else
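Review bot: the two restore lines have no comment explaining why `ni_pathlen` and `ni_next` must be rewound here. From the log message the reason is that the relookup path jumps back into `dirloop`, which subtracts `cn_namelen` from `ni_pathlen` a second time, eventually wrapping it and feeding a negative length to `bcopy()`; a brief comment such as "Undo the ni_pathlen/ni_next adjustment made in dirloop; relookup repeats it" would document the fix in place rather than only in r311284's log.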
_______________________________________________
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head