Date:      Wed, 4 Jan 2017 14:43:58 +0000 (UTC)
From:      Edward Tomasz Napierala <trasz@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r311284 - head/sys/kern
Message-ID:  <201701041443.v04EhwMQ034433@repo.freebsd.org>

Author: trasz
Date: Wed Jan  4 14:43:57 2017
New Revision: 311284
URL: https://svnweb.freebsd.org/changeset/base/311284

Log:
  Fix bug that would result in a kernel crash in some cases involving
  a symlink and an autofs mount request.  The crash was caused by namei()
  calling bcopy() with a negative length, caused by numeric underflow:
  in lookup(), in the relookup path, the ni_pathlen was decremented too
  many times.  The bug was introduced in r296715.
  
  Big thanks to Alex Deiter for his help with debugging this.
  
  Reviewed by:	kib@
  Tested by:	Alex Deiter <alex.deiter at gmail.com>
  MFC after:	1 month

Modified:
  head/sys/kern/vfs_lookup.c

Modified: head/sys/kern/vfs_lookup.c
==============================================================================
--- head/sys/kern/vfs_lookup.c	Wed Jan  4 12:50:44 2017	(r311283)
+++ head/sys/kern/vfs_lookup.c	Wed Jan  4 14:43:57 2017	(r311284)
@@ -621,11 +621,13 @@ needs_exclusive_leaf(struct mount *mp, i
 int
 lookup(struct nameidata *ndp)
 {
-	char *cp;		/* pointer into pathname argument */
+	char *cp;			/* pointer into pathname argument */
+	char *prev_ni_next;		/* saved ndp->ni_next */
 	struct vnode *dp = NULL;	/* the directory we are searching */
 	struct vnode *tdp;		/* saved dp */
 	struct mount *mp;		/* mount table entry */
 	struct prison *pr;
+	size_t prev_ni_pathlen;		/* saved ndp->ni_pathlen */
 	int docache;			/* == 0 do not cache last component */
 	int wantparent;			/* 1 => wantparent or lockparent flag */
 	int rdonly;			/* lookup read-only flag bit */
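Review bot: the two new locals prev_ni_pathlen and prev_ni_next are declared without initializers, and their only reads are in the relookup restore path, which a compiler cannot prove is dominated by the saves at dirloop; consider initializing them (e.g. `prev_ni_pathlen = 0; prev_ni_next = NULL;`) or adding a short comment stating that they are always written at dirloop before relookup can be set, so a maybe-uninitialized warning does not get waved through later.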
@@ -687,7 +689,11 @@ dirloop:
 	printf("{%s}: ", cnp->cn_nameptr);
 	*cp = c; }
 #endif
+	prev_ni_pathlen = ndp->ni_pathlen;
 	ndp->ni_pathlen -= cnp->cn_namelen;
+	KASSERT(ndp->ni_pathlen <= PATH_MAX,
+	    ("%s: ni_pathlen underflow to %zd\n", __func__, ndp->ni_pathlen));
+	prev_ni_next = ndp->ni_next;
 	ndp->ni_next = cp;
 
 	/*
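Review bot: the KASSERT format uses %zd for ndp->ni_pathlen, which is a size_t; %zu is the matching specifier, although %zd has the side effect of printing an underflowed value as a negative number, which is arguably more readable in a panic message, so if %zd is kept deliberately a comment saying so would help. Note also that the assertion only fires on INVARIANTS kernels, so the save of prev_ni_pathlen and prev_ni_next immediately above it, rather than the assertion, is what actually prevents the negative-length bcopy() on production builds.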
@@ -1008,6 +1014,8 @@ nextname:
 	    ("lookup: invalid path state."));
 	if (relookup) {
 		relookup = 0;
+		ndp->ni_pathlen = prev_ni_pathlen;
+		ndp->ni_next = prev_ni_next;
 		if (ndp->ni_dvp != dp)
 			vput(ndp->ni_dvp);
 		else
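Review bot: the restore of ndp->ni_pathlen and ndp->ni_next at the top of the relookup block deserves a one-line comment explaining why it is needed: per the log message, the relookup path re-enters dirloop, where ni_pathlen is decremented by cn_namelen again for the same component, so without rolling both fields back the second pass underflows the length. Making that dependency explicit next to the code will stop a future refactor of dirloop from silently reintroducing the double decrement.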