Date: Wed, 6 Jan 2021 14:57:52 GMT
Message-Id: <202101061457.106EvqsE047768@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston
Subject: git: d78aee09c08b - stable/12 - ffs: Avoid out-of-bounds accesses in the fs_active bitmap

The branch stable/12 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=d78aee09c08b575c9bbc4c90a92f6253dfd8fa3b

commit d78aee09c08b575c9bbc4c90a92f6253dfd8fa3b
Author:     Mark Johnston
AuthorDate: 2020-12-23 16:13:00 +0000
Commit:     Mark Johnston
CommitDate: 2021-01-06 14:43:22 +0000

    ffs: Avoid out-of-bounds accesses in the fs_active bitmap

    We use a bitmap to track which cylinder groups have changed between
    snapshot creation and filesystem suspension. The "legs" of the bitmap
    are four bytes wide (see ACTIVESET()) so we must round up the allocation
    size to a multiple of four bytes.

    I believe this bug is harmless since UMA/kmem_* will both pad the
    allocation and zero the full allocation. Note that malloc() does inline
    zeroing when the allocation size is known at compile-time.

    Reported by: pho (using KASAN)
    Reviewed by: kib, mckusick

    (cherry picked from commit ace3d9475ceecd9bcb766bb82a1c8f87e8f560be)
---
 sys/ufs/ffs/ffs_snapshot.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/ufs/ffs/ffs_snapshot.c b/sys/ufs/ffs/ffs_snapshot.c index 3cb999a01c56..749ab28fab56 100644 --- a/sys/ufs/ffs/ffs_snapshot.c +++ b/sys/ufs/ffs/ffs_snapshot.c
@@ -377,8 +377,8 @@ restart: * touch up the few cylinder groups that changed during * the suspension period. */ - len = howmany(fs->fs_ncg, NBBY); - space = malloc(len, M_DEVBUF, M_WAITOK|M_ZERO); + len = roundup2(howmany(fs->fs_ncg, NBBY), sizeof(int)); + space = malloc(len, M_DEVBUF, M_WAITOK | M_ZERO); UFS_LOCK(ump); fs->fs_active = space; UFS_UNLOCK(ump);
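
Review bot: on the `len = roundup2(howmany(fs->fs_ncg, NBBY), sizeof(int));` line, the `sizeof(int)` is only correct while it matches the word width the bitmap accessor uses, and nothing at the allocation site records that dependency. The commit message gives the reason (see ACTIVESET()), but the block comment above the allocation does not; a one-line comment naming ACTIVESET(), or sizing from the element type of `fs->fs_active` rather than a bare `int`, would keep the allocation and the accessor from drifting apart again. Separately, the `M_WAITOK | M_ZERO` spacing change on the malloc() line is style-only, and a backported fix is easier to audit when whitespace cleanups are left out of it.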
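
The sizing argument from the commit message, worked through as an added example (not code from the FreeBSD tree): it compares the allocation length before and after the fix and reports how many bytes a word-wide access to the last cylinder group's bit would overrun. The macros are local copies of the `sys/param.h` helpers the patch uses; `word_access_end()` is an assumed access model based only on the message's statement that the legs are four bytes wide, and the cylinder-group counts are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Local copies of the sys/param.h helpers named in the patch. */
#define NBBY 8
#define howmany(x, y) (((x) + ((y) - 1)) / (y))
#define roundup2(x, y) (((x) + ((y) - 1)) & ~((y) - 1))

/* Allocation size before the fix: one bit per cylinder group, whole bytes. */
static size_t len_before(unsigned ncg) { return howmany(ncg, NBBY); }

/* Allocation size after the fix: rounded up to whole int-sized words. */
static size_t len_after(unsigned ncg)
{
	return roundup2(howmany(ncg, NBBY), sizeof(int));
}

/*
 * Assumed access model (the page only says the legs are four bytes wide):
 * marking cylinder group cg touches the whole int at index
 * cg / (NBBY * sizeof(int)). Returns one past the last byte touched.
 */
static size_t word_access_end(unsigned cg)
{
	return (cg / (NBBY * sizeof(int)) + 1) * sizeof(int);
}

/* Bytes by which marking the last cylinder group overruns a len-byte buffer. */
static size_t overrun(unsigned ncg, size_t len)
{
	size_t end = word_access_end(ncg - 1);
	return end > len ? end - len : 0;
}

int main(void)
{
	/* Constructed cylinder-group counts, not taken from a real filesystem. */
	unsigned samples[] = { 1, 8, 9, 24, 25, 32, 33, 100 };
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		unsigned n = samples[i];
		printf("ncg=%3u before=%2zu (overrun %zu) after=%2zu (overrun %zu)\n",
		    n, len_before(n), overrun(n, len_before(n)),
		    len_after(n), overrun(n, len_after(n)));
	}
	return 0;
}
```

The old length is only safe when `howmany(fs_ncg, NBBY)` already happens to be a multiple of four, which is why the overrun is at most three bytes and easy to miss without a tool such as KASAN.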