Date: Wed, 6 Jan 2021 14:57:52 GMT From: Mark Johnston <markj@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: d78aee09c08b - stable/12 - ffs: Avoid out-of-bounds accesses in the fs_active bitmap Message-ID: <202101061457.106EvqsE047768@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch stable/12 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=d78aee09c08b575c9bbc4c90a92f6253dfd8fa3b commit d78aee09c08b575c9bbc4c90a92f6253dfd8fa3b Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2020-12-23 16:13:00 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2021-01-06 14:43:22 +0000 ffs: Avoid out-of-bounds accesses in the fs_active bitmap We use a bitmap to track which cylinder groups have changed between snapshot creation and filesystem suspension. The "legs" of the bitmap are four bytes wide (see ACTIVESET()) so we must round up the allocation size to a multiple of four bytes. I believe this bug is harmless since UMA/kmem_* will both pad the allocation and zero the full allocation. Note that malloc() does inline zeroing when the allocation size is known at compile-time. Reported by: pho (using KASAN) Reviewed by: kib, mckusick (cherry picked from commit ace3d9475ceecd9bcb766bb82a1c8f87e8f560be) --- sys/ufs/ffs/ffs_snapshot.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sys/ufs/ffs/ffs_snapshot.c b/sys/ufs/ffs/ffs_snapshot.c index 3cb999a01c56..749ab28fab56 100644 --- a/sys/ufs/ffs/ffs_snapshot.c +++ b/sys/ufs/ffs/ffs_snapshot.c @@ -377,8 +377,8 @@ restart: * touch up the few cylinder groups that changed during * the suspension period. */ - len = howmany(fs->fs_ncg, NBBY); - space = malloc(len, M_DEVBUF, M_WAITOK|M_ZERO); + len = roundup2(howmany(fs->fs_ncg, NBBY), sizeof(int)); + space = malloc(len, M_DEVBUF, M_WAITOK | M_ZERO); UFS_LOCK(ump); fs->fs_active = space; UFS_UNLOCK(ump);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202101061457.106EvqsE047768>