Richard Yao f33b298346 Illumos #15286: do_composition() needs sign awareness
Authored by: Dan McDonald <danmcd@mnx.io>
Reviewed by: Patrick Mooney <pmooney@pfmooney.com>
Reviewed by: Richard Lowe <richlowe@richlowe.net>
Approved by: Joshua M. Clulow <josh@sysmgr.org>
Ported-by: Richard Yao <richard.yao@alumni.stonybrook.edu>

Illumos-issue: https://www.illumos.org/issues/15286
Illumos-commit: f137b22e73

Porting Notes:

The patch in illumos did not have much of a commit message, and did not
provide attribution to the reporter, while original patch proposed to
OpenZFS did, so I am listing the reporter (myself) and original patch
author (also myself) below while including the original commit message
with some minor corrections as part of the porting notes:

In do_composition(), we have:

size = u8_number_of_bytes[*p];
if (size <= 1 || (p + size) > oslast)
	break;

There, we have type promotion from int8_t to size_t, which is unsigned.
C will sign extend the value as part of the widening before treating the
value as unsigned, and the negative values we can encounter are error
values from U8_ILLEGAL_CHAR and U8_OUT_OF_RANGE_CHAR, which are -1 and
-2 respectively. The unsigned versions of these under two's complement
are SIZE_MAX and SIZE_MAX-1 respectively.

The bounds check is written under the assumption that `size <= 1` does a
signed comparison. This is followed by a pointer comparison to see if
the string has the correct length, which is fine.

A little further down we have:

for (i = 0; i < size; i++)
	tc[i] = *p++;

When an error condition is encountered, this will attempt to iterate at
least SIZE_MAX-1 times, which will massively overflow the buffer, which
is not fine.

The kernel will kill the loop as soon as it hits the kernel stack guard
on Linux systems built with CONFIG_VMAP_STACK=y, which should be just
about all of them. That prevents arbitrary code execution and just about
any other bad thing that a black hat attacker might attempt with
knowledge of this buffer overflow. Other systems' kernels have
mitigations for unbounded in-kernel buffer overflows that will catch
this too.

Also, the patch in illumos-gate made an effort to fix C style issues
that had been fixed in the OpenZFS/ZFSOnLinux repository. Those issues
had been mentioned in the email that I originally sent them about this
issue. One of the fixes had not been already done, so it is included.
Another to collect_a_seq()'s arguments was handled differently in
OpenZFS. For the sake of avoiding unnecessary differences, it has been
adopted. This has the interesting effect that if you correct the paths
in the illumos-gate patch to match the current OpenZFS repository, you
can reverse apply it cleanly.

Original-patch-by: Richard Yao <richard.yao@alumni.stonybrook.edu>
Reported-by: Richard Yao <richard.yao@alumni.stonybrook.edu>
Co-authored-by: Dan McDonald <danmcd@mnx.io>
Closes #14318
Closes #14342
2023-01-19 12:50:42 -08:00
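The promotion the commit message describes, worked through as an added example (this is not code from the OpenZFS or illumos trees): `lead_byte_length()` is a constructed stand-in for the `u8_number_of_bytes[]` table, `idx`/`len` offsets replace the `p`/`oslast` pointers so the arithmetic stays defined, `planned_copy_unsigned()` writes the check the way the message quotes it and returns the loop bound the copy would use, and `planned_copy_signed()` is one sign-aware form of the check written here for illustration rather than copied from the illumos fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Error codes with the values the commit message cites (-1 and -2). */
#define U8_ILLEGAL_CHAR       (-1)
#define U8_OUT_OF_RANGE_CHAR  (-2)

/*
 * Constructed stand-in for the u8_number_of_bytes[] lead-byte table.
 * The real table has 256 entries; this toy classifies lead bytes by range
 * and is only an approximation used for the demo.
 */
static int8_t lead_byte_length(uint8_t b)
{
    if (b < 0x80)
        return 1;
    if (b <= 0xBF)
        return U8_ILLEGAL_CHAR;          /* stray continuation byte */
    if (b >= 0xC2 && b <= 0xDF)
        return 2;
    if (b >= 0xE0 && b <= 0xEF)
        return 3;
    if (b >= 0xF0 && b <= 0xF4)
        return 4;
    return U8_OUT_OF_RANGE_CHAR;         /* 0xC0, 0xC1, 0xF5..0xFF */
}

/*
 * How many iterations "for (i = 0; i < size; i++) tc[i] = *p++;" would run
 * when the check is written as the commit message quotes it: the int8_t
 * table entry is widened to size_t before "size <= 1" is evaluated.
 * Returns 0 where the original would "break".
 */
static size_t planned_copy_unsigned(const uint8_t *s, size_t idx, size_t len)
{
    size_t size = (size_t)lead_byte_length(s[idx]); /* -1 -> SIZE_MAX, -2 -> SIZE_MAX-1 */

    /* SIZE_MAX <= 1 is false, and for idx >= 1 idx + SIZE_MAX wraps to
     * idx - 1, which is below len, so neither half of the check catches
     * the error code. */
    if (size <= 1 || (idx + size) > len)
        return 0;
    return size;                                    /* the loop bound */
}

/* Sign-aware form: compare while the value is still signed, widen afterwards. */
static size_t planned_copy_signed(const uint8_t *s, size_t idx, size_t len)
{
    int size = lead_byte_length(s[idx]);            /* error codes stay negative */

    if (size <= 1 || (size_t)size > len - idx)      /* len - idx cannot wrap */
        return 0;
    return (size_t)size;
}

/* Constructed sample inputs: a valid 2-byte sequence, a stray continuation
 * byte, and an out-of-range lead byte. */
static const uint8_t sample_valid[]   = { 'a', 0xC3, 0xA9, 'b' };  /* "aeb" with e-acute */
static const uint8_t sample_illegal[] = { 'a', 0x80, 'b' };
static const uint8_t sample_range[]   = { 'a', 'b', 0xF5, 'c' };

int main(void)
{
    printf("valid:   unsigned=%zu signed=%zu\n",
        planned_copy_unsigned(sample_valid, 1, sizeof(sample_valid)),
        planned_copy_signed(sample_valid, 1, sizeof(sample_valid)));
    printf("illegal: unsigned=%zu signed=%zu\n",
        planned_copy_unsigned(sample_illegal, 1, sizeof(sample_illegal)),
        planned_copy_signed(sample_illegal, 1, sizeof(sample_illegal)));
    printf("range:   unsigned=%zu signed=%zu\n",
        planned_copy_unsigned(sample_range, 2, sizeof(sample_range)),
        planned_copy_signed(sample_range, 2, sizeof(sample_range)));
    return 0;
}
```

The example deliberately returns the planned loop bound instead of running the copy, so the SIZE_MAX and SIZE_MAX-1 results can be inspected rather than overflowing a buffer; the second operand of the unsigned check is also shown to wrap, which is why the pointer comparison alone does not rescue the original code.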


OpenZFS is an advanced file system and volume manager which was originally developed for Solaris and is now maintained by the OpenZFS community. This repository contains the code for running OpenZFS on Linux and FreeBSD.


Official Resources

Installation

Full documentation for installing OpenZFS on your favorite operating system can be found at the Getting Started Page.

Contribute & Develop

We have a separate document with contribution guidelines.

We have a Code of Conduct.

Release

OpenZFS is released under a CDDL license. For more details see the NOTICE, LICENSE and COPYRIGHT files; UCRL-CODE-235197

Supported Kernels

  • The META file contains the officially recognized supported Linux kernel versions.
  • Supported FreeBSD versions are any supported branches and releases starting from 12.2-RELEASE.