svn commit: r311964 - head/sys/geom/raid

Conrad E. Meyer cem at FreeBSD.org
Thu Jan 12 06:58:33 UTC 2017 

Author: cem
Date: Thu Jan 12 06:58:31 2017
New Revision: 311964
URL: https://svnweb.freebsd.org/changeset/base/311964

Log:
  g_raid: Prevent tasters from attempting excessively large reads
  
  Some g_raid tasters attempt metadata reads in multiples of the provider
  sectorsize.  Reads larger than MAXPHYS are invalid, so detect and abort
  in such situations.
  
  Spiritually similar to r217305 / PR 147851.
  
  PR:		214721
  Sponsored by:	Dell EMC Isilon

Modified:
  head/sys/geom/raid/md_ddf.c
  head/sys/geom/raid/md_promise.c

Modified: head/sys/geom/raid/md_ddf.c
==============================================================================
--- head/sys/geom/raid/md_ddf.c	Thu Jan 12 06:38:03 2017	(r311963)
+++ head/sys/geom/raid/md_ddf.c	Thu Jan 12 06:58:31 2017	(r311964)
@@ -1161,6 +1161,16 @@ hdrerror:
 		    (GET16(meta, hdr->Configuration_Record_Length) * ss - 512) / 12));
 	}
 
+	if (GET32(meta, hdr->cd_length) * ss >= MAXPHYS ||
+	    GET32(meta, hdr->pdr_length) * ss >= MAXPHYS ||
+	    GET32(meta, hdr->vdr_length) * ss >= MAXPHYS ||
+	    GET32(meta, hdr->cr_length) * ss >= MAXPHYS ||
+	    GET32(meta, hdr->pdd_length) * ss >= MAXPHYS ||
+	    GET32(meta, hdr->bbmlog_length) * ss >= MAXPHYS) {
+		G_RAID_DEBUG(1, "%s: Blocksize is too big.", pp->name);
+		goto hdrerror;
+	}
+
 	/* Read controller data. */
 	buf = g_read_data(cp, (lba + GET32(meta, hdr->cd_section)) * ss,
 	    GET32(meta, hdr->cd_length) * ss, &error);

Modified: head/sys/geom/raid/md_promise.c
==============================================================================
--- head/sys/geom/raid/md_promise.c	Thu Jan 12 06:38:03 2017	(r311963)
+++ head/sys/geom/raid/md_promise.c	Thu Jan 12 06:58:31 2017	(r311964)
@@ -341,6 +341,11 @@ promise_meta_read(struct g_consumer *cp,
 
 	pp = cp->provider;
 	subdisks = 0;
+
+	if (pp->sectorsize * 4 > MAXPHYS) {
+		G_RAID_DEBUG(1, "%s: Blocksize is too big.", pp->name);
+		return (subdisks);
+	}
 next:
 	/* Read metadata block. */
 	buf = g_read_data(cp, pp->mediasize - pp->sectorsize *

More information about the svn-src-all mailing list