svn commit: r344305 - head/sys/geom
Mark Johnston
markj at freebsd.org
Wed Feb 20 15:49:36 UTC 2019
On Wed, Feb 20, 2019 at 09:40:45PM +0700, Eugene Grosbein wrote:
> 20.02.2019 4:22, Mark Johnston wrote:
>
> > Author: markj
> > Date: Tue Feb 19 21:22:22 2019
> > New Revision: 344305
> > URL: https://svnweb.freebsd.org/changeset/base/344305
> >
> > Log:
> > Impose a limit on the number of GEOM_CTL arguments.
> >
> > Otherwise a privileged user can trigger a memory allocation of
> > unbounded size, or an integer overflow in the subsequent
> > geom_alloc_copyin() call, leading to out-of-bounds accesses.
> >
> > Hard-code a large limit to circumvent this problem.
> >
> > admbug: 854
> > Reported by: Anonymous of the Shellphish Grill Team
> > Reviewed by: ae
> > MFC after: 1 week
> > Sponsored by: The FreeBSD Foundation
> > Differential Revision: https://reviews.freebsd.org/D19251
> >
> > Modified:
> > head/sys/geom/geom_ctl.c
> >
> > Modified: head/sys/geom/geom_ctl.c
> > ==============================================================================
> > --- head/sys/geom/geom_ctl.c Tue Feb 19 21:20:50 2019 (r344304)
> > +++ head/sys/geom/geom_ctl.c Tue Feb 19 21:22:22 2019 (r344305)
> > @@ -139,6 +139,12 @@ gctl_copyin(struct gctl_req *req)
> > char *p;
> > u_int i;
> >
> > + if (req->narg > 2048) {
> > + gctl_error(req, "too many arguments");
> > + req->arg = NULL;
> > + return;
> > + }
> > +
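Review bot: The new `if (req->narg > 2048)` check at the top of gctl_copyin() has no comment saying what the bound protects or why 2048 is safe. The commit log ties it to an unbounded allocation and an integer overflow in the subsequent geom_alloc_copyin() call, but nothing in the code does, so a later reader cannot tell whether the value can be raised. Suggest a one-line comment above the check stating that it caps the argument count used to size that copy-in, together with a named constant in place of the literal. The "too many arguments" message could also report the limit so a caller that hits it can see what was exceeded.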
>
> Could you replace magic constant 2048 with #define symbol, please?
> Something like GEOM_ARG_MAX in sys/sys/limits.h or similar.
Sure. Here is the proposed diff: https://reviews.freebsd.org/D19271