svn commit: r353104 - releng/12.1/sys/kern

[Andrew Turner]

Author: andrew
Date: Fri Oct  4 14:10:56 2019
New Revision: 353104
URL: https://svnweb.freebsd.org/changeset/base/353104

Log:
  MFS r353032:
  
  Check the vfs option length is valid before accessing through
  
  When a VFS option passed to nmount is present but NULL the kernel will
  place an empty option in its internal list. This will have a NULL
  pointer and a length of 0. When we come to read one of these the kernel
  will try to load from the last address of virtual memory. This is
  normally invalid so will fault resulting in a kernel panic.
  
  Fix this by checking if the length is valid before dereferencing.
  
  Approved by:	re (kib)
  Sponsored by:	DARPA, AFRL

Modified:
  releng/12.1/sys/kern/vfs_mount.c
Directory Properties:
  releng/12.1/   (props changed)

Modified: releng/12.1/sys/kern/vfs_mount.c
==============================================================================
--- releng/12.1/sys/kern/vfs_mount.c	Fri Oct  4 13:43:07 2019	(r353103)
+++ releng/12.1/sys/kern/vfs_mount.c	Fri Oct  4 14:10:56 2019	(r353104)
@@ -603,7 +603,7 @@ vfs_donmount(struct thread *td, uint64_t fsflags, stru
 	 */
 	fstypelen = 0;
 	error = vfs_getopt(optlist, "fstype", (void **)&fstype, &fstypelen);
-	if (error || fstype[fstypelen - 1] != '\0') {
+	if (error || fstypelen <= 0 || fstype[fstypelen - 1] != '\0') {
 		error = EINVAL;
 		if (errmsg != NULL)
 			strncpy(errmsg, "Invalid fstype", errmsg_len);
@@ -611,7 +611,7 @@ vfs_donmount(struct thread *td, uint64_t fsflags, stru
 	}
 	fspathlen = 0;
 	error = vfs_getopt(optlist, "fspath", (void **)&fspath, &fspathlen);
-	if (error || fspath[fspathlen - 1] != '\0') {
+	if (error || fspathlen <= 0 || fspath[fspathlen - 1] != '\0') {
 		error = EINVAL;
 		if (errmsg != NULL)
 			strncpy(errmsg, "Invalid fspath", errmsg_len);