From c9520ecc0f4693cf6fbc3f678555268dc2b91089 Mon Sep 17 00:00:00 2001 From: Jason Zaman Date: Thu, 30 Apr 2015 16:20:38 +0400 Subject: dmu: fix integer overflows The params to the functions are uint64_t, but the offsets to memcpy / bcopy are calculated using 32bit ints. This patch changes them to also be uint64_t so there isnt an overflow. PaX's Size Overflow caught this when formatting a zvol. Gentoo bug: #546490 PAX: offset: 1ffffb000 db->db_offset: 1ffffa000 db->db_size: 2000 size: 5000 PAX: size overflow detected in function dmu_read /var/tmp/portage/sys-fs/zfs-kmod-0.6.3-r1/work/zfs-zfs-0.6.3/module/zfs/../../module/zfs/dmu.c:781 cicus.366_146 max, count: 15 CPU: 1 PID: 2236 Comm: zvol/10 Tainted: P O 3.17.7-hardened-r1 #1 Call Trace: [] ? dsl_dataset_get_holds+0x9d58/0x343ce [zfs] [] dump_stack+0x4e/0x7a [] ? dsl_dataset_get_holds+0x1aa9a/0x343ce [zfs] [] report_size_overflow+0x36/0x40 [] dmu_read+0x52b/0x920 [zfs] [] zrl_is_locked+0x7d1/0x1ce0 [zfs] [] zil_clean+0x9d2/0xc00 [zfs] [] zil_commit+0x21/0x30 [zfs] [] zrl_is_locked+0xce1/0x1ce0 [zfs] [] ? __schedule+0x547/0xbc0 [] taskq_cancel_id+0x2a6/0x5b0 [spl] [] ? wake_up_state+0x20/0x20 [] ? taskq_cancel_id+0x110/0x5b0 [spl] [] kthread+0xc4/0xe0 [] ? kthread_create_on_node+0x170/0x170 [] ret_from_fork+0x74/0xa0 [] ? kthread_create_on_node+0x170/0x170 Signed-off-by: Jason Zaman Signed-off-by: Brian Behlendorf Closes #3333 --- module/zfs/dmu.c | 40 ++++++++++++++++++++++------------------ 1 file changed, 22 insertions(+), 18 deletions(-) (limited to 'module/zfs/dmu.c') diff --git a/module/zfs/dmu.c b/module/zfs/dmu.c index 3b7bbefc2..fc1dcd0de 100644 --- a/module/zfs/dmu.c +++ b/module/zfs/dmu.c @@ -764,7 +764,7 @@ dmu_read(objset_t *os, uint64_t object, uint64_t offset, uint64_t size, * handle that here as well. */ if (dn->dn_maxblkid == 0) { - int newsz = offset > dn->dn_datablksz ? 0 : + uint64_t newsz = offset > dn->dn_datablksz ? 0 : MIN(size, dn->dn_datablksz - offset); bzero((char *)buf + newsz, size - newsz); size = newsz; @@ -784,16 +784,16 @@ dmu_read(objset_t *os, uint64_t object, uint64_t offset, uint64_t size, break; for (i = 0; i < numbufs; i++) { - int tocpy; - int bufoff; + uint64_t tocpy; + int64_t bufoff; dmu_buf_t *db = dbp[i]; ASSERT(size > 0); bufoff = offset - db->db_offset; - tocpy = (int)MIN(db->db_size - bufoff, size); + tocpy = MIN(db->db_size - bufoff, size); - bcopy((char *)db->db_data + bufoff, buf, tocpy); + (void) memcpy(buf, (char *)db->db_data + bufoff, tocpy); offset += tocpy; size -= tocpy; @@ -819,14 +819,14 @@ dmu_write(objset_t *os, uint64_t object, uint64_t offset, uint64_t size, FALSE, FTAG, &numbufs, &dbp)); for (i = 0; i < numbufs; i++) { - int tocpy; - int bufoff; + uint64_t tocpy; + int64_t bufoff; dmu_buf_t *db = dbp[i]; ASSERT(size > 0); bufoff = offset - db->db_offset; - tocpy = (int)MIN(db->db_size - bufoff, size); + tocpy = MIN(db->db_size - bufoff, size); ASSERT(i == 0 || i == numbufs-1 || tocpy == db->db_size); @@ -1108,13 +1108,15 @@ dmu_read_req(objset_t *os, uint64_t object, struct request *req) req_offset = 0; for (i = 0; i < numbufs; i++) { - int tocpy, didcpy, bufoff; + uint64_t tocpy; + int64_t bufoff; + int didcpy; dmu_buf_t *db = dbp[i]; bufoff = offset - db->db_offset; ASSERT3S(bufoff, >=, 0); - tocpy = (int)MIN(db->db_size - bufoff, size); + tocpy = MIN(db->db_size - bufoff, size); if (tocpy == 0) break; @@ -1156,13 +1158,15 @@ dmu_write_req(objset_t *os, uint64_t object, struct request *req, dmu_tx_t *tx) req_offset = 0; for (i = 0; i < numbufs; i++) { - int tocpy, didcpy, bufoff; + uint64_t tocpy; + int64_t bufoff; + int didcpy; dmu_buf_t *db = dbp[i]; bufoff = offset - db->db_offset; ASSERT3S(bufoff, >=, 0); - tocpy = (int)MIN(db->db_size - bufoff, size); + tocpy = MIN(db->db_size - bufoff, size); if (tocpy == 0) break; @@ -1212,14 +1216,14 @@ dmu_read_uio(objset_t *os, uint64_t object, uio_t *uio, uint64_t size) return (err); for (i = 0; i < numbufs; i++) { - int tocpy; - int bufoff; + uint64_t tocpy; + int64_t bufoff; dmu_buf_t *db = dbp[i]; ASSERT(size > 0); bufoff = uio->uio_loffset - db->db_offset; - tocpy = (int)MIN(db->db_size - bufoff, size); + tocpy = MIN(db->db_size - bufoff, size); if (xuio) { dmu_buf_impl_t *dbi = (dmu_buf_impl_t *)db; @@ -1263,14 +1267,14 @@ dmu_write_uio_dnode(dnode_t *dn, uio_t *uio, uint64_t size, dmu_tx_t *tx) return (err); for (i = 0; i < numbufs; i++) { - int tocpy; - int bufoff; + uint64_t tocpy; + int64_t bufoff; dmu_buf_t *db = dbp[i]; ASSERT(size > 0); bufoff = uio->uio_loffset - db->db_offset; - tocpy = (int)MIN(db->db_size - bufoff, size); + tocpy = MIN(db->db_size - bufoff, size); ASSERT(i == 0 || i == numbufs-1 || tocpy == db->db_size); -- cgit v1.2.3