
nandfs: avoid integer overflow in nandfs_get_dat_bdescs_ioctl
Closed, Public

Authored by emaste on Mon, Aug 12, 4:56 PM.

Details

Summary

nandfs removed from head in rS349352 but it's still in stable/12 and stable/11

Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com>

Diff Detail

Repository
rS FreeBSD src repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

emaste created this revision. Mon, Aug 12, 4:56 PM
imp accepted this revision. Mon, Aug 12, 5:09 PM

These are fine but (a) you need to have mount privs to execute this ioctl; (b) nandfs is a panic trap due to bad locking and the system can't stay up once there's any vnode pressure at all; and (c) the set of nandfs users is the empty set due to (b). This is not exploitable in any meaningful way.

This revision is now accepted and ready to land. Mon, Aug 12, 5:09 PM
In D21232#461469, @imp wrote:

These are fine but (a) you need to have mount privs to execute this ioctl; (b) nandfs is a panic trap due to bad locking and the system can't stay up once there's any vnode pressure at all; and (c) the set of nandfs users is the empty set due to (b). This is not exploitable in any meaningful way.

and you have to go out of your way to build and run it. But the fix is easier than explaining that we don't care about nandfs.

This revision was automatically updated to reflect the committed changes.
imp added a comment. Mon, Aug 12, 5:32 PM
In D21232#461469, @imp wrote:

These are fine but (a) you need to have mount privs to execute this ioctl; (b) nandfs is a panic trap due to bad locking and the system can't stay up once there's any vnode pressure at all; and (c) the set of nandfs users is the empty set due to (b). This is not exploitable in any meaningful way.

and you have to go out of your way to build and run it. But the fix is easier than explaining that we don't care about nandfs.

Yup. My feedback was to strongly bias against an SA for this :)