
nandfs: avoid integer overflow in nandfs_get_dat_bdescs_ioctl
Closed, Public

Authored by emaste on Aug 12 2019, 4:56 PM.

Details

Summary

nandfs was removed from head in rS349352, but it is still in stable/12 and stable/11.

Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com>


Event Timeline

These are fine but (a) you need to have mount privs to execute this ioctl; (b) nandfs is a panic trap due to bad locking and the system can't stay up once there's any vnode pressure at all; and (c) the set of nandfs users is the empty set due to (b). This is not exploitable in any meaningful way.

This revision is now accepted and ready to land. (Aug 12 2019, 5:09 PM)
In D21232#461469, @imp wrote:

> These are fine but (a) you need to have mount privs to execute this ioctl; (b) nandfs is a panic trap due to bad locking and the system can't stay up once there's any vnode pressure at all; and (c) the set of nandfs users is the empty set due to (b). This is not exploitable in any meaningful way.

and you have to go out of your way to build and run it. But the fix is easier than explaining that we don't care about nandfs.

> In D21232#461469, @imp wrote:
>
> > These are fine but (a) you need to have mount privs to execute this ioctl; (b) nandfs is a panic trap due to bad locking and the system can't stay up once there's any vnode pressure at all; and (c) the set of nandfs users is the empty set due to (b). This is not exploitable in any meaningful way.
>
> and you have to go out of your way to build and run it. But the fix is easier than explaining that we don't care about nandfs.

Yup. My feedback was to strongly bias against a SA for this :)