HomeFreeBSD

Read past end of argv array in zpool_do_import()

Description

Read past end of argv array in zpool_do_import()

zpool_do_import() passes argv[0], (optionally) argv[1], and
pool_specified to import_pools(). If pool_specified==FALSE, the
argv[] arguments are not used. However, these values may be off the
end of the argv[] array, so loading them could dereference unmapped
memory. This error is reported by the asan build:

=================================================================
==6003==ERROR: AddressSanitizer: heap-buffer-overflow
READ of size 8 at 0x6030000004a8 thread T0
    #0 0x562a078b50eb in zpool_do_import zpool_main.c:3796
    #1 0x562a078858c5 in main zpool_main.c:10709
    #2 0x7f5115231bf6 in __libc_start_main
    #3 0x562a07885eb9 in _start

0x6030000004a8 is located 0 bytes to the right of 24-byte region
allocated by thread T0 here:
    #0 0x7f5116ac6b40 in __interceptor_malloc
    #1 0x562a07885770 in main zpool_main.c:10699
    #2 0x7f5115231bf6 in __libc_start_main

This commit passes NULL for these arguments if they are off the end
of the argv[] array.

Reviewed-by: George Wilson <gwilson@delphix.com>
Reviewed-by: John Kennedy <john.kennedy@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Allan Jude <allan@klarasystems.com>
Signed-off-by: Matthew Ahrens <mahrens@delphix.com>
Closes #12339

Details

Provenance
mahrensAuthored on Jul 26 2021, 7:51 PM
GitHub <noreply@github.com>Committed on Jul 26 2021, 7:51 PM
Parents
rG31c41aea9cd4: Add missing properties to zfs allow manpage
Branches
Unknown
Tags
Unknown