
MFC r361748:

Description

MFC r361748:

tmpfs: Preserve alignment of struct fid fields

On 64-bit platforms, the two short fields in struct tmpfs_fid are padded to
the 64-bit alignment of the long field. This pushes the offsets of the
subsequent fields by 4 bytes and makes struct tmpfs_fid bigger than
struct fid. tmpfs_vptofh() casts a struct fid * to struct tmpfs_fid *,
causing 4 bytes of adjacent memory to be overwritten when the struct fields are
set. Through several layers of indirection and embedded structs, the adjacent
memory for one particular call to tmpfs_vptofh() happens to be the stack
canary for nfsrvd_compound(). Half of the canary ends up being clobbered,
going unnoticed until eventually the stack check fails when nfsrvd_compound()
returns and a panic is triggered.

Instead of duplicating fields of struct fid in struct tmpfs_fid, narrow the
struct to cover only the unique fields for tmpfs and assert at compile time
that the struct fits in the allotted space. This way we don't have to
replicate the offsets of struct fid fields; we just use them directly.

Reviewed by: kib, mav, rmacklem
Approved by: mav (mentor)
Sponsored by: iXsystems, Inc.
Differential Revision: https://reviews.freebsd.org/D25077
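A compiled model of the layout problem the commit describes and of the narrowed-struct fix, added here as an illustration and not taken from the FreeBSD source. The struct fid shape with MAXFIDSZ = 16, the field names of the old tmpfs_fid, and the tmpfs_fill_fid() encoder are constructed stand-ins; uint64_t takes the place of ino_t and unsigned long so the padding is the same on any LP64 compiler.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed model of the generic handle: two shorts, then an opaque
 * area (MAXFIDSZ is an assumed constant, not the real kernel header). */
#define MAXFIDSZ 16
struct fid {
    uint16_t fid_len;
    uint16_t fid_data0;
    char     fid_data[MAXFIDSZ];
};

/* "Before": the shorts are duplicated and two 64-bit fields follow.
 * On LP64 the 8-byte fields force 4 bytes of padding after the shorts,
 * so tf_id lands 4 bytes past fid_data and the struct outgrows fid. */
struct tmpfs_fid_old {
    uint16_t tf_len;
    uint16_t tf_pad;
    uint64_t tf_id;   /* stands in for ino_t */
    uint64_t tf_gen;  /* stands in for unsigned long */
};

/* "After": only the tmpfs-specific payload, copied into fid_data;
 * fid_len/fid_data0 are used from struct fid directly. */
struct tmpfs_fid_data {
    uint64_t tfd_id;
    uint64_t tfd_gen;
};
_Static_assert(sizeof(struct tmpfs_fid_data) <= MAXFIDSZ,
    "tmpfs_fid_data must fit in struct fid");

/* Bytes past the end of struct fid that the old layout would write. */
size_t old_overflow_bytes(void) {
    size_t o = sizeof(struct tmpfs_fid_old), f = sizeof(struct fid);
    return o > f ? o - f : 0;
}

/* How far tf_id is displaced from the start of fid_data. */
size_t old_id_offset_shift(void) {
    return offsetof(struct tmpfs_fid_old, tf_id) -
        offsetof(struct fid, fid_data);
}

/* Encoder for the new layout: the payload never leaves fid_data. */
void tmpfs_fill_fid(struct fid *fhp, uint64_t id, uint64_t gen) {
    struct tmpfs_fid_data tfd = { .tfd_id = id, .tfd_gen = gen };
    fhp->fid_len = sizeof(tfd);
    memcpy(fhp->fid_data, &tfd, sizeof(tfd));
}
```

Build with -std=c11: on a 64-bit target old_overflow_bytes() and old_id_offset_shift() both report 4, the spill and offset shift the commit describes, while the _Static_assert makes any future growth of the tmpfs payload a compile error instead of a stack overwrite.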

Details

Provenance
Authored by freqlabs
Reviewer
kib
Differential Revision
D25077: tmpfs: Preserve alignment of struct fid fields
Parents
rS362000: Fixup r361997 by balancing parens. Duh.
Branches
Unknown
Tags
Unknown