NetBSD-Bugs archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

kern/50573: puffs can crash kernel for lack of argument checking

>Number:         50573
>Category:       kern
>Synopsis:       puffs can crash kernel for lack of argument checking
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Dec 19 20:00:00 +0000 2015
>Originator:     Andreas Gustafsson
>Release:        NetBSD-current, source date >= 2015.
System: NetBSD
Architecture: x86_64
Machine: amd64

I noticed that the mountfuzz8 test case of the fs/puffs/t_fuzz
test had been failing on amd64 (but not i386 nor sparc)
since the commit of uvm_vnode.c 1.101 by mlelstv on December 6.

The test is failing with:

  panic: kernel diagnostic assertion "newsize != VSIZENOTSET && newsize >= 0" failed: file "/tmp/bracket/build/2015.", line 351 

The full test log is at:

mlelstv pointed out that the bug triggering this is is the lack
of parameter checking in fs/puffs/puffs_vfsops.c line 270ff
(marked with an XXX, no less):

 	/* XXX: check parameters */
 	pmp->pmp_root_cookie = args->pa_root_cookie;
 	pmp->pmp_root_vtype = args->pa_root_vtype; 
 	pmp->pmp_root_vsize = args->pa_root_vsize;
 	pmp->pmp_root_rdev = args->pa_root_rdev;
 	pmp->pmp_docompat = args->pa_time32;
where pa_root_vsize seems to have a negative value.

I also verified that this problem affects the real kernel and not just
the rump kernel by replacing every instance of "sys_rump_" in t_fuzz.c
by the empty string, rebuilding, and rerunning the test.  As expected,
this triggered a kernel panic.


On amd64,

  cd /usr/tests/fs/puffs
  atf-run t_fuzz


Home | Main Index | Thread Index | Old Index