kern/50573: puffs can crash kernel for lack of argument checking

[gson%gson.org@localhost (Andreas Gustafsson)]

>Number:         50573
>Category:       kern
>Synopsis:       puffs can crash kernel for lack of argument checking
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Dec 19 20:00:00 +0000 2015
>Originator:     Andreas Gustafsson
>Release:        NetBSD-current, source date >= 2015.12.06.08.53.22
>Organization:
>Environment:
System: NetBSD
Architecture: x86_64
Machine: amd64
>Description:

I noticed that the mountfuzz8 test case of the fs/puffs/t_fuzz
test had been failing on amd64 (but not i386 nor sparc)
since the commit of uvm_vnode.c 1.101 by mlelstv on December 6.

The test is failing with:

  panic: kernel diagnostic assertion "newsize != VSIZENOTSET && newsize >= 0" failed: file "/tmp/bracket/build/2015.12.06.08.53.22-amd64/src/lib/librumpvfs/../../sys/rump/../uvm/uvm_vnode.c", line 351 

The full test log is at:

  http://releng.netbsd.org/b5reports/amd64/build/2015.12.06.08.53.22/test.html#fs_puffs_t_fuzz_mountfuzz8

mlelstv pointed out that the bug triggering this is is the lack
of parameter checking in fs/puffs/puffs_vfsops.c line 270ff
(marked with an XXX, no less):

 	/* XXX: check parameters */
 	pmp->pmp_root_cookie = args->pa_root_cookie;
 	pmp->pmp_root_vtype = args->pa_root_vtype; 
 	pmp->pmp_root_vsize = args->pa_root_vsize;
 	pmp->pmp_root_rdev = args->pa_root_rdev;
 	pmp->pmp_docompat = args->pa_time32;
 
where pa_root_vsize seems to have a negative value.

I also verified that this problem affects the real kernel and not just
the rump kernel by replacing every instance of "sys_rump_" in t_fuzz.c
by the empty string, rebuilding, and rerunning the test.  As expected,
this triggered a kernel panic.

>How-To-Repeat:

On amd64,

  cd /usr/tests/fs/puffs
  atf-run t_fuzz

>Fix: