NetBSD-Bugs archive
Re: port-amd64/55816: mdopen() kills the kernel
The following reply was made to PR port-amd64/55816; it has been noted by GNATS.
From: mlelstv%serpens.de@localhost (Michael van Elst)
To: gnats-bugs%netbsd.org@localhost
Cc:
Subject: Re: port-amd64/55816: mdopen() kills the kernel
Date: Sun, 22 Nov 2020 14:39:08 -0000 (UTC)
martin%duskware.de@localhost (Martin Husemann) writes:
>The following reply was made to PR port-amd64/55816; it has been noted by GNATS.
>From: Martin Husemann <martin%duskware.de@localhost>
>To: gnats-bugs%netbsd.org@localhost
>Cc:
>Subject: Re: port-amd64/55816: mdopen() kills the kernel
>Date: Sun, 22 Nov 2020 14:39:10 +0100
> The /dev to be backed up has:
>
> crw-r----- 1 root operator 24, 524289 Mar 22 2017 rsd0j
> crw-r----- 1 root operator 24, 524290 Mar 22 2017 rsd0k
> crw-r----- 1 root operator 24, 524291 Mar 22 2017 rsd0l
>
> which on amd64 maps to some rmd:
>
> crw-r----- 1 root operator 24, 3 Oct 12 2019 rmd0
> crw-r----- 1 root operator 24, 0 Jul 18 2011 rmd0a
> crw-r----- 1 root operator 24, 3 Jul 18 2011 rmd0d
> crw-r----- 1 root operator 24, 19 Oct 12 2019 rmd1
> crw-r----- 1 root operator 24, 16 Jul 18 2011 rmd1a
> crw-r----- 1 root operator 24, 19 Jul 18 2011 rmd1d
>
> ... and of course the currently running kernel has no md(4) at all.
The crash occurs when dereferencing cd->cd_devs[unit] with
a negative unit fetched from cf->cf_unit.
minor(x) is a 20-bit unsigned integer.
DISKUNIT is minor(x)/MAXPARTITIONS. On amd64 this yields a
16-bit unsigned integer.
cf_unit is used by autoconf to store this unit number but
is a 16-bit _signed_ integer. A minor of 524289 gives a unit
of 32768 which is interpreted as -32768.
The code assumes that any unit number < cd_ndevs is valid
and dereferences cd_devs.
Initially cd_ndevs is 0 and cd_devs is NULL (that's the %rcx
value). But even when an initial array would have been allocated
the negative unit number would cause havoc.
If cf_unit is expanded to hold a >20bit signed integer (-1 is
used as an invalid unit in some places), this might not fail.
But the allocated array could be too large on some systems.
--
Michael van Elst
Internet: mlelstv%serpens.de@localhost
"A potential Snark may lurk in every tree."
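The integer truncation described in the reply above, as an added stand-alone model (this is not NetBSD's code and not part of the PR): a 20-bit minor is divided by MAXPARTITIONS to get a unit, the unit is stored in a 16-bit signed cf_unit, and a lookup that only checks unit < cd_ndevs then indexes cd_devs with a negative value. MAXPARTITIONS = 16 is assumed because the post says the 20-bit minor yields a 16-bit unit on amd64; the struct names, minor_of() and device_lookup_checked() are simplified stand-ins, not the kernel's real definitions.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the arithmetic in the PR (not NetBSD's headers). */
#define MAXPARTITIONS 16                 /* assumed amd64 value: 20-bit/16 = 16-bit unit */
#define MINOR_BITS    20                 /* "minor(x) is a 20-bit unsigned integer" */
#define MINOR_MASK    ((1u << MINOR_BITS) - 1)

/* Hypothetical minor(): takes a raw minor number and keeps the low 20 bits. */
static unsigned minor_of(uint32_t minor) { return minor & MINOR_MASK; }

unsigned disk_unit(uint32_t minor) { return minor_of(minor) / MAXPARTITIONS; }
unsigned disk_part(uint32_t minor) { return minor_of(minor) % MAXPARTITIONS; }

/* Simplified stand-ins for autoconf's cfdata / cfdriver. */
struct cfdata   { short cf_unit; };       /* 16-bit signed, as the report states */
struct cfdriver { int cd_ndevs; void **cd_devs; };

/* Reproduces the defect: storing the unit in the 16-bit signed field.
 * On two's-complement targets 32768 becomes -32768. */
short store_unit_as_cf_unit(unsigned unit) {
    struct cfdata cf;
    cf.cf_unit = (short)unit;
    return cf.cf_unit;
}

/* Check a practitioner would want before the store: does the unit fit? */
int unit_fits_cf_unit(unsigned unit) { return unit <= (unsigned)SHRT_MAX; }

/* Hardened lookup: "unit < cd_ndevs" alone admits every negative unit
 * and a NULL cd_devs (cd_ndevs == 0 initially), so reject all three cases. */
void *device_lookup_checked(const struct cfdriver *cd, int unit) {
    if (unit < 0 || unit >= cd->cd_ndevs || cd->cd_devs == NULL)
        return NULL;
    return cd->cd_devs[unit];
}

/* Test helper: a driver with ndevs attached units (0..ndevs-1), or none.
 * Returns 1 if the checked lookup yields a device for the given unit. */
int checked_lookup_finds(int ndevs, int unit) {
    static int slots[4];
    void *devs[4] = { &slots[0], &slots[1], &slots[2], &slots[3] };
    struct cfdriver cd = { ndevs, ndevs > 0 ? devs : NULL };
    if (ndevs > 4) return 0;               /* constructed table holds at most 4 */
    return device_lookup_checked(&cd, unit) != NULL;
}

int main(void) {
    uint32_t minor = 524289;               /* rsd0j from the PR listing */
    unsigned unit = disk_unit(minor);
    printf("minor %u -> unit %u part %u, cf_unit %d, fits=%d\n",
           minor, unit, disk_part(minor),
           store_unit_as_cf_unit(unit), unit_fits_cf_unit(unit));
    printf("checked lookup on empty driver: %s\n",
           checked_lookup_finds(0, store_unit_as_cf_unit(unit)) ? "found" : "rejected");
    return 0;
}
```

The unsigned unit 32768 is the same bit pattern as the short -32768, which is why the bare `unit < cd_ndevs` test passes; the checked lookup rejects the sign flip, the empty array and any unit past cd_ndevs rather than relying on the caller.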