7263 deeply nested nvlist can overflow stack #4924

Closed

prakashsurya
Member

nvlist_pack() and nvlist_unpack are implemented recursively, which can
cause the stack to overflow with a deeply nested nvlist; i.e. an nvlist
which contains an nvlist, which contains an nvlist, which...

Unprivileged users can pass an nvlist to the kernel via certain ioctls
on /dev/zfs, which the kernel will unpack without additional permission
checking or validation. Therefore, an unprivileged user can cause the
kernel's stack to overflow and panic.

Ideally, these functions would be implemented non-recursively. As a
quick fix, this patch limits the depth of the recursion and returns an
error when attempting to pack and unpack a deeply-nested nvlist.

Signed-off-by: Adam Leventhal [email protected]
Signed-off-by: George Wilson [email protected]
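
The depth-limiting approach described in the commit message above, as an added example that is not part of the original pull request or the ZFS code: a recursive unpacker for a constructed toy encoding that returns an error once nesting exceeds a limit. The encoding, the `MAX_DEPTH` value and the function names are assumptions made for this illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy encoding, not the nvlist wire format:
 * 0x01 begins a nested list, 0x00 ends a list, 0x02 <byte> is a leaf. */
enum { TAG_END = 0x00, TAG_LIST = 0x01, TAG_LEAF = 0x02 };
#define MAX_DEPTH 16 /* hypothetical limit for this example only */

/* Parse one list body starting at *pos, recursing into nested lists. */
static int unpack_list(const uint8_t *buf, size_t len, size_t *pos, int depth)
{
    if (depth > MAX_DEPTH)
        return EINVAL;          /* refuse before using another stack frame */
    while (*pos < len) {
        uint8_t tag = buf[(*pos)++];
        if (tag == TAG_END)
            return 0;
        if (tag == TAG_LEAF && *pos < len) {
            (*pos)++;           /* skip the leaf's value byte */
        } else if (tag == TAG_LIST) {
            int err = unpack_list(buf, len, pos, depth + 1);
            if (err != 0)
                return err;     /* propagate the error up every level */
        } else {
            return EINVAL;      /* unknown tag or truncated leaf */
        }
    }
    return EINVAL;              /* input ended without an end-of-list tag */
}

/* Entry point: input must be exactly one list; the outermost is depth 1. */
int unpack(const uint8_t *buf, size_t len)
{
    size_t pos = 1;
    if (len == 0 || buf[0] != TAG_LIST)
        return EINVAL;
    int err = unpack_list(buf, len, &pos, 1);
    return (err == 0 && pos != len) ? EINVAL : err;
}

/* Write `depth` nested empty lists into out (2*depth bytes); returns length. */
size_t make_nested(uint8_t *out, int depth)
{
    memset(out, TAG_LIST, (size_t)depth);
    memset(out + depth, TAG_END, (size_t)depth);
    return (size_t)depth * 2;
}
```

Because the check runs on entry to each level, stack use is bounded by `MAX_DEPTH` frames regardless of how deeply the untrusted input is nested.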

@prakashsurya
Member Author

This is a clean cherry pick (apart from using the zfs2zol-patch.sed script to fix paths) of the upstream PR here: openzfs/openzfs#166

@behlendorf
Contributor

Thanks!

@behlendorf
Contributor

Merged as:

169ab07 OpenZFS 7263 - deeply nested nvlist can overflow stack

@behlendorf behlendorf closed this Aug 11, 2016