git.proxmox.com Git - mirror_zfs.git/commit

author	Ned Bass <bass6@llnl.gov>
	Wed, 30 Dec 2015 02:41:22 +0000 (18:41 -0800)
committer	Brian Behlendorf <behlendorf1@llnl.gov>
	Wed, 30 Dec 2015 21:20:12 +0000 (13:20 -0800)
commit	43b4935e5358806de18461f3ee92e07c67071eb5
tree	a9e96aadde616d25cf0e9868ee5778f19efd5899	tree
parent	23de906c72946da56a54f75238693e186d44d6e2	commit \| diff

Prevent SA length overflow

The function sa_update() accepts a 32-bit length parameter and
assigns it to a 16-bit field in sa_bulk_attr_t, potentially
truncating the passed-in value. This could lead to corrupt system
attribute (SA) records getting written to the pool. Add a VERIFY to
sa_update() to detect cases where overflow would occur. The SA length
is limited to 16-bit values by the on-disk format defined by
sa_hdr_phys_t.

The function zfs_sa_set_xattr() is vulnerable to this bug if the
unpacked nvlist of xattrs is less than 64k in size but the packed
size is greater than 64k. Fix this by appropriately checking the
size of the packed nvlist before calling sa_update(). Add error
handling to zpl_xattr_set_sa() to keep the cached list of SA-based
xattrs consistent with the data on disk.

Lastly, zfs_sa_set_xattr() calls dmu_tx_abort() on an assigned
transaction if sa_update() returns an error, but the DMU only allows
unassigned transactions to be aborted. Wrap the sa_update() call in a
VERIFY0, remove the transaction abort, and call dmu_tx_commit()
unconditionally. This is consistent practice with other callers
of sa_update().

Signed-off-by: Ned Bass <bass6@llnl.gov>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Richard Yao <ryao@gentoo.org>
Closes #4150

include/sys/sa.h		diff \| blob \| blame \| history
module/zfs/sa.c		diff \| blob \| blame \| history
module/zfs/zfs_sa.c		diff \| blob \| blame \| history
module/zfs/zpl_xattr.c		diff \| blob \| blame \| history