git.proxmox.com Git - mirror_zfs.git/commit
OpenZFS 7263 - deeply nested nvlist can overflow stack
author Matthew Ahrens <mahrens@delphix.com>
Wed, 13 Jan 2016 18:45:08 +0000 (10:45 -0800)
committer Brian Behlendorf <behlendorf1@llnl.gov>
Thu, 11 Aug 2016 22:58:03 +0000 (15:58 -0700)
commit 169ab07cc8b7417c4a93b4496ef4a11e049b5cdc
tree b6d3ae065d91c7326803e5f4cd7d920816bac1ad
parent b320dd91a9262633200c9570442659989a677f0c
OpenZFS 7263 - deeply nested nvlist can overflow stack

nvlist_pack() and nvlist_unpack are implemented recursively, which can
cause the stack to overflow with a deeply nested nvlist; i.e. an nvlist
which contains an nvlist, which contains an nvlist, which...

Unprivileged users can pass an nvlist to the kernel via certain ioctls
on /dev/zfs, which the kernel will unpack without additional permission
checking or validation. Therefore, an unprivileged user can cause the
kernel's stack to overflow and panic.

Ideally, these functions would be implemented non-recursively. As a
quick fix, this patch limits the depth of the recursion and returns an
error when attempting to pack and unpack a deeply-nested nvlist.

Signed-off-by: Adam Leventhal <ahl@delphix.com>
Signed-off-by: George Wilson <george.wilson@delphix.com>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Ported-by: Prakash Surya <prakash.surya@delphix.com>
OpenZFS-issue: https://www.illumos.org/issues/7263
OpenZFS-commit: https://github.com/openzfs/openzfs/commit/0511d6d

module/nvpair/nvpair.c
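
The depth-limiting approach the commit message describes, sketched as an added example (not the OpenZFS code, and not taken from this commit). The toy wire format, the function names and the limit of 20 are assumptions made for illustration; the real nvlist encoding differs.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Toy wire format, constructed for this example (NOT the real nvlist encoding):
 * 0x00 ends a list, 0x01 <val> is a one-byte pair, 0x02 starts a nested list. */
enum { TOY_END = 0x00, TOY_INT = 0x01, TOY_LIST = 0x02 };
/* Hypothetical limit; the page does not state the value the patch uses. */
#define TOY_MAX_DEPTH 20

/* Returns 0 on success; EINVAL on truncation, unknown tag, or excess nesting. */
static int toy_unpack_depth(const uint8_t *buf, size_t len, size_t *pos, int depth)
{
	if (depth > TOY_MAX_DEPTH)
		return (EINVAL);	/* refuse before recursing any deeper */
	while (*pos < len) {
		int err;
		switch (buf[(*pos)++]) {
		case TOY_END:
			return (0);
		case TOY_INT:
			if (*pos >= len)
				return (EINVAL);
			(*pos)++;	/* skip the value byte */
			break;
		case TOY_LIST:
			err = toy_unpack_depth(buf, len, pos, depth + 1);
			if (err != 0)
				return (err);
			break;
		default:
			return (EINVAL);
		}
	}
	return (EINVAL);	/* input ended without a list terminator */
}

int toy_unpack(const uint8_t *buf, size_t len)
{
	size_t pos = 0;
	return (toy_unpack_depth(buf, len, &pos, 0));
}

/* Write k levels of nesting into buf (needs 2k + 1 bytes); returns the length. */
size_t toy_make_nested(uint8_t *buf, int k)
{
	memset(buf, TOY_LIST, (size_t)k);
	memset(buf + k, TOY_END, (size_t)k + 1);
	return ((size_t)2 * k + 1);
}
```

Without the depth check, stack use in this decoder grows linearly with attacker-chosen nesting; with it, the worst case is bounded by `TOY_MAX_DEPTH` frames regardless of input size.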