OpenZFS 6876 - Stack corruption after importing a pool with a too-long name

Reviewed by: Prakash Surya <prakash.surya@delphix.com>
Reviewed by: Dan Kimmel <dan.kimmel@delphix.com>
Reviewed by: George Wilson <george.wilson@delphix.com>
Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com>
Ported-by: Brian Behlendorf <behlendorf1@llnl.gov>
Calling dsl_dataset_name on a dataset with a 256 byte buffer is asking
for trouble. We should check every dataset on import, using a 1024 byte
buffer and checking each time to see if the dataset's new name is longer
than 256 bytes.

OpenZFS-issue: https://www.illumos.org/issues/6876
OpenZFS-commit: https://github.com/openzfs/openzfs/commit/ca8674e

diff --git a/lib/libzfs/libzfs_pool.c b/lib/libzfs/libzfs_pool.c
index 0a9780733fae85906fa5d7e5aedf963cb84e4278..2484ddc12a58b131855227bf77c45ea99080ada5 100644 (file)
--- a/lib/libzfs/libzfs_pool.c
+++ b/lib/libzfs/libzfs_pool.c
@@ -1907,7 +1907,12 @@ zpool_import_props(libzfs_handle_t *hdl, nvlist_t *config, const char *newname,
                            "one or more devices are already in use\n"));
                        (void) zfs_error(hdl, EZFS_BADDEV, desc);
                        break;
-
+               case ENAMETOOLONG:
+                       zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
+                           "new name of at least one dataset is longer than "
+                           "the maximum allowable length"));
+                       (void) zfs_error(hdl, EZFS_NAMETOOLONG, desc);
+                       break;
                default:
                        (void) zpool_standard_error(hdl, error, desc);
                        zpool_explain_recover(hdl,

diff --git a/module/zfs/spa.c b/module/zfs/spa.c
index 9570204f4274a5aa1a28921ef960ecaeb3480e36..26181af84fb9fbe9b0cf6bbc3c5982a51e00cc94 100644 (file)
--- a/module/zfs/spa.c
+++ b/module/zfs/spa.c
@@ -2016,6 +2016,16 @@ spa_load_verify_cb(spa_t *spa, zilog_t *zilog, const blkptr_t *bp,
        return (0);
 }
 
+/* ARGSUSED */
+int
+verify_dataset_name_len(dsl_pool_t *dp, dsl_dataset_t *ds, void *arg)
+{
+       if (dsl_dataset_namelen(ds) >= ZFS_MAX_DATASET_NAME_LEN)
+               return (SET_ERROR(ENAMETOOLONG));
+
+       return (0);
+}
+
 static int
 spa_load_verify(spa_t *spa)
 {
@@ -2030,6 +2040,14 @@ spa_load_verify(spa_t *spa)
        if (policy.zrp_request & ZPOOL_NEVER_REWIND)
                return (0);
 
+       dsl_pool_config_enter(spa->spa_dsl_pool, FTAG);
+       error = dmu_objset_find_dp(spa->spa_dsl_pool,
+           spa->spa_dsl_pool->dp_root_dir_obj, verify_dataset_name_len, NULL,
+           DS_FIND_CHILDREN);
+       dsl_pool_config_exit(spa->spa_dsl_pool, FTAG);
+       if (error != 0)
+               return (error);
+
        rio = zio_root(spa, NULL, &sle,
            ZIO_FLAG_CANFAIL | ZIO_FLAG_SPECULATIVE);
 

diff --git a/tests/zfs-tests/tests/functional/cli_root/zpool_import/zpool_import_rename_001_pos.ksh b/tests/zfs-tests/tests/functional/cli_root/zpool_import/zpool_import_rename_001_pos.ksh
index 60ccc0dd6006a346377a5b5a1a9dc43249225bcb..441f7a7ae036e01fad153dd8567bb56e83625d04 100755 (executable)
--- a/tests/zfs-tests/tests/functional/cli_root/zpool_import/zpool_import_rename_001_pos.ksh
+++ b/tests/zfs-tests/tests/functional/cli_root/zpool_import/zpool_import_rename_001_pos.ksh
@@ -26,7 +26,7 @@
 #
 
 #
-# Copyright (c) 2012 by Delphix. All rights reserved.
+# Copyright (c) 2012, 2015 by Delphix. All rights reserved.
 #
 
 . $STF_SUITE/include/libtest.shlib
@@ -92,6 +92,8 @@ function cleanup
 
        [[ -d $ALTER_ROOT ]] && \
                log_must $RM -rf $ALTER_ROOT
+       [[ -e $VDEV_FILE ]] && \
+               log_must $RM $VDEV_FILE
 }
 
 log_onexit cleanup
@@ -159,4 +161,13 @@ while (( i < ${#pools[*]} )); do
        ((i = i + 1))
 done
 
+VDEV_FILE=$(mktemp /tmp/tmp.XXXXXX)
+
+log_must $MKFILE -n 128M $VDEV_FILE
+log_must $ZPOOL create testpool $VDEV_FILE
+log_must $ZFS create testpool/testfs
+ID=$($ZPOOL get -Ho value guid testpool)
+log_must $ZPOOL export testpool
+log_mustnot $ZPOOL import $(echo $ID) $($PRINTF "%*s\n" 250 "" | $TR ' ' 'c')
+
 log_pass "Successfully imported and renamed a ZPOOL"