OpenSolaris

Bug ID 6532979
Synopsis bad argument to ZFS_IOC_VDEV_ATTACH can panic system
State 10-Fix Delivered (Fix available in build)
Category:Subcategory kernel:zfs
Keywords
Responsible Engineer Eric Schrock
Reported Against
Duplicate Of
Introduced In solaris_nevada
Commit to Fix snv_68
Fixed In snv_68
Release Fixed solaris_nevada(snv_68) , solaris_10u6(s10u6_01) (Bug ID:2156319)
Related Bugs
Submit Date 9-March-2007
Last Update Date 29-April-2008
Description
Passing a valid but malformed nvlist to ZFS_IOC_VDEV_ATTACH
can panic the system due to an uninitialized variable.  In
spa_vdev_attach(), we have:

        if ((error = spa_config_parse(spa, &newrootvd, nvroot, NULL, 0,
            VDEV_ALLOC_ADD)) != 0 || newrootvd->vdev_children != 1)
                return (spa_vdev_exit(spa, newrootvd, txg, EINVAL));

Here, 'newrootvd' is an uninitialized variable on the stack.  However,
spa_config_parse() can return failure without changing 'newrootvd',
so we end up with whatever garbage is on the stack, and die in
spa_vdev_exit().  All consumers of spa_config_parse() should be
scrubbed for similar faulty logic.

Thankfully, PRIV_SYS_CONFIG is required to get to this point, so an
unprivileged user can't bring down the system.
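The defect pattern above, as an added example that is not part of the bug report and not OpenSolaris code: a user-space model in which vdev_t, spa_config_parse() and spa_vdev_exit() borrow their names from the report but have constructed bodies that keep only the behaviour the bug depends on. Because dereferencing a genuinely uninitialized pointer is undefined behaviour, the buggy variant seeds the local with a labelled sentinel so the run is deterministic and the model's spa_vdev_exit() reports "would panic" instead of crashing; the assumption that the real spa_vdev_exit() tolerates a NULL vdev is the model's, not the report's.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Constructed model of the spa_vdev_attach() error path from the report.
 * vdev_t, spa_config_parse() and spa_vdev_exit() are named after the ZFS
 * routines the report mentions, but their bodies are stand-ins that keep
 * only the behaviour the bug depends on; nothing here is ZFS code.
 */
typedef struct vdev {
	int	vdev_children;
} vdev_t;

/* Stand-in for whatever happens to be on the stack (constructed value). */
#define	STACK_GARBAGE	((vdev_t *)(uintptr_t)0xdeadbeef)

/* Model result meaning "the kernel would have dereferenced garbage". */
#define	WOULD_PANIC	(-1)

/*
 * Model of spa_config_parse(): a malformed config fails with EINVAL and,
 * as the report notes, *vdp is left untouched on that path.
 */
static int
spa_config_parse(int valid, int children, vdev_t **vdp)
{
	vdev_t *vd;

	if (!valid)
		return (EINVAL);
	if ((vd = malloc(sizeof (vdev_t))) == NULL)
		return (ENOMEM);
	vd->vdev_children = children;
	*vdp = vd;
	return (0);
}

/*
 * Model of spa_vdev_exit(): releases the vdev and returns the error.
 * Tolerating NULL is assumed of the real routine; the sentinel check
 * stands in for the crash so the example can run in user space.
 */
static int
spa_vdev_exit(vdev_t *vd, int error)
{
	if (vd == STACK_GARBAGE)
		return (WOULD_PANIC);	/* real code: vdev_free() on garbage */
	if (vd != NULL)
		free(vd);
	return (error);
}

/* The condition quoted in the report; the local is seeded, not left uninitialized. */
int
attach_buggy(int valid, int children)
{
	vdev_t *newrootvd = STACK_GARBAGE;	/* uninitialized in the real code */
	int error;

	/* On parse failure '||' short-circuits, so the deref is skipped ... */
	if ((error = spa_config_parse(valid, children, &newrootvd)) != 0 ||
	    newrootvd->vdev_children != 1)
		return (spa_vdev_exit(newrootvd, EINVAL));	/* ... but garbage goes here */

	return (spa_vdev_exit(newrootvd, 0));
}

/* Hardened form: initialize the local and settle the parse result first. */
int
attach_fixed(int valid, int children)
{
	vdev_t *newrootvd = NULL;	/* nothing downstream ever sees garbage */
	int error;

	if ((error = spa_config_parse(valid, children, &newrootvd)) != 0)
		return (spa_vdev_exit(NULL, EINVAL));	/* parse set nothing up */
	if (newrootvd->vdev_children != 1)
		return (spa_vdev_exit(newrootvd, EINVAL));

	return (spa_vdev_exit(newrootvd, 0));
}

int
main(void)
{
	printf("buggy, malformed config: %d (%d = would panic)\n",
	    attach_buggy(0, 1), WOULD_PANIC);
	printf("fixed, malformed config: %d (EINVAL = %d)\n",
	    attach_fixed(0, 1), EINVAL);
	return (0);
}
```

Two things make the hardened form safe: the out-pointer local starts as NULL, so the teardown routine is never handed stack contents, and the parse result is checked before the vdev is touched, so a reader can see at a glance which objects exist on each error path. The report's call to scrub every consumer of spa_config_parse() points at a third option with the same effect: have the parse routine itself set *vdp to NULL on entry, so a caller that forgets the initialization still cannot leak garbage into the exit path.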
Work Around
N/A
Comments
N/A