From 51ac419dc60d62d91189607ceae5fc011f049651 Mon Sep 17 00:00:00 2001
From: Tom Caputi
Date: Wed, 21 Feb 2018 18:30:01 -0500
Subject: [PATCH] Fix bounds check in zio_crypt_do_objset_hmacs

The current bounds check in zio_crypt_do_objset_hmacs() does not properly handle the possible sizes of the objset_phys_t and can therefore read outside the buffer's memory. If that memory happened to match what the check was actually looking for, the objset would fail to be owned, complaining that the MAC was invalid.

Signed-off-by: Tom Caputi
---
 module/zfs/zio_crypt.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/module/zfs/zio_crypt.c b/module/zfs/zio_crypt.c
index 155bce9fb433..d0b39a3f206c 100644
--- a/module/zfs/zio_crypt.c
+++ b/module/zfs/zio_crypt.c
@@ -1196,13 +1196,17 @@ zio_crypt_do_objset_hmacs(zio_crypt_key_t *key, void *data, uint_t datalen,
 bcopy(raw_portable_mac, portable_mac, ZIO_OBJSET_MAC_LEN);

 /*
- * The local MAC protects the user and group accounting. If these
- * objects are not present, the local MAC is zeroed out.
+ * The local MAC protects the user, group and project accounting.
+ * If these objects are not present, the local MAC is zeroed out.
 */
- if (datalen >= OBJSET_PHYS_SIZE_V2 &&
+ if ((datalen >= OBJSET_PHYS_SIZE_V3 &&
 osp->os_userused_dnode.dn_type == DMU_OT_NONE &&
 osp->os_groupused_dnode.dn_type == DMU_OT_NONE &&
- osp->os_projectused_dnode.dn_type == DMU_OT_NONE) {
+ osp->os_projectused_dnode.dn_type == DMU_OT_NONE) ||
+ (datalen >= OBJSET_PHYS_SIZE_V2 &&
+ osp->os_userused_dnode.dn_type == DMU_OT_NONE &&
+ osp->os_groupused_dnode.dn_type == DMU_OT_NONE) ||
+ (datalen <= OBJSET_PHYS_SIZE_V1)) {
 bzero(local_mac, ZIO_OBJSET_MAC_LEN);
 return (0);
 }
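Review bot: The middle clause, `datalen >= OBJSET_PHYS_SIZE_V2 && ...`, is also true for every V3-sized buffer, so it subsumes the first clause and the `os_projectused_dnode` test never changes the outcome: a V3 objset whose user and group dnodes are `DMU_OT_NONE` gets a zeroed local MAC even when the project dnode is present. If project accounting is meant to be covered by the local MAC, as the updated comment says, bound that clause to the V2 layout, e.g. `(datalen >= OBJSET_PHYS_SIZE_V2 && datalen < OBJSET_PHYS_SIZE_V3 &&`. This assumes V1 < V2 < V3, which the names suggest but the hunk does not show. A length strictly between V1 and V2 falls through to the code after the hunk, so it is worth confirming (or asserting) that callers only pass the three defined sizes. The body of zio_crypt_do_objset_hmacs starts and ends outside this hunk.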