ffs: Avoid out-of-bounds accesses in the fs_active bitmap

We use a bitmap to track which cylinder groups have changed between snapshot creation and filesystem suspension. The "legs" of the bitmap are four bytes wide (see ACTIVESET()) so we must round up the allocation size to a multiple of four bytes. I believe this bug is harmless since UMA/kmem_* will both pad the allocation and zero the full allocation. Note that malloc() does inline zeroing when the allocation size is known at compile-time. Reported by: pho (using KASAN) Reviewed by: kib, mckusick MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D27731
2020-12-23 11:13:00 -05:00 · 2020-12-23 11:13:00 -05:00 · ace3d9475c
commit ace3d9475c
parent 0120603891
1 changed files with 2 additions and 2 deletions
--- a/sys/ufs/ffs/ffs_snapshot.c
+++ b/sys/ufs/ffs/ffs_snapshot.c
@ -385,8 +385,8 @@ restart:
 	 * touch up the few cylinder groups that changed during
 	 * the suspension period.
 	 */
-	len = howmany(fs->fs_ncg, NBBY);
-	space = malloc(len, M_DEVBUF, M_WAITOK|M_ZERO);
+	len = roundup2(howmany(fs->fs_ncg, NBBY), sizeof(int));
+	space = malloc(len, M_DEVBUF, M_WAITOK | M_ZERO);
 	UFS_LOCK(ump);
 	fs->fs_active = space;
 	UFS_UNLOCK(ump);