Subject: Re: kern/35278: veriexec sometimes feeds user va to log(9)
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: Elad Efrat <elad@NetBSD.org>
List: netbsd-bugs
Date: 12/19/2006 06:20:05
The following reply was made to PR kern/35278; it has been noted by GNATS.

From: Elad Efrat <elad@NetBSD.org>
To: gnats-bugs@NetBSD.org
Cc: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
Subject: Re: kern/35278: veriexec sometimes feeds user va to log(9)
Date: Tue, 19 Dec 2006 08:16:26 +0200

 this is probably because we pass 'ni_dirp' in sys_unlink; possibly other
 places too.
 
 -e.
 
 yamt@mwd.biglobe.ne.jp wrote:
 >> Number:         35278
 >> Category:       kern
 >> Synopsis:       veriexec sometimes feeds user va to log(9)
 >> Confidential:   no
 >> Severity:       critical
 >> Priority:       medium
 >> Responsible:    kern-bug-people
 >> State:          open
 >> Class:          sw-bug
 >> Submitter-Id:   net
 >> Arrival-Date:   Tue Dec 19 06:05:00 +0000 2006
 >> Originator:     YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
 >> Release:        NetBSD 4.99.6
 >> Organization:
 > 	
 >> Environment:
 > 	
 > 	
 > System: NetBSD bear.yamanet 4.99.6 NetBSD 4.99.6 (build.bear3) #3: Sat Dec 16 01:25:17 JST 2006 takashi@kaeru:/usr/home/takashi/work/kernel/build.bear3 i386
 > Architecture: i386
 > Machine: i386
 >> Description:
 > 	veriexec sometimes feeds user va to log(9).
 > 
 >> How-To-Repeat:
 > 	run it on m68k?  or run it on i386 with the following patch.
 > 
 > Index: subr_prf.c
 > ===================================================================
 > --- subr_prf.c	(revision 1785)
 > +++ subr_prf.c	(working copy)
 > @@ -1238,6 +1238,9 @@ reswitch:	switch (ch) {
 >  			if ((cp = va_arg(ap, char *)) == NULL)
 >  				/*XXXUNCONST*/
 >  				cp = __UNCONST("(null)");
 > +#if defined(__i386__)
 > +			KASSERT(VM_MIN_KERNEL_ADDRESS <= (vaddr_t)cp);
 > +#endif
 >  			if (prec >= 0) {
 >  				/*
 >  				 * can't use strlen; can only look for the
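 Review bot: the `KASSERT(VM_MIN_KERNEL_ADDRESS <= (vaddr_t)cp)` added in the string-argument case is guarded by `#if defined(__i386__)` and tests only the lower bound, so it works as a reproduction aid on i386 but gives no coverage on other ports and carries no comment saying why `cp` must be a kernel address. It also fires only after the pointer has already reached the formatter, so it does not identify which caller supplied the user va. If a check is kept, add a comment stating the invariant and consider a machine-independent form. The fix itself belongs in the caller that passes the user-space string to log(9) (the reply above names 'ni_dirp' in sys_unlink), which should log a kernel copy of the path rather than the user pointer.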
 >> Fix:
 > 	
 > 
 >> Unformatted:
 >  	
 >  	
 > 
 
 
 -- 
 Elad Efrat