[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
kern/41070: bad adjustment of iov len in swcr_compdec can panic kernel
>Synopsis: bad adjustment of iov len in swcr_compdec can panic kernel
>Arrival-Date: Tue Mar 24 23:45:01 +0000 2009
>Originator: Thor Lancelot Simon
>Release: NetBSD 5.0_RC2
System: NetBSD panix5.panix.com 5.0_RC2 NetBSD 5.0_RC2 (PANIX-XEN3U-USER-pae)
#1: Sat Feb 21 20:24:11 EST 2009
In cryptosoft.c (the software backend for /dev/crypto), when
handling a request submitted in an iovec, the length field is
adjusted, analogously to the same operation for a request submitted
in an mbuf. When the requests were allocated with malloc, this was
mostly harmless. Now that they are allocated with kmem_alloc, it
can cause a kernel panic on request free (request completion).
This is an uncommon problem as few transforms can actually change
the result size, and the main one involved (deflate) is called in
the stock NetBSD kernel only from the IPcomp code, which submits
requests in mbufs. But it is still a bug, and is serious if one
Submit a compression request in an iovec.
Don't change the length to be freed!
Main Index |
Thread Index |