Source-Changes-HG archive


[src/trunk]: src/sys/arch/i386/i386 x86_copyargs takes as third argument a si...



details:   https://anonhg.NetBSD.org/src/rev/97360a5fe5a7
branches:  trunk
changeset: 347782:97360a5fe5a7
user:      maxv <maxv%NetBSD.org@localhost>
date:      Fri Sep 16 12:28:41 2016 +0000

description:
x86_copyargs takes as third argument a size, but still copies two chunks of
16 and 24 bytes, without checking the userland<->kernel limit accordingly.
Fix it by just checking the maximum size directly.

It means that even if 16 bytes are copied, the kernel now makes sure 40
bytes are in userland. We could make it more fine-grained, but it would
probably unoptimize the function, and we don't care enough.

diffstat:

 sys/arch/i386/i386/copy.S |  15 +++++++++------
 1 files changed, 9 insertions(+), 6 deletions(-)

diffs (39 lines):

diff -r b38f6bda58cb -r 97360a5fe5a7 sys/arch/i386/i386/copy.S
--- a/sys/arch/i386/i386/copy.S Fri Sep 16 11:48:10 2016 +0000
+++ b/sys/arch/i386/i386/copy.S Fri Sep 16 12:28:41 2016 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: copy.S,v 1.24 2016/05/13 13:24:01 maxv Exp $   */
+/*     $NetBSD: copy.S,v 1.25 2016/09/16 12:28:41 maxv Exp $   */
 /*     NetBSD: locore.S,v 1.34 2005/04/01 11:59:31 yamt Exp $  */
 
 /*-
@@ -65,7 +65,7 @@
  */
 
 #include <machine/asm.h>
-__KERNEL_RCSID(0, "$NetBSD: copy.S,v 1.24 2016/05/13 13:24:01 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: copy.S,v 1.25 2016/09/16 12:28:41 maxv Exp $");
 
 #include "assym.h"
 
@@ -687,13 +687,16 @@
        movl    16(%esp),%ecx
 
        /*
-        * We check that the end of the destination buffer is not past the end
-        * of the user's address space.  If it's not, then we only need to
-        * check that each page is readable, and the CPU will do that for us.
+        * In this function, we may copy more than the size given in the third
+        * argument. In order to make sure the real end of the destination
+        * buffer is not past the end of the user's address space, we don't
+        * check the third argument but rather the largest possible size, which
+        * is:
+        *      (2 + SYS_MAXSYSARGS) * 4 = 10 * 4
         */
 .Lx86_copyargs_start:
        movl    %esi,%eax
-       addl    %ecx,%eax
+       addl    $(10 * 4),%eax
        jc      _C_LABEL(x86_copyargs_efault)
        cmpl    $VM_MAXUSER_ADDRESS,%eax
        ja      _C_LABEL(x86_copyargs_efault)
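Review bot: the new bound at `addl $(10 * 4),%eax` hard-codes the value that the comment above derives symbolically as `(2 + SYS_MAXSYSARGS) * 4`, so if SYS_MAXSYSARGS ever changes, the comment and the check silently diverge while the copy below may still use the larger value. Prefer writing the operand as the expression itself, e.g. `addl $((2 + SYS_MAXSYSARGS) * 4),%eax`, if the constant is visible to the assembler through the included headers (assym.h is already pulled in above), or otherwise add a compile-time assertion tying the literal 40 to SYS_MAXSYSARGS. Also worth confirming during review: the third argument loaded into %ecx at `movl 16(%esp),%ecx` is no longer part of the bounds check, so the copy sequence that follows (not in this hunk) must never move more than the 40 bytes this check covers.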
