[src/netbsd-9]: src/sys/compat Pull up following revision(s) (requested by ma...
details: https://anonhg.NetBSD.org/src/rev/b451b148a75d
branches: netbsd-9
changeset: 466787:b451b148a75d
user: martin <martin%NetBSD.org@localhost>
date: Thu Jan 02 09:50:34 2020 +0000
description:
Pull up following revision(s) (requested by maxv in ticket #597):
sys/compat/common/kern_sig_43.c: revision 1.36
sys/compat/netbsd32/netbsd32_compat_20.c: revision 1.39
sys/compat/netbsd32/netbsd32_compat_43.c: revision 1.59
sys/compat/netbsd32/netbsd32_compat_50.c: revision 1.44
Fix sizeof mismatch in copyin. This leads to a user-triggerable stack
overflow. On my test build at least, by luck, the compiler orders the
variables in a way that the overflow hits only local structures which
haven't yet been initialized and used, so the overflow is harmless.
Very easily visible with kASan - just invoke the syscall from a 32bit
binary.
Fix three stack info leaks, found by kMSan when just invoking all syscalls
with a zero page as argument.
MSan: Uninitialized Stack Memory In copyout() At Offset 0, Variable 'sb32' From compat_20_netbsd32_getfsstat()
MSan: Uninitialized Stack Memory In copyout() At Offset 12, Variable 'oss' From compat_43_sys_sigstack()
MSan: Uninitialized Stack Memory In copyout() At Offset 0, Variable 'sb' From compat_50_netbsd32___fhstat40()
diffstat:
sys/compat/common/kern_sig_43.c | 5 +++--
sys/compat/netbsd32/netbsd32_compat_20.c | 5 +++--
sys/compat/netbsd32/netbsd32_compat_43.c | 8 ++++----
sys/compat/netbsd32/netbsd32_compat_50.c | 8 ++++----
4 files changed, 14 insertions(+), 12 deletions(-)
diffs (118 lines):
diff -r 36d3c3855f4d -r b451b148a75d sys/compat/common/kern_sig_43.c
--- a/sys/compat/common/kern_sig_43.c Thu Jan 02 09:47:05 2020 +0000
+++ b/sys/compat/common/kern_sig_43.c Thu Jan 02 09:50:34 2020 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: kern_sig_43.c,v 1.35 2019/01/27 02:08:39 pgoyette Exp $ */
+/* $NetBSD: kern_sig_43.c,v 1.35.4.1 2020/01/02 09:50:34 martin Exp $ */
/*-
* Copyright (c) 1998 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_sig_43.c,v 1.35 2019/01/27 02:08:39 pgoyette Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_sig_43.c,v 1.35.4.1 2020/01/02 09:50:34 martin Exp $");
#if defined(_KERNEL_OPT)
#include "opt_compat_netbsd.h"
@@ -128,6 +128,7 @@
void
compat_43_sigaltstack_to_sigstack(const struct sigaltstack *sa, struct sigstack *ss)
{
+ memset(ss, 0, sizeof(*ss));
ss->ss_sp = sa->ss_sp;
if (sa->ss_flags & SS_ONSTACK)
ss->ss_onstack = 1;
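Review bot: The added `memset(ss, 0, sizeof(*ss));` carries no comment explaining why it is needed, and because the visible fields are assigned explicitly right after it, a later cleanup could remove it as redundant. The commit message ties it to kMSan reporting uninitialized bytes at offset 12 of `oss` in compat_43_sys_sigstack(), which is presumably padding after `ss_onstack`. I would add `/* Zero the whole struct, padding included: the caller copies it out to userland. */` above the call. The function body continues past the end of this hunk.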
diff -r 36d3c3855f4d -r b451b148a75d sys/compat/netbsd32/netbsd32_compat_20.c
--- a/sys/compat/netbsd32/netbsd32_compat_20.c Thu Jan 02 09:47:05 2020 +0000
+++ b/sys/compat/netbsd32/netbsd32_compat_20.c Thu Jan 02 09:50:34 2020 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: netbsd32_compat_20.c,v 1.38 2019/01/27 02:08:40 pgoyette Exp $ */
+/* $NetBSD: netbsd32_compat_20.c,v 1.38.4.1 2020/01/02 09:50:34 martin Exp $ */
/*
* Copyright (c) 1998, 2001 Matthew R. Green
@@ -27,7 +27,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: netbsd32_compat_20.c,v 1.38 2019/01/27 02:08:40 pgoyette Exp $");
+__KERNEL_RCSID(0, "$NetBSD: netbsd32_compat_20.c,v 1.38.4.1 2020/01/02 09:50:34 martin Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -57,6 +57,7 @@
static inline void
compat_20_netbsd32_from_statvfs(struct statvfs *sbp, struct netbsd32_statfs *sb32p)
{
+ sb32p->f_type = 0; /* XXX Put an actual value? */
sb32p->f_flags = sbp->f_flag;
sb32p->f_bsize = (netbsd32_long)sbp->f_bsize;
sb32p->f_iosize = (netbsd32_long)sbp->f_iosize;
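Review bot: Assigning only `f_type` closes the one gap kMSan reported, but the structure is still filled member by member, so any member or padding this function does not assign would still reach copyout() uninitialized. The rest of the body lies outside the hunk, so I cannot confirm that every member is covered. Making `memset(sb32p, 0, sizeof(*sb32p));` the first statement would remove the dependence on the struct layout and match the kern_sig_43.c fix in this same commit. The same guard applies to `sb32` in the netbsd32_compat_50.c hunk: zero it before `netbsd32_from___stat50(&sb, &sb32)` unless that helper is known to write every byte.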
diff -r 36d3c3855f4d -r b451b148a75d sys/compat/netbsd32/netbsd32_compat_43.c
--- a/sys/compat/netbsd32/netbsd32_compat_43.c Thu Jan 02 09:47:05 2020 +0000
+++ b/sys/compat/netbsd32/netbsd32_compat_43.c Thu Jan 02 09:50:34 2020 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: netbsd32_compat_43.c,v 1.57.4.1 2019/09/13 06:25:26 martin Exp $ */
+/* $NetBSD: netbsd32_compat_43.c,v 1.57.4.2 2020/01/02 09:50:34 martin Exp $ */
/*
* Copyright (c) 1998, 2001 Matthew R. Green
@@ -27,7 +27,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: netbsd32_compat_43.c,v 1.57.4.1 2019/09/13 06:25:26 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: netbsd32_compat_43.c,v 1.57.4.2 2020/01/02 09:50:34 martin Exp $");
#if defined(_KERNEL_OPT)
#include "opt_compat_43.h"
@@ -433,7 +433,7 @@
struct iovec *iov, aiov[UIO_SMALLIOV];
int error;
- error = copyin(SCARG_P32(uap, msg), &omsg, sizeof (struct omsghdr));
+ error = copyin(SCARG_P32(uap, msg), &omsg, sizeof(omsg));
if (error)
return (error);
@@ -518,7 +518,7 @@
struct sockaddr *sa;
int error;
- error = copyin(SCARG_P32(uap, msg), &omsg, sizeof (struct omsghdr));
+ error = copyin(SCARG_P32(uap, msg), &omsg, sizeof(omsg));
if (error != 0)
return (error);
diff -r 36d3c3855f4d -r b451b148a75d sys/compat/netbsd32/netbsd32_compat_50.c
--- a/sys/compat/netbsd32/netbsd32_compat_50.c Thu Jan 02 09:47:05 2020 +0000
+++ b/sys/compat/netbsd32/netbsd32_compat_50.c Thu Jan 02 09:50:34 2020 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: netbsd32_compat_50.c,v 1.39.2.1 2019/12/18 20:04:32 martin Exp $ */
+/* $NetBSD: netbsd32_compat_50.c,v 1.39.2.2 2020/01/02 09:50:34 martin Exp $ */
/*-
* Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -29,7 +29,7 @@
* POSSIBILITY OF SUCH DAMAGE.
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: netbsd32_compat_50.c,v 1.39.2.1 2019/12/18 20:04:32 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: netbsd32_compat_50.c,v 1.39.2.2 2020/01/02 09:50:34 martin Exp $");
#if defined(_KERNEL_OPT)
#include "opt_compat_netbsd.h"
@@ -795,9 +795,9 @@
int error;
error = do_fhstat(l, SCARG_P32(uap, fhp), SCARG(uap, fh_size), &sb);
- if (error != 0) {
+ if (error == 0) {
netbsd32_from___stat50(&sb, &sb32);
- error = copyout(&sb32, SCARG_P32(uap, sb), sizeof(sb));
+ error = copyout(&sb32, SCARG_P32(uap, sb), sizeof(sb32));
}
return error;
}