Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/sys/compat/netbsd32 Fix sizeof mismatch in copyin. This lead...



details:   https://anonhg.NetBSD.org/src/rev/509d53d3a2dc
branches:  trunk
changeset: 968031:509d53d3a2dc
user:      maxv <maxv%NetBSD.org@localhost>
date:      Wed Jan 01 09:17:45 2020 +0000

description:
Fix sizeof mismatch in copyin. This leads to a user-triggerable stack
overflow. On my test build at least, by luck, the compiler orders the
variables in a way that the overflow hits only local structures which
haven't yet been initialized and used, so the overflow is harmless.

Very easily seeable with kASan - just invoke the syscall from a 32bit
binary.

diffstat:

 sys/compat/netbsd32/netbsd32_compat_43.c |  8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diffs (36 lines):

diff -r 1faa2a2a41c3 -r 509d53d3a2dc sys/compat/netbsd32/netbsd32_compat_43.c
--- a/sys/compat/netbsd32/netbsd32_compat_43.c  Wed Jan 01 09:17:27 2020 +0000
+++ b/sys/compat/netbsd32/netbsd32_compat_43.c  Wed Jan 01 09:17:45 2020 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: netbsd32_compat_43.c,v 1.58 2019/08/23 13:59:45 maxv Exp $     */
+/*     $NetBSD: netbsd32_compat_43.c,v 1.59 2020/01/01 09:17:45 maxv Exp $     */
 
 /*
  * Copyright (c) 1998, 2001 Matthew R. Green
@@ -27,7 +27,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: netbsd32_compat_43.c,v 1.58 2019/08/23 13:59:45 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: netbsd32_compat_43.c,v 1.59 2020/01/01 09:17:45 maxv Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_compat_43.h"
@@ -433,7 +433,7 @@
        struct iovec *iov, aiov[UIO_SMALLIOV];
        int error;
 
-       error = copyin(SCARG_P32(uap, msg), &omsg, sizeof (struct omsghdr));
+       error = copyin(SCARG_P32(uap, msg), &omsg, sizeof(omsg));
        if (error)
                return (error);
 
@@ -518,7 +518,7 @@
        struct sockaddr *sa;
        int error;
 
-       error = copyin(SCARG_P32(uap, msg), &omsg, sizeof (struct omsghdr));
+       error = copyin(SCARG_P32(uap, msg), &omsg, sizeof(omsg));
        if (error != 0)
                return (error);
 



Home | Main Index | Thread Index | Old Index