Source-Changes-HG archive
[src/trunk]: src/sys/compat/netbsd32 Fix sizeof mismatch in copyin. This lead...
details: https://anonhg.NetBSD.org/src/rev/a023dc7f1565
branches: trunk
changeset: 1006066:a023dc7f1565
user: maxv <maxv%NetBSD.org@localhost>
date: Wed Jan 01 09:17:45 2020 +0000
description:
Fix sizeof mismatch in copyin. This leads to a user-triggerable stack
overflow. On my test build at least, by luck, the compiler orders the
variables in a way that the overflow hits only local structures which
haven't yet been initialized and used, so the overflow is harmless.
Very easily seeable with kASan - just invoke the syscall from a 32bit
binary.
diffstat:
sys/compat/netbsd32/netbsd32_compat_43.c | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
diffs (36 lines):
diff -r 4bcacdd8403e -r a023dc7f1565 sys/compat/netbsd32/netbsd32_compat_43.c
--- a/sys/compat/netbsd32/netbsd32_compat_43.c Wed Jan 01 09:17:27 2020 +0000
+++ b/sys/compat/netbsd32/netbsd32_compat_43.c Wed Jan 01 09:17:45 2020 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: netbsd32_compat_43.c,v 1.58 2019/08/23 13:59:45 maxv Exp $ */
+/* $NetBSD: netbsd32_compat_43.c,v 1.59 2020/01/01 09:17:45 maxv Exp $ */
/*
* Copyright (c) 1998, 2001 Matthew R. Green
@@ -27,7 +27,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: netbsd32_compat_43.c,v 1.58 2019/08/23 13:59:45 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: netbsd32_compat_43.c,v 1.59 2020/01/01 09:17:45 maxv Exp $");
#if defined(_KERNEL_OPT)
#include "opt_compat_43.h"
@@ -433,7 +433,7 @@
struct iovec *iov, aiov[UIO_SMALLIOV];
int error;
- error = copyin(SCARG_P32(uap, msg), &omsg, sizeof (struct omsghdr));
+ error = copyin(SCARG_P32(uap, msg), &omsg, sizeof(omsg));
if (error)
return (error);
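Review bot: On the changed copyin line, the declaration of omsg falls outside the hunk's context, so the diff alone does not show which type the destination has or how many bytes the old sizeof (struct omsghdr) copied past it. Naming omsg's type in the commit message would make the size of the overflow reviewable. sizeof(omsg) is the right form because it keeps the length tied to the destination object; that only holds while omsg stays an object rather than a pointer, which is worth a short comment at its declaration.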
@@ -518,7 +518,7 @@
struct sockaddr *sa;
int error;
- error = copyin(SCARG_P32(uap, msg), &omsg, sizeof (struct omsghdr));
+ error = copyin(SCARG_P32(uap, msg), &omsg, sizeof(omsg));
if (error != 0)
return (error);
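Review bot: The copyin line here carried the same type-based length as the one in the hunk at -433, which suggests the pattern was copied between functions. It is worth checking the rest of netbsd32_compat_43.c for other copyin or copyout calls whose length is written as sizeof (struct ...) instead of sizeof of the destination variable, and saying in the commit message whether these two were the only instances. The kASan reproduction mentioned in the description, invoking the syscall from a 32bit binary, would serve as a regression test for both call sites.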