[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
CVS commit: src/sys/miscfs/umapfs
Module Name: src
Committed By: maxv
Date: Mon Aug 11 14:02:14 UTC 2014
1) 'error' is returned while it does not even hold an error code. Which
means that zero is returned, and the kernel keeps mounting (and it
probably ends up in a deadlock/memory corruption somewhere).
2) 'nentries' and 'gnentries' are int and user-controlled, and there's no
check to ensure they are greater than zero. Since they are used to
compute the size of two copyin's, a user can control the copied size
by giving a negative value (like 128-2^29), and thus overwrite kernel
Both triggerable from root only.
To generate a diff of this commit:
cvs rdiff -u -r1.93 -r1.94 src/sys/miscfs/umapfs/umap_vfsops.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Main Index |
Thread Index |