Source-Changes archive


CVS commit: [netbsd-6] src/sys



Module Name:    src
Committed By:   msaitoh
Date:           Wed Aug 27 14:53:26 UTC 2014

Modified Files:
        src/sys/fs/ptyfs [netbsd-6]: ptyfs_vfsops.c
        src/sys/miscfs/umapfs [netbsd-6]: umap_vfsops.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1115):
        sys/miscfs/umapfs/umap_vfsops.c: revision 1.94
        sys/fs/ptyfs/ptyfs_vfsops.c: revision 1.52
Overflow if *data_len == OSIZE and args->version >= PTYFS_ARGSVERSION.
Sent on tech-kern@, ok christos@
1) 'error' is returned while it does not even hold an error code, which
   means that zero is returned, and the kernel keeps mounting (and it
   probably ends up in a deadlock/memory corruption somewhere).
2) 'nentries' and 'gnentries' are int and user-controlled, and there's no
   check to ensure they are greater than zero. Since they are used to
   compute the size of two copyins, a user can control the copied size
   by giving a negative value (like 128-2^29), and thus overwrite kernel
   memory.
Both triggerable from root only.


To generate a diff of this commit:
cvs rdiff -u -r1.42.18.2 -r1.42.18.3 src/sys/fs/ptyfs/ptyfs_vfsops.c
cvs rdiff -u -r1.86.14.1 -r1.86.14.2 src/sys/miscfs/umapfs/umap_vfsops.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
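Added example, not part of the commit or of the NetBSD sources: a constructed model of the second issue in the log, a signed entry count that is only checked against an upper bound and then used to compute a copy length. Assumed constants: a table of 64 entries of two 32-bit words, and 32-bit unsigned size arithmetic as on a 32-bit kernel.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the pattern in the commit log, not the umapfs
 * source. Assumed: a fixed table of MAX_ENTRIES mappings, each two
 * 32-bit words, and a 32-bit unsigned length as on a 32-bit kernel. */
#define MAX_ENTRIES 64
#define ENTRY_BYTES (2 * sizeof(uint32_t))
#define TABLE_BYTES (MAX_ENTRIES * ENTRY_BYTES)

/* Buggy validation: only an upper bound, so a negative count passes,
 * and the copy length computed from it wraps modulo 2^32 to a small
 * positive number that can still be larger than the table. */
static int copy_len_buggy(int nentries, uint32_t *len) {
    if (nentries > MAX_ENTRIES)
        return EINVAL;
    *len = (uint32_t)nentries * (uint32_t)ENTRY_BYTES;  /* wraps for n < 0 */
    return 0;
}

/* Fixed validation: reject negatives before any size arithmetic, so the
 * count is known to lie in [0, MAX_ENTRIES] and the length can never
 * exceed the table. */
static int copy_len_fixed(int nentries, uint32_t *len) {
    if (nentries < 0 || nentries > MAX_ENTRIES)
        return EINVAL;
    *len = (uint32_t)nentries * (uint32_t)ENTRY_BYTES;
    return 0;
}

/* Returns 1 if the buggy check accepts the count and the resulting copy
 * length would overrun the table, 0 otherwise. */
static int buggy_accepts_and_overflows(int nentries) {
    uint32_t len;
    return copy_len_buggy(nentries, &len) == 0 && len > TABLE_BYTES;
}

int main(void) {
    int bad = 128 - (1 << 29);   /* the value cited in the commit log */
    uint32_t len;
    if (copy_len_buggy(bad, &len) == 0)
        printf("buggy: accepted %d, copy length %u bytes (table is %zu)\n",
               bad, len, (size_t)TABLE_BYTES);
    printf("fixed: %s\n", copy_len_fixed(bad, &len) == EINVAL ? "rejected" : "accepted");
    return 0;
}
```

With the cited value the buggy path computes a 1024-byte copy into a 512-byte table, which is why checking the upper bound alone is not enough.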