tech-kern archive
Re: [PATCH] netbsd32 swapctl, round 3
On Sat, Feb 01, 2014 at 08:41:15AM +0000, Emmanuel Dreyfus wrote:
> Hi
>
> Here is my latest attempt at netbsd32 swapctl. I had to make uvm_swap_stats()
> available to emul code, but that seems to be what it was intended for,
> according to comments in the code.
>
> +#ifdef __amd64__
> +static int
> +netbsd32_swapctl_stats(struct lwp *l, struct sys_swapctl_args *uap,
> register_t *retval)
> +{
> + struct swapent *sep;
> + struct netbsd32_swapent *sep32;
> + int count = SCARG(uap, misc);
> + int i, error;
> +
> + sep = kmem_alloc(sizeof(*sep) * count, KM_SLEEP);
> + sep32 = kmem_alloc(sizeof(*sep32) * count, KM_SLEEP);
> +
> + uvm_swap_stats(SWAP_STATS, sep, count, retval);
> + count = *retval;
> +
> + if (count < 1)
> + goto out;
> +
> + for (i = 0; i < count; i++) {
> + sep32[i].se_dev = sep[i].se_dev;
> + sep32[i].se_flags = sep[i].se_flags;
> + sep32[i].se_nblks = sep[i].se_nblks;
> + sep32[i].se_inuse = sep[i].se_inuse;
> + sep32[i].se_priority = sep[i].se_priority;
> + strlcpy(sep32[i].se_path, sep[i].se_path,
> + sizeof(sep32[i].se_path));
> + }
> +
> + error = copyout(sep32, SCARG(uap, arg), sizeof(*sep32) * count);
> +
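Review bot: count is taken straight from SCARG(uap, misc) and multiplied into both kmem_alloc() sizes at the top of the function with no range check, so a negative or very large value reaches the allocator, and the count < 1 test only runs after that. Reject out-of-range values before allocating. The two buffers are also never cleared, and the strlcpy() in the loop writes se_path only up to its NUL, so the copyout() of sizeof(*sep32) * count bytes carries whatever was previously in the rest of each entry; clear sep32 before filling it (for example with kmem_zalloc()) or copy out only the initialised part of each entry.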
You are leaking the contents of kernel memory to userspace.
Given that the se_path[] arrays are the same, just memcpy() them.
Alternatively move the copyout() into the loop and just copy the
structure up to (and including) se_path's terminating '\0'.
David
--
David Laight: david%l8s.co.uk@localhost
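
An added example, not part of the original message or of the NetBSD patch: a userland C model of the leak described in the reply, measuring how many stale bytes a whole-structure copy exposes and how each of the two suggested fixes changes that. `struct ent32`, `PATH_LEN`, the 0xA5 marker and the sample path are constructed for illustration, and the first fix assumes the source array is fully initialised.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PATH_LEN 64   /* assumed; the real se_path size is not shown on the page */
#define STALE 0xA5    /* constructed marker standing in for old heap contents */

struct ent32 {        /* hypothetical stand-in for struct netbsd32_swapent */
    uint32_t dev;
    int32_t flags;
    char path[PATH_LEN];
};
/* Constructed source entry path; the tail of the array is zero-filled. */
static const char SRC[PATH_LEN] = "/dev/wd0b";

/* Fill one entry in a buffer that still holds old data, as kmem_alloc() memory may. */
static void fill(struct ent32 *e, int whole_array)
{
    memset(e, STALE, sizeof(*e));
    e->dev = 1;
    e->flags = 2;
    if (whole_array) {
        memcpy(e->path, SRC, PATH_LEN);  /* first suggestion: copy the array */
    } else {
        size_t n = strlen(SRC);          /* strlcpy() equivalent: stops at NUL */
        memcpy(e->path, SRC, n);
        e->path[n] = '\0';
    }
}

/* Stale bytes that would be copied out. trim models the second suggestion:
 * copy the structure only up to and including the path's terminating NUL. */
static size_t leaked(int whole_array, int trim)
{
    struct ent32 e;
    const unsigned char *p = (const unsigned char *)&e;
    size_t len = sizeof(e), n = 0;
    fill(&e, whole_array);
    if (trim)
        len = offsetof(struct ent32, path) + strlen(e.path) + 1;
    for (size_t i = 0; i < len; i++)
        n += (p[i] == STALE);
    return n;
}

int main(void) {
    printf("%zu %zu %zu\n", leaked(0, 0), leaked(1, 0), leaked(0, 1));
    return 0;
}
```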