--Boundary-00=_b5QNCqq2LebaGL2
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

On Monday 14 March 2005 03:46, Sean Davis wrote:
> Okay, I recently read that there is an issue with copyout on i386 on
> FreeBSD and OpenBSD... looking at the patch, I think this probably
> applies to NetBSD as well. I've adapted this patch to our
> sys/arch/i386/i386/locore.S, and I haven't seen any problems. I
> personally have about zero knowledge of i386 assembly, so I think that
> perhaps somebody else should check this patch out.

I haven't tested it, but I think the problem is real.  The code attempts to 
bounds-check the length parameter, but it does not check that the input 
pointer is okay first.  I think a slightly simpler patch would be just as 
effective, and not add code to the inner copy loop.

--Boundary-00=_b5QNCqq2LebaGL2
Content-Type: text/x-diff;
  charset="iso-8859-1";
  name="locore.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
	filename="locore.diff"

Index: locore.S
===================================================================
RCS file: /cvsroot/src/sys/arch/i386/i386/locore.S,v
retrieving revision 1.32
diff -u -r1.32 locore.S
--- locore.S	2 Mar 2005 12:00:25 -0000	1.32
+++ locore.S	14 Mar 2005 04:06:12 -0000
@@ -1162,6 +1162,7 @@
 	 */
 	movl	$VM_MAXUSER_ADDRESS,%eax
 	subl	%edi,%eax
+	jc	_C_LABEL(copystr_efault)
 	cmpl	%edx,%eax
 	jae	1f
 	movl	%eax,%edx
@@ -1216,6 +1217,7 @@
 	 */
 	movl	$VM_MAXUSER_ADDRESS,%eax
 	subl	%esi,%eax
+	jc	_C_LABEL(copystr_efault)
 	cmpl	%edx,%eax
 	jae	1f
 	movl	%eax,%edx

--Boundary-00=_b5QNCqq2LebaGL2--