Aren/NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix sizeof mismatch in copyin. This leads to a user-triggerable stack

Browse Source 
overflow. On my test build at least, by luck, the compiler orders the
variables in a way that the overflow hits only local structures which
haven't yet been initialized and used, so the overflow is harmless.

Very easily seeable with kASan - just invoke the syscall from a 32bit
binary.
This commit is contained in:
maxv 2020-01-01 09:17:45 +00:00
parent 442ef904f9
commit 046ef0bd0f
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
sys/compat/netbsd32/netbsd32_compat_43.c
View File

@ -1,4 +1,4 @@
/* $NetBSD: netbsd32_compat_43.c,v 1.58 2019/08/23 13:59:45 maxv Exp $ */
/* $NetBSD: netbsd32_compat_43.c,v 1.59 2020/01/01 09:17:45 maxv Exp $ */
/*
* Copyright (c) 1998, 2001 Matthew R. Green
@ -27,7 +27,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: netbsd32_compat_43.c,v 1.58 2019/08/23 13:59:45 maxv Exp $");
__KERNEL_RCSID(0, "$NetBSD: netbsd32_compat_43.c,v 1.59 2020/01/01 09:17:45 maxv Exp $");
#if defined(_KERNEL_OPT)
#include "opt_compat_43.h"
@ -433,7 +433,7 @@ compat_43_netbsd32_orecvmsg(struct lwp *l, const struct compat_43_netbsd32_orecv
struct iovec *iov, aiov[UIO_SMALLIOV];
int error;
error = copyin(SCARG_P32(uap, msg), &omsg, sizeof (struct omsghdr));
error = copyin(SCARG_P32(uap, msg), &omsg, sizeof(omsg));
if (error)
return (error);
@ -518,7 +518,7 @@ compat_43_netbsd32_osendmsg(struct lwp *l, const struct compat_43_netbsd32_osend
struct sockaddr *sa;
int error;
error = copyin(SCARG_P32(uap, msg), &omsg, sizeof (struct omsghdr));
error = copyin(SCARG_P32(uap, msg), &omsg, sizeof(omsg));
if (error != 0)
return (error);