Fix sizeof mismatch in copyin. This leads to a user-triggerable stack
overflow. On my test build at least, by luck, the compiler orders the variables in such a way that the overflow hits only local structures that have not yet been initialized and used, so the overflow is harmless there. It is easy to observe with kASan: just invoke the syscall from a 32-bit binary.
parent
442ef904f9
commit
046ef0bd0f
@ -1,4 +1,4 @@
|
|||||||
/* $NetBSD: netbsd32_compat_43.c,v 1.58 2019/08/23 13:59:45 maxv Exp $ */
|
/* $NetBSD: netbsd32_compat_43.c,v 1.59 2020/01/01 09:17:45 maxv Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 1998, 2001 Matthew R. Green
|
* Copyright (c) 1998, 2001 Matthew R. Green
|
||||||
@ -27,7 +27,7 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
#include <sys/cdefs.h>
|
#include <sys/cdefs.h>
|
||||||
__KERNEL_RCSID(0, "$NetBSD: netbsd32_compat_43.c,v 1.58 2019/08/23 13:59:45 maxv Exp $");
|
__KERNEL_RCSID(0, "$NetBSD: netbsd32_compat_43.c,v 1.59 2020/01/01 09:17:45 maxv Exp $");
|
||||||
|
|
||||||
#if defined(_KERNEL_OPT)
|
#if defined(_KERNEL_OPT)
|
||||||
#include "opt_compat_43.h"
|
#include "opt_compat_43.h"
|
||||||
@ -433,7 +433,7 @@ compat_43_netbsd32_orecvmsg(struct lwp *l, const struct compat_43_netbsd32_orecv
|
|||||||
struct iovec *iov, aiov[UIO_SMALLIOV];
|
struct iovec *iov, aiov[UIO_SMALLIOV];
|
||||||
int error;
|
int error;
|
||||||
|
|
||||||
error = copyin(SCARG_P32(uap, msg), &omsg, sizeof (struct omsghdr));
|
error = copyin(SCARG_P32(uap, msg), &omsg, sizeof(omsg));
|
||||||
if (error)
|
if (error)
|
||||||
return (error);
|
return (error);
|
||||||
|
|
||||||
@ -518,7 +518,7 @@ compat_43_netbsd32_osendmsg(struct lwp *l, const struct compat_43_netbsd32_osend
|
|||||||
struct sockaddr *sa;
|
struct sockaddr *sa;
|
||||||
int error;
|
int error;
|
||||||
|
|
||||||
error = copyin(SCARG_P32(uap, msg), &omsg, sizeof (struct omsghdr));
|
error = copyin(SCARG_P32(uap, msg), &omsg, sizeof(omsg));
|
||||||
if (error != 0)
|
if (error != 0)
|
||||||
return (error);
|
return (error);
|
||||||
|
|
||||||
|
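Review bot: Nothing at either corrected `copyin` call (in `compat_43_netbsd32_orecvmsg` and again in `compat_43_netbsd32_osendmsg`) records why the length must come from the destination object, so a later cleanup could put the native `struct omsghdr` size back and reintroduce the stack overrun. A one-line comment above each call would pin it, e.g. `/* omsg is the 32-bit layout: size the copy from the destination, not from struct omsghdr */`. The declaration of `omsg` is outside both hunks, so its type is inferred from the commit message rather than read from the code; the same sized-by-native-type pattern may be worth checking for in the other netbsd32 compat `copyin` calls. Both function bodies continue outside the hunks shown.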