Check the passed in address as well as determining the maximum length

using VM_MAXUSER_ADDRESS in copyinstr and copyoutstr. Problem originally fixed in OpenBSD/i386. This fix suggested by Charles Hannum (mycroft at netbsd dot org).
2005-03-14 21:50:59 +00:00 · 2005-03-14 21:50:59 +00:00 · 486492d83a
commit 486492d83a
parent 3650a70127
2 changed files with 6 additions and 2 deletions
--- a/sys/arch/amd64/amd64/copy.S
+++ b/sys/arch/amd64/amd64/copy.S
@ -1,4 +1,4 @@
-/*	$NetBSD: copy.S,v 1.1 2003/04/26 18:39:26 fvdl Exp $	*/
+/*	$NetBSD: copy.S,v 1.2 2005/03/14 21:50:59 fvdl Exp $	*/

 /*
 * Copyright (c) 2001 Wasabi Systems, Inc.
@ -207,6 +207,7 @@ ENTRY(copyoutstr)
 	 */
 	movq	$VM_MAXUSER_ADDRESS,%rax
 	subq	%rdi,%rax
+	jc	_C_LABEL(copystr_efault)
 	cmpq	%rdx,%rax
 	jae	1f
 	movq	%rax,%rdx
@ -248,6 +249,7 @@ ENTRY(copyinstr)
 	 */
 	movq	$VM_MAXUSER_ADDRESS,%rax
 	subq	%rsi,%rax
+	jc	_C_LABEL(copystr_efault)
 	cmpq	%rdx,%rax
 	jae	1f
 	movq	%rax,%rdx
--- a/sys/arch/i386/i386/locore.S
+++ b/sys/arch/i386/i386/locore.S
@ -1,4 +1,4 @@
-/*	$NetBSD: locore.S,v 1.32 2005/03/02 12:00:25 mycroft Exp $	*/
+/*	$NetBSD: locore.S,v 1.33 2005/03/14 21:50:59 fvdl Exp $	*/

 /*-
 * Copyright (c) 1998, 2000, 2004 The NetBSD Foundation, Inc.
@ -1162,6 +1162,7 @@ ENTRY(copyoutstr)
 	 */
 	movl	$VM_MAXUSER_ADDRESS,%eax
 	subl	%edi,%eax
+	jc	_C_LABEL(copystr_efault)
 	cmpl	%edx,%eax
 	jae	1f
 	movl	%eax,%edx
@ -1216,6 +1217,7 @@ ENTRY(copyinstr)
 	 */
 	movl	$VM_MAXUSER_ADDRESS,%eax
 	subl	%esi,%eax
+	jc	_C_LABEL(copystr_efault)
 	cmpl	%edx,%eax
 	jae	1f
 	movl	%eax,%edx