Yet another idiotic compat syscall that was developed with literally zero

test made. Simply invoking this syscall with _valid parameters_ triggers a fatal fault, because the kernel tries to write to userland addresses. With specially-crafted parameters it is easy to completely escalate privileges into the kernel. Also the size of the allocation is just obviously wrong, but it looks like the callers are even more wrong, so not gonna fix it for now. Reported-by: syzbot+b05096f3114b2820d81c@syzkaller.appspotmail.com
2020-06-27 07:00:43 +00:00 · 2020-06-27 07:00:43 +00:00 · f2af77cb3a
commit f2af77cb3a
parent b61f0fee17
1 changed files with 2 additions and 2 deletions
--- a/sys/compat/sys/mount.h
+++ b/sys/compat/sys/mount.h
@ -1,4 +1,4 @@
-/*	$NetBSD: mount.h,v 1.11 2019/10/04 01:28:02 christos Exp $	*/
+/*	$NetBSD: mount.h,v 1.12 2020/06/27 07:00:43 maxv Exp $	*/

 /*
 * Copyright (c) 1989, 1991, 1993
@ -140,7 +140,7 @@ statvfs_to_statfs12_copy(const void *vs, void *vs12, size_t l)
 	struct statfs12 *s12 = STATVFSBUF_GET();
 	int error;

-	statvfs_to_statfs12(vs, vs12);
+	statvfs_to_statfs12(vs, s12);
 	error = copyout(s12, vs12, l);
 	STATVFSBUF_PUT(s12);