83fce8c371
means that zero is returned, and the kernel keeps mounting (and it probably ends up in a deadlock/memory corruption somewhere).

2) 'nentries' and 'gnentries' are int and user-controlled, and there's no check to ensure they are greater than zero. Since they are used to compute the size of two copyin's, a user can control the copied size by giving a negative value (like 128-2^29), and thus overwrite kernel memory.

Both triggerable from root only.

- files.umapfs
- Makefile
- umap_subr.c
- umap_vfsops.c
- umap_vnops.c
- umap.h
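
The arithmetic behind item 2 of the commit message, as an added example that is not code from the commit or the project: a signed count passes an upper-bound-only comparison, and the multiplication that sizes the copy wraps to a length larger than the destination table. Assumptions: 32-bit size arithmetic, a 64-entry table of two 32-bit ids per entry, the presence of an upper-bound check, and every name below (`map_args`, `copy_len`, `check_upper_only`, `check_range`, `load_map`, `MAP_ENTRIES`) is hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAP_ENTRIES 64  /* assumed table capacity; the page gives no value */

/* Hypothetical stand-in for the mount arguments copied in from userland. */
struct map_args {
    int nentries;             /* signed and caller-controlled */
    const uint32_t *mapdata;  /* caller's id pairs, flattened */
};

/* Byte count handed to the copy, in 32-bit size arithmetic (ILP32 assumed). */
static uint32_t copy_len(int nentries)
{
    return (uint32_t)(2 * sizeof(uint32_t)) * (uint32_t)nentries;
}

/* Upper bound only: the comparison is signed, so any negative count passes. */
static int check_upper_only(int nentries)
{
    return nentries <= MAP_ENTRIES;
}

/* Hardened form: reject zero and negative counts before sizing the copy. */
static int check_range(int nentries)
{
    return nentries > 0 && nentries <= MAP_ENTRIES;
}

/* Copy the caller's table only after the full range check; -1 on rejection. */
static int load_map(uint32_t dst[MAP_ENTRIES][2], const struct map_args *a)
{
    if (!check_range(a->nentries))
        return -1;
    memcpy(dst, a->mapdata, copy_len(a->nentries));
    return 0;
}

int main(void)
{
    int n = 128 - (1 << 29);  /* the value quoted in the commit message */
    uint32_t table[MAP_ENTRIES][2] = {{0}};
    struct map_args a = { n, NULL };
    printf("upper-only check passes: %d\n", check_upper_only(n));
    printf("copy length %u into a %zu-byte table\n", (unsigned)copy_len(n), sizeof table);
    printf("load_map returns: %d\n", load_map(table, &a));
    return 0;
}
```

With a 64-bit `size_t` the same count converts to an enormous length instead of wrapping to a small one; the range check covers both cases.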