NetBSD-Bugs archive
kern/41070: bad adjustment of iov len in swcr_compdec can panic kernel
>Number: 41070
>Category: kern
>Synopsis: bad adjustment of iov len in swcr_compdec can panic kernel
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Mar 24 23:45:01 +0000 2009
>Originator: Thor Lancelot Simon
>Release: NetBSD 5.0_RC2
>Organization:
>Environment:
System: NetBSD panix5.panix.com 5.0_RC2 NetBSD 5.0_RC2 (PANIX-XEN3U-USER-pae)
#1: Sat Feb 21 20:24:11 EST 2009
root%juggler.panix.com@localhost:/misc1/obj/misc2/devel/netbsd/5.0-RC2/src/sys/arch/i386/compile/PANIX-XEN3U-USER-pae
i386
Architecture: i386
Machine: i386
>Description:
In cryptosoft.c (the software backend for /dev/crypto), when
handling a request submitted in an iovec, the length field is
adjusted, analogously to the same operation for a request submitted
in an mbuf. When the requests were allocated with malloc, this was
mostly harmless. Now that they are allocated with kmem_alloc, it
can cause a kernel panic on request free (request completion).
This is an uncommon problem as few transforms can actually change
the result size, and the main one involved (deflate) is called in
the stock NetBSD kernel only from the IPcomp code, which submits
requests in mbufs. But it is still a bug, and is serious if one
encounters it.
>How-To-Repeat:
Submit a compression request in an iovec.
>Fix:
Don't change the length to be freed!
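The failure mode in the report, modelled in user space as an added example that is not part of the PR or of cryptosoft.c: the toy allocator, `toy_transform` and `run_request` are hypothetical stand-ins, and the model assumes the buffer is freed using `iov_len` as its size.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <sys/uio.h>

/* Toy size-checked allocator (constructed): as with kmem_free(9), the
 * caller must pass the size that was originally allocated. */
struct sized_buf { size_t alloc_len; unsigned char data[]; };

static void *sized_alloc(size_t len) {
    struct sized_buf *b = malloc(sizeof(*b) + len);
    if (b == NULL) return NULL;
    b->alloc_len = len;
    return b->data;
}

/* Returns 0 on success, -1 on a size mismatch (nothing is freed then).
 * A kernel allocator may panic at this point instead. */
static int sized_free(void *p, size_t len) {
    struct sized_buf *b = (struct sized_buf *)
        ((unsigned char *)p - offsetof(struct sized_buf, data));
    if (b->alloc_len != len) return -1;
    free(b);
    return 0;
}

/* Hypothetical transform whose output is shorter than its input.
 * adjust_iov_len=1 rewrites iov_len in place (the reported pattern);
 * adjust_iov_len=0 only returns the result length (the ">Fix:" idea). */
static size_t toy_transform(struct iovec *iov, int adjust_iov_len) {
    size_t out_len = iov->iov_len / 2;
    if (adjust_iov_len) iov->iov_len = out_len;
    return out_len;
}

/* Runs one request; returns the status of freeing with iov.iov_len. */
static int run_request(size_t len, int adjust_iov_len, size_t *result_len) {
    struct iovec iov;
    iov.iov_base = sized_alloc(len);
    if (iov.iov_base == NULL) return -2;
    iov.iov_len = len;
    memset(iov.iov_base, 'A', len);
    *result_len = toy_transform(&iov, adjust_iov_len);
    int rc = sized_free(iov.iov_base, iov.iov_len);
    if (rc != 0) sized_free(iov.iov_base, len); /* release with true size */
    return rc;
}

int main(void) { size_t n; return run_request(4096, 1, &n) == -1 ? 0 : 1; }
```

Keeping the result length in a separate variable leaves the allocation size intact for the free path, which is why the second mode succeeds.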