[src/trunk]: src/sys/miscfs/umapfs 1) 'error' is returned while it does not e...

To: source-changes-hg%NetBSD.org@localhost
Subject: [src/trunk]: src/sys/miscfs/umapfs 1) 'error' is returned while it does not e...
From: maxv <maxv%NetBSD.org@localhost>
Date: Tue, 31 Jul 2018 18:43:37 +0000

details:   https://anonhg.NetBSD.org/src/rev/12dad24b17bb
branches:  trunk
changeset: 331476:12dad24b17bb
user:      maxv <maxv%NetBSD.org@localhost>
date:      Mon Aug 11 14:02:14 2014 +0000

description:
1) 'error' is returned while it does not even hold an error code. Which
   means that zero is returned, and the kernel keeps mounting (and it
   probably ends up in a deadlock/memory corruption somewhere).
2) 'nentries' and 'gnentries' are int and user-controlled, and there's no
   check to ensure they are greater than zero. Since they are used to
   compute the size of two copyin's, a user can control the copied size
   by giving a negative value (like 128-2^29), and thus overwrite kernel
   memory.

Both triggerable from root only.

diffstat:

 sys/miscfs/umapfs/umap_vfsops.c |  9 +++++----
 1 files changed, 5 insertions(+), 4 deletions(-)

diffs (31 lines):

diff -r 2d33ce3b6c00 -r 12dad24b17bb sys/miscfs/umapfs/umap_vfsops.c
--- a/sys/miscfs/umapfs/umap_vfsops.c   Mon Aug 11 13:59:24 2014 +0000
+++ b/sys/miscfs/umapfs/umap_vfsops.c   Mon Aug 11 14:02:14 2014 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: umap_vfsops.c,v 1.93 2014/05/25 13:51:25 hannken Exp $ */
+/*     $NetBSD: umap_vfsops.c,v 1.94 2014/08/11 14:02:14 maxv Exp $    */
 
 /*
  * Copyright (c) 1992, 1993
@@ -41,7 +41,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: umap_vfsops.c,v 1.93 2014/05/25 13:51:25 hannken Exp $");
+__KERNEL_RCSID(0, "$NetBSD: umap_vfsops.c,v 1.94 2014/08/11 14:02:14 maxv Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -153,9 +153,10 @@
        /*
         * Now copy in the number of entries and maps for umap mapping.
         */
-       if (args->nentries > MAPFILEENTRIES || args->gnentries > GMAPFILEENTRIES) {
+       if (args->nentries < 0 || args->nentries > MAPFILEENTRIES ||
+           args->gnentries < 0 || args->gnentries > GMAPFILEENTRIES) {
                vput(lowerrootvp);
-               return (error);
+               return (EINVAL);
        }
 
        amp->info_nentries = args->nentries;

Prev by Date: [src/trunk]: src/sys/kern buf is not guaranteed to be aligned; don't *(uint32...
Next by Date: [src/trunk]: src/sys/kern done is not guaranteed to be aligned; don't *(uint3...
Previous by Thread: [src/trunk]: src/sys/kern buf is not guaranteed to be aligned; don't *(uint32...
Next by Thread: [src/trunk]: src/sys/kern done is not guaranteed to be aligned; don't *(uint3...
Indexes:

Home | Main Index | Thread Index | Old Index