Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/sys/compat/sys Yet another idiotic compat syscall that was d...
details: https://anonhg.NetBSD.org/src/rev/f62361cca7a2
branches: trunk
changeset: 1011352:f62361cca7a2
user: maxv <maxv%NetBSD.org@localhost>
date: Sat Jun 27 07:00:43 2020 +0000
description:
Yet another idiotic compat syscall that was developed with literally zero
test made. Simply invoking this syscall with _valid parameters_ triggers a
fatal fault, because the kernel tries to write to userland addresses.
With specially-crafted parameters it is easy to completely escalate
privileges into the kernel.
Also the size of the allocation is just obviously wrong, but it looks like
the callers are even more wrong, so not gonna fix it for now.
Reported-by: syzbot+b05096f3114b2820d81c%syzkaller.appspotmail.com@localhost
diffstat:
sys/compat/sys/mount.h | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diffs (18 lines):
diff -r e007ecd8e145 -r f62361cca7a2 sys/compat/sys/mount.h
--- a/sys/compat/sys/mount.h Sat Jun 27 06:57:44 2020 +0000
+++ b/sys/compat/sys/mount.h Sat Jun 27 07:00:43 2020 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: mount.h,v 1.11 2019/10/04 01:28:02 christos Exp $ */
+/* $NetBSD: mount.h,v 1.12 2020/06/27 07:00:43 maxv Exp $ */
/*
* Copyright (c) 1989, 1991, 1993
@@ -140,7 +140,7 @@
struct statfs12 *s12 = STATVFSBUF_GET();
int error;
- statvfs_to_statfs12(vs, vs12);
+ statvfs_to_statfs12(vs, s12);
error = copyout(s12, vs12, l);
STATVFSBUF_PUT(s12);
Home |
Main Index |
Thread Index |
Old Index