CVS commit: [netbsd-5] src/sys/miscfs/umapfs

2014-08-27 Thread SAITOH Masanobu
Module Name:    src
Committed By:   msaitoh
Date:   Wed Aug 27 06:02:48 UTC 2014

Modified Files:
src/sys/miscfs/umapfs [netbsd-5]: umap_vfsops.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1921):
sys/miscfs/umapfs/umap_vfsops.c: revision 1.94
1) 'error' is returned while it does not even hold an error code. Which
   means that zero is returned, and the kernel keeps mounting (and it
   probably ends up in a deadlock/memory corruption somewhere).
2) 'nentries' and 'gnentries' are int and user-controlled, and there's no
   check to ensure they are greater than zero. Since they are used to
   compute the size of two copyin's, a user can control the copied size
   by giving a negative value (like 128-2^29), and thus overwrite kernel
   memory.
Both triggerable from root only.


To generate a diff of this commit:
cvs rdiff -u -r1.80.6.1 -r1.80.6.2 src/sys/miscfs/umapfs/umap_vfsops.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/miscfs/umapfs/umap_vfsops.c
diff -u src/sys/miscfs/umapfs/umap_vfsops.c:1.80.6.1 src/sys/miscfs/umapfs/umap_vfsops.c:1.80.6.2
--- src/sys/miscfs/umapfs/umap_vfsops.c:1.80.6.1	Fri Apr 25 15:43:51 2014
+++ src/sys/miscfs/umapfs/umap_vfsops.c	Wed Aug 27 06:02:48 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: umap_vfsops.c,v 1.80.6.1 2014/04/25 15:43:51 sborrill Exp $	*/
+/*	$NetBSD: umap_vfsops.c,v 1.80.6.2 2014/08/27 06:02:48 msaitoh Exp $	*/
 
 /*
  * Copyright (c) 1992, 1993
@@ -41,7 +41,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: umap_vfsops.c,v 1.80.6.1 2014/04/25 15:43:51 sborrill Exp $);
+__KERNEL_RCSID(0, $NetBSD: umap_vfsops.c,v 1.80.6.2 2014/08/27 06:02:48 msaitoh Exp $);
 
 #include sys/param.h
 #include sys/systm.h
@@ -152,9 +152,10 @@ umapfs_mount(mp, path, data, data_len)
 	/*
 	 * Now copy in the number of entries and maps for umap mapping.
 	 */
-	if (args-nentries  MAPFILEENTRIES || args-gnentries  GMAPFILEENTRIES) {
+	if (args-nentries  0 || args-nentries  MAPFILEENTRIES ||
+	args-gnentries  0 || args-gnentries  GMAPFILEENTRIES) {
 		vput(lowerrootvp);
-		return (error);
+		return (EINVAL);
 	}
 
 	amp-info_nentries = args-nentries;
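Review bot: the continuation line `args-gnentries  0 || args-gnentries  GMAPFILEENTRIES) {` is indented to the same tab stop as the `if` itself, so it reads like the body of the conditional; KNF would indent it an extra four spaces so the two-line condition is visibly one expression. The substance is right: rejecting negative counts closes the lower-bound hole the log message describes, and returning EINVAL instead of the never-assigned `error` stops the mount from continuing with a zero return after `vput(lowerrootvp)` has already released the lower root vnode. Since `nentries` and `gnentries` still feed the copyin sizes below this check, the constants MAPFILEENTRIES and GMAPFILEENTRIES are now the only thing keeping count times entry size from wrapping, so they should stay small and be kept in step with the table they bound.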

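The lower-bound check added in the hunk above, as an added C example that is not NetBSD's code: it places the pre-patch and post-patch shapes of the count check side by side and shows what the value quoted in the log message, 128-2^29, does to a copy size computed from an int count. MAPFILEENTRIES, GMAPFILEENTRIES and the 8-byte struct map_entry are constructed for the example and are not the real umapfs definitions.

```c
/*
 * Added example (not NetBSD code): a user-controlled int count must be
 * checked for a lower bound as well as an upper bound before it sizes a
 * copyin. MAPFILEENTRIES, GMAPFILEENTRIES and struct map_entry below are
 * constructed for the example; the real definitions live in umapfs.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAPFILEENTRIES  64      /* constructed limit for the example */
#define GMAPFILEENTRIES 32      /* constructed limit for the example */

struct map_entry { uint32_t from; uint32_t to; }; /* hypothetical 8-byte entry */

/* Shape of the check before the patch: only the upper bound is tested,
 * so a negative count passes and reaches the copyin. */
int check_counts_before(int nentries, int gnentries)
{
    if (nentries > MAPFILEENTRIES || gnentries > GMAPFILEENTRIES)
        return EINVAL;
    return 0;
}

/* Shape of the check after the patch: both bounds tested, explicit EINVAL
 * instead of a variable that never held an error code. */
int check_counts_after(int nentries, int gnentries)
{
    if (nentries < 0 || nentries > MAPFILEENTRIES ||
        gnentries < 0 || gnentries > GMAPFILEENTRIES)
        return EINVAL;
    return 0;
}

/* Byte count that `n * sizeof(struct map_entry)` yields with a 32-bit
 * size_t: n converts to unsigned and the product wraps modulo 2^32. */
uint32_t copy_size32(int n)
{
    return (uint32_t)((uint32_t)n * (uint32_t)sizeof(struct map_entry));
}

/* The same computation with a 64-bit size_t: no wrap, just a huge size. */
uint64_t copy_size64(int n)
{
    return (uint64_t)n * (uint64_t)sizeof(struct map_entry);
}

/* Largest copy the kernel-side table in this example can actually hold. */
uint64_t table_bytes(void)
{
    return (uint64_t)MAPFILEENTRIES * sizeof(struct map_entry);
}

int main(void)
{
    int n = 128 - (1 << 29);    /* the value quoted in the commit message */

    printf("before: %d  after: %d\n",
           check_counts_before(n, 0), check_counts_after(n, 0));
    printf("32-bit copy size: %u bytes (table holds %llu)\n",
           copy_size32(n), (unsigned long long)table_bytes());
    printf("64-bit copy size: %llu bytes\n",
           (unsigned long long)copy_size64(n));
    return 0;
}
```

With a 32-bit size_t the 2^29 part of the count multiplies out to exactly 2^32 and disappears, leaving a 1024-byte copy (128 entries) into a table that holds 64, while the count itself sails past an upper-bound-only check because it is negative; with a 64-bit size_t the size is simply enormous. Either way the post-patch check returns EINVAL before any size is computed.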