Module Name:    src
Committed By:   msaitoh
Date:           Wed Aug 27 14:53:26 UTC 2014

Modified Files:
        src/sys/fs/ptyfs [netbsd-6]: ptyfs_vfsops.c
        src/sys/miscfs/umapfs [netbsd-6]: umap_vfsops.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1115):
        sys/miscfs/umapfs/umap_vfsops.c: revision 1.94
        sys/fs/ptyfs/ptyfs_vfsops.c: revision 1.52
Overflow if *data_len == OSIZE and args->version >= PTYFS_ARGSVERSION.
Sent on tech-kern@, ok christos@
1) 'error' is returned while it does not even hold an error code, which
   means that zero is returned, and the kernel keeps mounting (and it
   probably ends up in a deadlock/memory corruption somewhere).
2) 'nentries' and 'gnentries' are int and user-controlled, and there's no
   check to ensure they are greater than zero. Since they are used to
   compute the size of two copyin's, a user can control the copied size
   by giving a negative value (like 128-2^29), and thus overwrite kernel
   memory.
Both triggerable from root only.


To generate a diff of this commit:
cvs rdiff -u -r1.42.18.2 -r1.42.18.3 src/sys/fs/ptyfs/ptyfs_vfsops.c
cvs rdiff -u -r1.86.14.1 -r1.86.14.2 src/sys/miscfs/umapfs/umap_vfsops.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/fs/ptyfs/ptyfs_vfsops.c
diff -u src/sys/fs/ptyfs/ptyfs_vfsops.c:1.42.18.2 src/sys/fs/ptyfs/ptyfs_vfsops.c:1.42.18.3
--- src/sys/fs/ptyfs/ptyfs_vfsops.c:1.42.18.2	Mon Apr 21 10:14:18 2014
+++ src/sys/fs/ptyfs/ptyfs_vfsops.c	Wed Aug 27 14:53:26 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: ptyfs_vfsops.c,v 1.42.18.2 2014/04/21 10:14:18 bouyer Exp $	*/
+/*	$NetBSD: ptyfs_vfsops.c,v 1.42.18.3 2014/08/27 14:53:26 msaitoh Exp $	*/
 
 /*
  * Copyright (c) 1992, 1993, 1995
@@ -38,7 +38,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ptyfs_vfsops.c,v 1.42.18.2 2014/04/21 10:14:18 bouyer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ptyfs_vfsops.c,v 1.42.18.3 2014/08/27 14:53:26 msaitoh Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -220,8 +220,10 @@ ptyfs_mount(struct mount *mp, const char
 
 	if (args == NULL)
 		return EINVAL;
-	if (*data_len != sizeof *args && *data_len != OSIZE)
-		return EINVAL;
+	if (*data_len != sizeof *args) {
+		if (*data_len != OSIZE || args->version >= PTYFS_ARGSVERSION)
+			return EINVAL;
+	}
 
 	if (UIO_MX & (UIO_MX - 1)) {
 		log(LOG_ERR, "ptyfs: invalid directory entry size");
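Review bot: The new size/version test on the `if (*data_len != sizeof *args)` lines carries no comment explaining why an OSIZE buffer is acceptable only for an older args version, so a later reader is likely to "simplify" it back to the pure size check that caused the overflow. I would add `/* An OSIZE buffer holds only the pre-PTYFS_ARGSVERSION fields; a newer version would make us read past *data_len. */` above the outer `if`. Note that `args->version` is read before the size is settled, so this is only sound if `version` lies within the first OSIZE bytes of the struct — the hunk does not show the layout, worth confirming. With `*data_len == sizeof *args` no version value is rejected at all, so a version newer than PTYFS_ARGSVERSION passes through; if that is intended, the comment should say so. ptyfs_mount begins before this hunk and continues past it.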

Index: src/sys/miscfs/umapfs/umap_vfsops.c
diff -u src/sys/miscfs/umapfs/umap_vfsops.c:1.86.14.1 src/sys/miscfs/umapfs/umap_vfsops.c:1.86.14.2
--- src/sys/miscfs/umapfs/umap_vfsops.c:1.86.14.1	Mon Apr 21 10:14:18 2014
+++ src/sys/miscfs/umapfs/umap_vfsops.c	Wed Aug 27 14:53:26 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: umap_vfsops.c,v 1.86.14.1 2014/04/21 10:14:18 bouyer Exp $	*/
+/*	$NetBSD: umap_vfsops.c,v 1.86.14.2 2014/08/27 14:53:26 msaitoh Exp $	*/
 
 /*
  * Copyright (c) 1992, 1993
@@ -41,7 +41,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: umap_vfsops.c,v 1.86.14.1 2014/04/21 10:14:18 bouyer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: umap_vfsops.c,v 1.86.14.2 2014/08/27 14:53:26 msaitoh Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -155,9 +155,10 @@ umapfs_mount(struct mount *mp, const cha
 	/*
 	 * Now copy in the number of entries and maps for umap mapping.
 	 */
-	if (args->nentries > MAPFILEENTRIES || args->gnentries > GMAPFILEENTRIES) {
+	if (args->nentries < 0 || args->nentries > MAPFILEENTRIES ||
+	    args->gnentries < 0 || args->gnentries > GMAPFILEENTRIES) {
 		vput(lowerrootvp);
-		return (error);
+		return (EINVAL);
 	}
 
 	amp->info_nentries = args->nentries;
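Review bot: The added `< 0` tests on `args->nentries` and `args->gnentries` give no hint that these signed, user-supplied counts later size copyin buffers, which is the whole reason a negative value is dangerous and not merely odd. I would put `/* nentries/gnentries are user-supplied ints that size the copyins below; negative values must be rejected, not just oversized ones. */` above the `if`. The copyins themselves are outside this hunk, so I cannot confirm from here that no other path consumes these counts before the check; umapfs_mount starts before the hunk and continues after it. Returning the explicit `EINVAL` instead of the stale `error` is right, and the same stale-`error` pattern is worth checking at any other early return in this function.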
