Module Name: src
Committed By: maxv
Date: Fri Sep 16 12:28:41 UTC 2016
x86_copyargs takes as third argument a size, but still copies two chunks of
16 and 24 bytes, without checking the userland<->kernel limit accordingly.
Fix it by just checking the maximum size directly.
It means that even if 16 bytes are copied, the kernel now makes sure 40
bytes are in userland. We could make it more fine-grained, but it would
probably unoptimize the function, and we don't care enough.
To generate a diff of this commit:
cvs rdiff -u -r1.24 -r1.25 src/sys/arch/i386/i386/copy.S
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
diff -u src/sys/arch/i386/i386/copy.S:1.24 src/sys/arch/i386/i386/copy.S:1.25
--- src/sys/arch/i386/i386/copy.S:1.24 Fri May 13 13:24:01 2016
+++ src/sys/arch/i386/i386/copy.S Fri Sep 16 12:28:41 2016
@@ -1,4 +1,4 @@
-/* $NetBSD: copy.S,v 1.24 2016/05/13 13:24:01 maxv Exp $ */
+/* $NetBSD: copy.S,v 1.25 2016/09/16 12:28:41 maxv Exp $ */
/* NetBSD: locore.S,v 1.34 2005/04/01 11:59:31 yamt Exp $ */
@@ -65,7 +65,7 @@
-__KERNEL_RCSID(0, "$NetBSD: copy.S,v 1.24 2016/05/13 13:24:01 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: copy.S,v 1.25 2016/09/16 12:28:41 maxv Exp $");
@@ -687,13 +687,16 @@ ENTRY(x86_copyargs)
- * We check that the end of the destination buffer is not past the end
- * of the user's address space. If it's not, then we only need to
- * check that each page is readable, and the CPU will do that for us.
+ * In this function, we may copy more than the size given in the third
+ * argument. In order to make sure the real end of the destination
+ * buffer is not past the end of the user's address space, we don't
+ * check the third argument but rather the largest possible size, which
+ * is:
+ * (2 + SYS_MAXSYSARGS) * 4 = 10 * 4
- addl %ecx,%eax
+ addl $(10 * 4),%eax
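Review bot: the new comment in this hunk derives the bound as `(2 + SYS_MAXSYSARGS) * 4 = 10 * 4`, but the instruction hardcodes the result as `addl $(10 * 4),%eax`; consider writing the operand as `$((2 + SYS_MAXSYSARGS) * 4)` (or a named constant) so the limit check cannot silently drift apart from the comment if SYS_MAXSYSARGS ever changes. It would also help to state in the comment what the commit message says: the check is now deliberately conservative, so a 16-byte copy is still rejected unless the full 40 bytes lie within the user's address space (it can only reject, never over-read), which is why the per-call length previously added by the removed `addl %ecx,%eax` no longer participates in the bound.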