Module Name:	src
Committed By:	martin
Date:		Thu Aug 21 09:05:45 UTC 2014

Modified Files:
	src/sys/miscfs/umapfs [netbsd-7]: umap_vfsops.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #43):
	sys/miscfs/umapfs/umap_vfsops.c: revision 1.94

1) 'error' is returned while it does not even hold an error code. Which
   means that zero is returned, and the kernel keeps mounting (and it
   probably ends up in a deadlock/memory corruption somewhere).
2) 'nentries' and 'gnentries' are int and user-controlled, and there's no
   check to ensure they are greater than zero. Since they are used to
   compute the size of two copyin's, a user can control the copied size by
   giving a negative value (like 128-2^29), and thus overwrite kernel
   memory.

Both triggerable from root only.

To generate a diff of this commit:
cvs rdiff -u -r1.93 -r1.93.2.1 src/sys/miscfs/umapfs/umap_vfsops.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
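
Added example, not code from the NetBSD tree or from this commit: a user-space C model of item 2 above, showing why a signed count with only an upper-bound check lets the quoted value 128-2^29 through, and how a lower-bound check stops it. The table capacity, the 8-byte entry size, the 32-bit size arithmetic, the presence of an upper-bound check and all function names are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed values for this sketch, not copied from the NetBSD headers. */
#define MAX_ENTRIES 64                                 /* table capacity */
#define ENTRY_BYTES (2u * (uint32_t)sizeof(uint32_t))  /* one id pair, ILP32 */
#define TABLE_BYTES (MAX_ENTRIES * ENTRY_BYTES)

/* Byte count a copy would be asked for, using 32-bit size arithmetic. */
static uint32_t copy_bytes32(int nentries)
{
    return (uint32_t)nentries * ENTRY_BYTES;  /* wraps modulo 2^32 */
}

/* Upper bound only (assumed pre-fix shape): every negative count passes. */
static int check_upper_only(int nentries)
{
    return nentries > MAX_ENTRIES ? EINVAL : 0;
}

/* Both bounds: negative counts are rejected before any size is computed. */
static int check_both_bounds(int nentries)
{
    return (nentries < 0 || nentries > MAX_ENTRIES) ? EINVAL : 0;
}

/* 1 if the count is accepted and the resulting copy exceeds the table. */
static int copy_overruns(int nentries, int (*check)(int))
{
    if (check(nentries) != 0)
        return 0;
    return copy_bytes32(nentries) > TABLE_BYTES;
}

int main(void)
{
    int n = 128 - (1 << 29);  /* the value quoted in the log message */

    printf("table=%u bytes, requested copy=%u bytes\n",
        (unsigned)TABLE_BYTES, (unsigned)copy_bytes32(n));
    printf("upper-only check overruns: %d\n",
        copy_overruns(n, check_upper_only));
    printf("both-bounds check overruns: %d\n",
        copy_overruns(n, check_both_bounds));
    return 0;
}
```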