Date:      Mon, 18 Mar 2002 14:20:02 -0800 (PST)
From:      "Tim J. Robbins" <tim@robbins.dropbear.id.au>
To:        freebsd-bugs@FreeBSD.org
Subject:   Re: kern/36038: sendfile(2) on smbfs fails, exposes kernel memory to userspace
Message-ID:  <200203182220.g2IMK2S50958@freefall.freebsd.org>

The following reply was made to PR kern/36038; it has been noted by GNATS.

From: "Tim J. Robbins" <tim@robbins.dropbear.id.au>
To: David Greenman <dg@root.com>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: kern/36038: sendfile(2) on smbfs fails, exposes kernel memory to userspace
Date: Tue, 19 Mar 2002 09:16:28 +1100

 On Sun, Mar 17, 2002 at 11:12:28PM -0800, David Greenman wrote:
 
 >    After a quick look at this, it appears that md_get_uio() (located in
 > kern/sysbr_mchain.c) doesn't support UIO_NOCOPY, which sendfile() requires.
 > This function (and its children) appear to be only used by smbfs.
 
 Thanks for helping to track down the bug so quickly.
 
 md_get_uio() made the incorrect assumption that anything other than
 UIO_SYSSPACE was UIO_USER(I)SPACE.
 
 I'm not sure how to implement UIO_NOCOPY for mchain, so these patches
 just make it return an error instead of trying to copy bogus data,
 leading to EFAULT or revealing contents of kernel memory.
 
 Patch against HEAD:
 
 Index: subr_mchain.c
 ===================================================================
 RCS file: /home/ncvs/src/sys/kern/subr_mchain.c,v
 retrieving revision 1.4
 diff -u -r1.4 subr_mchain.c
 --- subr_mchain.c	2002/02/21 16:23:38	1.4
 +++ subr_mchain.c	2002/03/18 22:13:41
 @@ -273,8 +273,21 @@
  	long left;
  	int mtype, error;
  
 -	mtype = (uiop->uio_segflg == UIO_SYSSPACE) ? MB_MSYSTEM : MB_MUSER;
 -
 +	switch (uiop->uio_segflg) {
 +	case UIO_USERSPACE:
 +	case UIO_USERISPACE:
 +		mtype = MB_MUSER;
 +		break;
 +	case UIO_SYSSPACE:
 +		mtype = MB_MSYSTEM;
 +		break;
 +	case UIO_NOCOPY:
 +		/* XXX Not supported */
 +		return EOPNOTSUPP;
 +	default:
 +		return EINVAL;
 +	}
 + 
  	while (size > 0 && uiop->uio_resid) {
  		if (uiop->uio_iovcnt <= 0 || uiop->uio_iov == NULL)
  			return EFBIG;
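Review bot: the added blank line after the closing brace of the switch (the lone `+ ` line) carries trailing whitespace; drop it before commit. On substance, rejecting UIO_NOCOPY before the copy loop is the right fix: the old `? MB_MSYSTEM : MB_MUSER` fallback routed a UIO_NOCOPY uio down the MB_MUSER path, which treats the iov base as a user address and so either faults or copies kernel memory out, exactly the EFAULT-or-disclosure behaviour the report describes. The `/* XXX Not supported */` comment should say that much, so a later reader does not "simplify" the switch by folding UIO_NOCOPY back into the MB_MUSER case. The `default: return EINVAL;` arm is a good defensive addition, since any segflg value added later now fails closed instead of silently being treated as user memory.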
 
 
 Patch against RELENG_4:
 
 Index: subr_mchain.c
 ===================================================================
 RCS file: /home/ncvs/src/sys/kern/subr_mchain.c,v
 retrieving revision 1.2.2.1
 diff -u -r1.2.2.1 subr_mchain.c
 --- subr_mchain.c	2001/05/18 11:01:21	1.2.2.1
 +++ subr_mchain.c	2002/03/18 22:10:40
 @@ -525,7 +525,21 @@
  	long left;
  	int mtype, error;
  
 -	mtype = (uiop->uio_segflg == UIO_SYSSPACE) ? MB_MSYSTEM : MB_MUSER;
 +	switch (uiop->uio_segflg) {
 +	case UIO_USERSPACE:
 +	case UIO_USERISPACE:
 +		mtype = MB_MUSER;
 +		break;
 +	case UIO_SYSSPACE:
 +		mtype = MB_MSYSTEM;
 +		break;
 +	case UIO_NOCOPY:
 +		/* XXX Not supported */
 +		return EOPNOTSUPP;
 +	default:
 +		return EINVAL;
 +	}
 +
  	while (size > 0) {
  		if (uiop->uio_iovcnt <= 0 || uiop->uio_iov == NULL)
  			return EFBIG;
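Review bot: this mirrors the HEAD hunk, but callers on this branch now get EOPNOTSUPP where they previously received bogus data or EFAULT, and no UIO_NOCOPY support is added, so the PR and commit message should state plainly that sendfile(2) on smbfs returns an error on RELENG_4 after this change rather than succeeding. One pre-existing difference worth noting while here: the HEAD loop is `while (size > 0 && uiop->uio_resid)` whereas this branch's is `while (size > 0)`; the divergence is not introduced by this patch, but the reviewer applying both should confirm the RELENG_4 loop cannot spin on a uio whose resid has already reached zero.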
 
 
 Tim
