Date: Mon, 18 Mar 2002 14:20:02 -0800 (PST)
From: "Tim J. Robbins" <tim@robbins.dropbear.id.au>
To: freebsd-bugs@FreeBSD.org
Subject: Re: kern/36038: sendfile(2) on smbfs fails, exposes kernel memory to userspace
Message-ID: <200203182220.g2IMK2S50958@freefall.freebsd.org>
The following reply was made to PR kern/36038; it has been noted by GNATS.

From: "Tim J. Robbins" <tim@robbins.dropbear.id.au>
To: David Greenman <dg@root.com>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: kern/36038: sendfile(2) on smbfs fails, exposes kernel memory to userspace
Date: Tue, 19 Mar 2002 09:16:28 +1100

On Sun, Mar 17, 2002 at 11:12:28PM -0800, David Greenman wrote:
> After a quick look at this, it appears that md_get_uio() (located in
> kern/subr_mchain.c) doesn't support UIO_NOCOPY, which sendfile() requires.
> This function (and its children) appear to be only used by smbfs.

Thanks for helping to track down the bug so quickly. md_get_uio() made the
incorrect assumption that anything other than UIO_SYSSPACE was
UIO_USER(I)SPACE. I'm not sure how to implement UIO_NOCOPY for mchain, so
these patches just make it return an error instead of trying to copy bogus
data, leading to EFAULT or revealing contents of kernel memory.

Patch against HEAD:

Index: subr_mchain.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/subr_mchain.c,v
retrieving revision 1.4
diff -u -r1.4 subr_mchain.c
--- subr_mchain.c 2002/02/21 16:23:38 1.4
+++ subr_mchain.c 2002/03/18 22:13:41
@@ -273,8 +273,21 @@ long left; int mtype, error; - mtype = (uiop->uio_segflg == UIO_SYSSPACE) ? MB_MSYSTEM : MB_MUSER; - + switch (uiop->uio_segflg) { + case UIO_USERSPACE: + case UIO_USERISPACE: + mtype = MB_MUSER; + break; + case UIO_SYSSPACE: + mtype = MB_MSYSTEM; + break; + case UIO_NOCOPY: + /* XXX Not supported */ + return EOPNOTSUPP; + default: + return EINVAL; + } + while (size > 0 && uiop->uio_resid) { if (uiop->uio_iovcnt <= 0 || uiop->uio_iov == NULL) return EFBIG; Patch against RELENG_4: Index: subr_mchain.c =================================================================== RCS file: /home/ncvs/src/sys/kern/subr_mchain.c,v retrieving revision 1.2.2.1 diff -u -r1.2.2.1 subr_mchain.c --- subr_mchain.c 2001/05/18 11:01:21 1.2.2.1 +++ subr_mchain.c 2002/03/18 22:10:40 @@ -525,7 +525,21 @@ long left; int mtype, error; - mtype = (uiop->uio_segflg == UIO_SYSSPACE) ? MB_MSYSTEM : MB_MUSER; + switch (uiop->uio_segflg) { + case UIO_USERSPACE: + case UIO_USERISPACE: + mtype = MB_MUSER; + break; + case UIO_SYSSPACE: + mtype = MB_MSYSTEM; + break; + case UIO_NOCOPY: + /* XXX Not supported */ + return EOPNOTSUPP; + default: + return EINVAL; + } + while (size > 0) { if (uiop->uio_iovcnt <= 0 || uiop->uio_iov == NULL) return EFBIG; Tim To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
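Review bot: the `case UIO_NOCOPY: /* XXX Not supported */ return EOPNOTSUPP;` branch in the HEAD hunk (and the identical branch in the RELENG_4 hunk) is the right fail-closed fix, but the comment should say why the case is unsupported and what callers will observe: mchain has no path to consume mbuf data without a destination buffer, so a sendfile(2) on smbfs that previously copied with the wrong mtype now returns EOPNOTSUPP to the caller. Stating that in the comment, rather than a bare "XXX", tells the next person whether this is a stub awaiting an implementation or a deliberate rejection. Also consider the `default: return EINVAL;` arm: an unrecognised uio_segflg reaching md_get_uio() is a kernel-side caller bug rather than bad user input, so a KASSERT in debug builds alongside the EINVAL fallback would surface such a bug at the source instead of as a confusing errno at the syscall boundary. The two hunks differ only in their unchanged `while` context line (`size > 0 && uiop->uio_resid` on HEAD versus `size > 0` on RELENG_4), which is expected given the branch divergence and does not affect the change.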