Date:      Sun, 17 Mar 2002 23:20:04 -0800 (PST)
From:      David Greenman <dg@root.com>
To:        freebsd-bugs@FreeBSD.org
Subject:   Re: kern/36038: sendfile(2) on smbfs fails, exposes kernel memory to userspace
Message-ID:  <200203180720.g2I7K4J75063@freefall.freebsd.org>

The following reply was made to PR kern/36038; it has been noted by GNATS.

From: David Greenman <dg@root.com>
To: "Tim J. Robbins" <tim@robbins.dropbear.id.au>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: kern/36038: sendfile(2) on smbfs fails, exposes kernel memory to userspace
Date: Sun, 17 Mar 2002 23:12:28 -0800

 >sendfile(2) on a file on a smbfs mount usually fails with errno == EFAULT.
 >However, in certain situations it can accidentally leak what appears to
 >be random kernel memory.
 
    After a quick look at this, it appears that md_get_uio() (located in
 kern/sysbr_mchain.c) doesn't support UIO_NOCOPY, which sendfile() requires.
 This function (and its children) appear to be only used by smbfs.
 
 -DG
 
 David Greenman
 Co-founder, The FreeBSD Project - http://www.freebsd.org
 President, TeraSolutions, Inc. - http://www.terasolutions.com
 President, Download Technologies, Inc. - http://www.downloadtech.com
 Pave the road of life with opportunities.
