From owner-freebsd-bugs Mon Mar 18 14:20:11 2002
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id C22C537B417 for ; Mon, 18 Mar 2002 14:20:02 -0800 (PST)
Received: (from gnats@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g2IMK2S50958; Mon, 18 Mar 2002 14:20:02 -0800 (PST) (envelope-from gnats)
Date: Mon, 18 Mar 2002 14:20:02 -0800 (PST)
Message-Id: <200203182220.g2IMK2S50958@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
Cc:
From: "Tim J. Robbins"
Subject: Re: kern/36038: sendfile(2) on smbfs fails, exposes kernel memory to userspace
Reply-To: "Tim J. Robbins"
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

The following reply was made to PR kern/36038; it has been noted by GNATS.
From: "Tim J. Robbins"
To: David Greenman
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: kern/36038: sendfile(2) on smbfs fails, exposes kernel memory to userspace
Date: Tue, 19 Mar 2002 09:16:28 +1100

On Sun, Mar 17, 2002 at 11:12:28PM -0800, David Greenman wrote:
> After a quick look at this, it appears that md_get_uio() (located in
> kern/sysbr_mchain.c) doesn't support UIO_NOCOPY, which sendfile() requires.
> This function (and its children) appear to be only used by smbfs.

Thanks for helping to track down the bug so quickly. md_get_uio() made the incorrect assumption that anything other than UIO_SYSSPACE was UIO_USER(I)SPACE. I'm not sure how to implement UIO_NOCOPY for mchain, so these patches just make it return an error instead of trying to copy bogus data, leading to EFAULT or revealing contents of kernel memory.

Patch against HEAD:

Index: subr_mchain.c =================================================================== RCS file: /home/ncvs/src/sys/kern/subr_mchain.c,v retrieving revision 1.4 diff -u -r1.4 subr_mchain.c --- subr_mchain.c 2002/02/21 16:23:38 1.4 +++ subr_mchain.c 2002/03/18 22:13:41 @@ -273,8 +273,21 @@ long left; int mtype, error; - mtype = (uiop->uio_segflg == UIO_SYSSPACE) ? MB_MSYSTEM : MB_MUSER; - + switch (uiop->uio_segflg) { + case UIO_USERSPACE: + case UIO_USERISPACE: + mtype = MB_MUSER; + break; + case UIO_SYSSPACE: + mtype = MB_MSYSTEM; + break; + case UIO_NOCOPY: + /* XXX Not supported */ + return EOPNOTSUPP; + default: + return EINVAL; + } + while (size > 0 && uiop->uio_resid) { if (uiop->uio_iovcnt <= 0 || uiop->uio_iov == NULL) return EFBIG;

Patch against RELENG_4:

Index: subr_mchain.c =================================================================== RCS file: /home/ncvs/src/sys/kern/subr_mchain.c,v retrieving revision 1.2.2.1 diff -u -r1.2.2.1 subr_mchain.c --- subr_mchain.c 2001/05/18 11:01:21 1.2.2.1 +++ subr_mchain.c 2002/03/18 22:10:40
@@ -525,7 +525,21 @@ long left; int mtype, error; - mtype = (uiop->uio_segflg == UIO_SYSSPACE) ? MB_MSYSTEM : MB_MUSER; + switch (uiop->uio_segflg) { + case UIO_USERSPACE: + case UIO_USERISPACE: + mtype = MB_MUSER; + break; + case UIO_SYSSPACE: + mtype = MB_MSYSTEM; + break; + case UIO_NOCOPY: + /* XXX Not supported */ + return EOPNOTSUPP; + default: + return EINVAL; + } + while (size > 0) { if (uiop->uio_iovcnt <= 0 || uiop->uio_iov == NULL) return EFBIG;

Tim
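Review bot: in the HEAD hunk (@@ -273,8 +273,21 @@), the `/* XXX Not supported */` comment above `return EOPNOTSUPP;` should state why the UIO_NOCOPY arm exists, namely that sendfile(2) hands md_get_uio() a uio with that segflg and mchain has no way to satisfy it, so the next reader does not see an unexplained XXX on a security-relevant path; the same goes for the `default: return EINVAL;` arm, which now rejects any segflg value the old ternary silently treated as MB_MUSER. The shape of the fix is right: both error returns happen before the `while (size > 0 && uiop->uio_resid)` loop touches uiop->uio_iov, so nothing is copied and no uio state is consumed before the caller gets the error. If the mbchain(9) manual page documents md_get_uio(), its ERRORS section needs EOPNOTSUPP and EINVAL added. Minor: the hunk also drops the blank line after the old `mtype =` assignment and adds one after the closing `}`; harmless, but it could be left out to keep a security fix minimal.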
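Review bot: the RELENG_4 hunk (@@ -525,7 +525,21 @@) carries the same switch as HEAD, so the two branches stay in step, and it correctly leaves the differing loop condition (`while (size > 0) {` here versus `while (size > 0 && uiop->uio_resid) {` in HEAD) untouched. Two things belong in the commit message rather than only in this mail: first, that callers on RELENG_4 which previously reached MB_MUSER through the old `? MB_MSYSTEM : MB_MUSER` fallback with an unexpected segflg now get EINVAL, which is the intended hardening but is a visible behaviour change for anyone bisecting an smbfs regression; second, that after this change sendfile(2) on smbfs fails with EOPNOTSUPP instead of returning bogus data or kernel memory, so user programs need their read(2)/write(2) fallback path to work on smbfs.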