From: David Greenman
To: freebsd-bugs@FreeBSD.org
Date: Sun, 17 Mar 2002 23:20:04 -0800 (PST)
Message-Id: <200203180720.g2I7K4J75063@freefall.freebsd.org>
Subject: Re: kern/36038: sendfile(2) on smbfs fails, exposes kernel memory to userspace

The following reply was made to PR kern/36038; it has been noted by GNATS.

From: David Greenman
To: "Tim J. Robbins"
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: kern/36038: sendfile(2) on smbfs fails, exposes kernel memory to userspace
Date: Sun, 17 Mar 2002 23:12:28 -0800

>sendfile(2) on a file on a smbfs mount usually fails with errno == EFAULT.
>However, in certain situations it can accidentally leak what appears to
>be random kernel memory.

After a quick look at this, it appears that md_get_uio() (located in
kern/sysbr_mchain.c) doesn't support UIO_NOCOPY, which sendfile() requires.
This function (and its children) appear to be only used by smbfs.

-DG

David Greenman
Co-founder, The FreeBSD Project - http://www.freebsd.org
President, TeraSolutions, Inc. - http://www.terasolutions.com
President, Download Technologies, Inc. - http://www.downloadtech.com

Pave the road of life with opportunities.
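Added example, not part of the message above and not FreeBSD code: a user-space C model of a copy routine that recognises only two of three segment flags, next to one that handles each flag explicitly. All names are hypothetical, and the two-way branch is an assumed illustration of "doesn't support UIO_NOCOPY", not the actual body of md_get_uio().

```c
/* Added example: user-space model, not FreeBSD kernel code. All names are hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <string.h>

enum seg { SEG_USER, SEG_SYS, SEG_NOCOPY };  /* models UIO_USERSPACE/UIO_SYSSPACE/UIO_NOCOPY */

struct xfer {
    enum seg seg;   /* which kind of destination this is */
    char *base;     /* destination; carries no meaning for SEG_NOCOPY */
    size_t resid;   /* bytes still wanted */
};

/* Stand-in for copyout(): fails when the destination is not a valid user buffer. */
static int model_copyout(const char *src, char *dst, size_t n) {
    if (dst == NULL) return EFAULT;
    memcpy(dst, src, n);
    return 0;
}

/* Assumed failure mode: only SEG_SYS is recognised, everything else is a user copy. */
int get_two_way(const char *src, size_t n, struct xfer *x) {
    int error = 0;
    if (n > x->resid) n = x->resid;
    if (x->seg == SEG_SYS) memcpy(x->base, src, n);
    else error = model_copyout(src, x->base, n);
    if (error) return error;
    x->base += n; x->resid -= n;
    return 0;
}

/* Every flag handled explicitly; unknown flags are rejected instead of guessed at. */
int get_checked(const char *src, size_t n, struct xfer *x) {
    int error = 0;
    if (n > x->resid) n = x->resid;
    switch (x->seg) {
    case SEG_SYS:    memcpy(x->base, src, n); break;
    case SEG_USER:   error = model_copyout(src, x->base, n); break;
    case SEG_NOCOPY: break;            /* no copy: only account for the bytes */
    default:         return EINVAL;
    }
    if (error) return error;
    if (x->seg != SEG_NOCOPY) x->base += n;   /* base is not a real pointer for NOCOPY */
    x->resid -= n;
    return 0;
}
```

In the model, a SEG_NOCOPY request with no usable destination returns EFAULT from the two-way routine, while the checked routine only updates the byte count.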