fea1a98ead
freebsd32_sendmsg() and freebsd32_recvmsg() both copyin the message header twice, once directly and once in freebsd32_copyinmsghdr(). The iovec length from the former is used when copying in msg_iov, but the rest of the kernel uses the iovec length from the latter. When kern_sendit() and kern_recvit() iterate over the iovec to compute the residual for I/O, they can therefore end up walking past the end of the copied in iovec, either resulting in a system call error, userspace memory corruption from uiomove() with invalid iovecs, or a kernel page fault if the copied-in iovec is followed by an unmapped KVA region. Reported by: syzbot+7cc64cd0c49605acd421@syzkaller.appspotmail.com Reviewed by: kib, emaste MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D32010 |
||
|---|---|---|
| .. | ||
| cloudabi | ||
| cloudabi32 | ||
| cloudabi64 | ||
| freebsd32 | ||
| ia32 | ||
| lindebugfs | ||
| linprocfs | ||
| linsysfs | ||
| linux | ||
| linuxkpi/common | ||
| x86bios | ||