Mirror of https://github.com/opnsense/src.git (synced 2026-04-29 01:59:38 -04:00)
freebsd32_sendmsg() and freebsd32_recvmsg() both copyin the message header twice, once directly and once in freebsd32_copyinmsghdr(). The iovec length from the former is used when copying in msg_iov, but the rest of the kernel uses the iovec length from the latter. When kern_sendit() and kern_recvit() iterate over the iovec to compute the residual for I/O, they can therefore end up walking past the end of the copied-in iovec, either resulting in a system call error, userspace memory corruption from uiomove() with invalid iovecs, or a kernel page fault if the copied-in iovec is followed by an unmapped KVA region.

Reported by: syzbot+7cc64cd0c49605acd421@syzkaller.appspotmail.com
Reviewed by: kib, emaste
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D32010
| File |
|---|
| capabilities.conf |
| freebsd32.h |
| freebsd32_capability.c |
| freebsd32_ioctl.c |
| freebsd32_ioctl.h |
| freebsd32_ipc.h |
| freebsd32_misc.c |
| freebsd32_misc.h |
| freebsd32_proto.h |
| freebsd32_signal.h |
| freebsd32_syscall.h |
| freebsd32_syscalls.c |
| freebsd32_sysent.c |
| freebsd32_systrace_args.c |
| freebsd32_util.h |
| Makefile |
| syscalls.conf |
| syscalls.master |
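The commit message above describes a classic double fetch: the msghdr is copied in twice, and because a user thread can rewrite `msg_iovlen` between the two copies, the count used to size the copied-in iovec and the count used to walk it can differ. The following C program is an added user-space model of that pattern; it is not FreeBSD or OPNsense code and is not part of the commit. The reduced `msghdr32`/`iovec32` structs, the `copyin()` stand-in with its racer hook, and the names `sendmsg_vulnerable`, `sendmsg_fixed`, `run_scenario` and `bump_iovlen` are all assumptions of the model. The real handler has no overrun guard, so the `E_OVERRUN` return here marks the point where the kernel would read past the copied-in iovec (and, per the message, fault or feed garbage iovecs to uiomove()).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define UIO_MAXIOV 1024   /* iovec count limit, as in the FreeBSD kernel */
#define E_INVAL   (-1)    /* msg_iovlen out of range */
#define E_OVERRUN (-2)    /* walk would pass the end of the copied-in iovec */

/* 32-bit ABI layouts reduced to the fields the bug involves (assumption of this model). */
struct iovec32  { uint32_t iov_base; uint32_t iov_len; };
struct msghdr32 { uint32_t msg_iov;  uint32_t msg_iovlen; };

/* Simulated user address space: the header and the iovec array it refers to. */
struct user_space {
    struct msghdr32 hdr;
    struct iovec32  iov[UIO_MAXIOV];
};

/* Stand-in for a second user thread racing the syscall; invoked after every copyin(). */
static void (*racer)(struct user_space *) = NULL;

/* Model of copyin(9): copy user memory into the kernel, then let the racer run. */
static void copyin(void *dst, const void *src, size_t len, struct user_space *us)
{
    memcpy(dst, src, len);
    if (racer != NULL)
        racer(us);
}

/* Pre-fix behaviour: the header is fetched twice and the two msg_iovlen values are mixed. */
static int sendmsg_vulnerable(struct user_space *us, size_t *resid)
{
    struct msghdr32 h1, h2;
    struct iovec32 *kiov;
    uint32_t n_copied, n_walked, i;
    size_t sum = 0;

    copyin(&h1, &us->hdr, sizeof(h1), us);                 /* first fetch */
    n_copied = h1.msg_iovlen;
    if (n_copied > UIO_MAXIOV)
        return E_INVAL;
    kiov = calloc(n_copied ? n_copied : 1, sizeof(*kiov));
    copyin(kiov, us->iov, n_copied * sizeof(*kiov), us);   /* msg_iov sized by the first fetch */

    copyin(&h2, &us->hdr, sizeof(h2), us);                 /* second fetch (freebsd32_copyinmsghdr) */
    n_walked = h2.msg_iovlen;                              /* the count the rest of the path uses */

    for (i = 0; i < n_walked; i++) {
        if (i >= n_copied) {            /* the real kernel has no such guard: this is where */
            free(kiov);                 /* it walks past the end of the copied-in iovec */
            return E_OVERRUN;
        }
        sum += kiov[i].iov_len;
    }
    free(kiov);
    *resid = sum;
    return 0;
}

/* Post-fix behaviour: one fetch, and the same msg_iovlen sizes both the copy and the walk. */
static int sendmsg_fixed(struct user_space *us, size_t *resid)
{
    struct msghdr32 h;
    struct iovec32 *kiov;
    uint32_t i;
    size_t sum = 0;

    copyin(&h, &us->hdr, sizeof(h), us);
    if (h.msg_iovlen > UIO_MAXIOV)
        return E_INVAL;
    kiov = calloc(h.msg_iovlen ? h.msg_iovlen : 1, sizeof(*kiov));
    copyin(kiov, us->iov, h.msg_iovlen * sizeof(*kiov), us);
    for (i = 0; i < h.msg_iovlen; i++)                     /* bounded by what was copied */
        sum += kiov[i].iov_len;
    free(kiov);
    *resid = sum;
    return 0;
}

/* Constructed racing thread: grows msg_iovlen from 2 to 4 between the kernel's fetches. */
static void bump_iovlen(struct user_space *us) { us->hdr.msg_iovlen = 4; }

/* Constructed scenario: two real iovecs (100 and 23 bytes) plus two that are never copied in. */
static int run_scenario(int race, int (*handler)(struct user_space *, size_t *), size_t *resid)
{
    static struct user_space us;

    memset(&us, 0, sizeof(us));
    us.hdr.msg_iovlen = 2;
    us.iov[0].iov_len = 100;
    us.iov[1].iov_len = 23;
    us.iov[2].iov_len = 0xdead;   /* beyond the copy; walking here is the bug */
    us.iov[3].iov_len = 0xbeef;
    racer = race ? bump_iovlen : NULL;
    return handler(&us, resid);
}

int main(void)
{
    size_t resid = 0;
    int rc = run_scenario(1, sendmsg_vulnerable, &resid);
    printf("vulnerable, racing msg_iovlen: rc=%d (E_OVERRUN=%d)\n", rc, E_OVERRUN);
    rc = run_scenario(1, sendmsg_fixed, &resid);
    printf("fixed, racing msg_iovlen:      rc=%d resid=%zu\n", rc, resid);
    return 0;
}
```

Without the race both handlers agree on a residual of 123 bytes; with the racer active, the double-fetch version tries to walk four entries of a two-entry kernel copy, while the single-fetch version never uses a count it did not itself copy, which is exactly the invariant the fix restores.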