---
- branch: netbsd-9
  date: Thu Jan 2 09:50:34 UTC 2020
  files:
  - new: 1.35.4.1
    old: '1.35'
    path: src/sys/compat/common/kern_sig_43.c
    pathrev: src/sys/compat/common/kern_sig_43.c@1.35.4.1
    type: modified
  - new: 1.38.4.1
    old: '1.38'
    path: src/sys/compat/netbsd32/netbsd32_compat_20.c
    pathrev: src/sys/compat/netbsd32/netbsd32_compat_20.c@1.38.4.1
    type: modified
  - new: 1.57.4.2
    old: 1.57.4.1
    path: src/sys/compat/netbsd32/netbsd32_compat_43.c
    pathrev: src/sys/compat/netbsd32/netbsd32_compat_43.c@1.57.4.2
    type: modified
  - new: 1.39.2.2
    old: 1.39.2.1
    path: src/sys/compat/netbsd32/netbsd32_compat_50.c
    pathrev: src/sys/compat/netbsd32/netbsd32_compat_50.c@1.39.2.2
    type: modified
  id: 20200102T095034Z.0ca7734a3e05a7fb05d8bbdb34af38e2e16847c9
  log: |
    Pull up following revision(s) (requested by maxv in ticket #597):

    	sys/compat/common/kern_sig_43.c: revision 1.36
    	sys/compat/netbsd32/netbsd32_compat_20.c: revision 1.39
    	sys/compat/netbsd32/netbsd32_compat_43.c: revision 1.59
    	sys/compat/netbsd32/netbsd32_compat_50.c: revision 1.44

    Fix sizeof mismatch in copyin. This leads to a user-triggerable stack
    overflow. On my test build at least, by luck, the compiler orders the
    variables in a way that the overflow hits only local structures which
    haven't yet been initialized and used, so the overflow is harmless.

    Very easily seeable with kASan - just invoke the syscall from a 32bit
    binary.

    Fix three stack info leaks, found by kMSan when just invoking all syscalls
    with a zero page as argument.

    MSan: Uninitialized Stack Memory In copyout() At Offset 0, Variable 'sb32' From compat_20_netbsd32_getfsstat()
    MSan: Uninitialized Stack Memory In copyout() At Offset 12, Variable 'oss' From compat_43_sys_sigstack()
    MSan: Uninitialized Stack Memory In copyout() At Offset 0, Variable 'sb' From compat_50_netbsd32___fhstat40()
  module: src
  subject: 'CVS commit: [netbsd-9] src/sys/compat'
  unixtime: '1577958634'
  user: martin