Received: by mail.netbsd.org (Postfix, from userid 605) id 482018504A; Sat, 27 Jun 2020 07:00:44 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id BB10885049 for ; Sat, 27 Jun 2020 07:00:43 +0000 (UTC)
X-Virus-Scanned: amavisd-new at netbsd.org
Received: from mail.netbsd.org ([IPv6:::1]) by localhost (mail.netbsd.org [IPv6:::1]) (amavisd-new, port 10025) with ESMTP id LV1CmqO1ymtb for ; Sat, 27 Jun 2020 07:00:43 +0000 (UTC)
Received: from cvs.NetBSD.org (ivanova.netbsd.org [199.233.217.197]) by mail.netbsd.org (Postfix) with ESMTP id 5BE9984DE8 for ; Sat, 27 Jun 2020 07:00:43 +0000 (UTC)
Received: by cvs.NetBSD.org (Postfix, from userid 500) id 540CCFB28; Sat, 27 Jun 2020 07:00:43 +0000 (UTC)
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="US-ASCII"
MIME-Version: 1.0
Date: Sat, 27 Jun 2020 07:00:43 +0000
From: "Maxime Villard"
Subject: CVS commit: src/sys/compat/sys
To: source-changes@NetBSD.org
X-Mailer: log_accum
Message-Id: <20200627070043.540CCFB28@cvs.NetBSD.org>
Sender: source-changes-owner@NetBSD.org
List-Id: source-changes.NetBSD.org
Precedence: bulk
Reply-To: source-changes-d@NetBSD.org
Mail-Reply-To: "Maxime Villard"
Mail-Followup-To: source-changes-d@NetBSD.org
List-Unsubscribe:

Module Name:    src
Committed By:   maxv
Date:           Sat Jun 27 07:00:43 UTC 2020

Modified Files:
        src/sys/compat/sys: mount.h

Log Message:
Yet another idiotic compat syscall that was developed with literally zero
tests made. Simply invoking this syscall with _valid parameters_ triggers
a fatal fault, because the kernel tries to write to userland addresses.
With specially-crafted parameters it is easy to completely escalate
privileges into the kernel.

Also the size of the allocation is just obviously wrong, but it looks
like the callers are even more wrong, so not gonna fix it for now.
Reported-by: syzbot+b05096f3114b2820d81c@syzkaller.appspotmail.com


To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.12 src/sys/compat/sys/mount.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
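The bug class the log message describes, as an added illustration that is not NetBSD's code and not the syscall fixed in mount.h: a handler that writes its result straight through a caller-supplied pointer instead of going through copyout(9). The "address space" below is two ordinary arrays, `copyout_mock` stands in for the real copyout(9), and `struct fake_cred`, `struct compat_rec`, `sys_getrec_buggy` and `sys_getrec_fixed` are invented names. With the buggy handler, a caller who passes a kernel address as the output buffer gets the kernel to overwrite it with partly caller-chosen data (here the uid field); the fixed handler validates the buffer size and lets copyout reject the address with EFAULT.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a process address space: "user" and "kernel"
 * memory are two arrays, so everything here runs in userland.  Nothing
 * below is NetBSD's code; all names are invented for illustration. */
static union { unsigned char b[256]; uint64_t align; } user_mem, kern_mem;

/* Fake credential record in "kernel" memory: whoever can make the kernel
 * write here chooses the effective uid. */
struct fake_cred { uint32_t uid; uint32_t gid; };
#define CRED_OFF 64
static struct fake_cred *kern_cred(void)
{
	return (struct fake_cred *)(kern_mem.b + CRED_OFF);
}

/* Placeholder for the compat record the syscall hands back. */
struct compat_rec { uint32_t f_flag; uint32_t f_bsize; char f_mntonname[8]; };

/* Is [ua, ua+len) entirely inside the simulated user range? */
static int uaddr_in_range(uintptr_t ua, size_t len)
{
	uintptr_t lo = (uintptr_t)user_mem.b, hi = lo + sizeof user_mem.b, end;
	if (__builtin_add_overflow(ua, len, &end))
		return 0;
	return ua >= lo && end <= hi;
}

/* Mock of copyout(9): the only sanctioned way to write to userland.
 * The real one also catches the page fault for an unmapped address. */
static int copyout_mock(const void *kaddr, void *uaddr, size_t len)
{
	if (!uaddr_in_range((uintptr_t)uaddr, len))
		return EFAULT;
	memcpy(uaddr, kaddr, len);
	return 0;
}

/* Stand-in for the real work: build one record for the caller. */
static void fill_rec(struct compat_rec *r, uint32_t flag)
{
	memset(r, 0, sizeof *r);
	r->f_flag = flag;
	r->f_bsize = 4096;
	memcpy(r->f_mntonname, "/", 2);
}

/* Buggy pattern: the caller's pointer is dereferenced directly from
 * kernel context.  Where user/kernel separation is enforced a valid
 * pointer faults; otherwise a forged pointer is an arbitrary kernel
 * write with partly caller-chosen contents. */
static int sys_getrec_buggy(void *ubuf, uint32_t flag)
{
	struct compat_rec r;
	fill_rec(&r, flag);
	memcpy(ubuf, &r, sizeof r);	/* no validation, no copyout */
	return 0;
}

/* Fixed pattern: check the caller's size, then go through copyout. */
static int sys_getrec_fixed(void *ubuf, size_t ubufsz, uint32_t flag)
{
	struct compat_rec r;
	if (ubufsz < sizeof r)
		return EINVAL;
	fill_rec(&r, flag);
	return copyout_mock(&r, ubuf, sizeof r);
}

/* Caller passes the cred address as the output buffer with flag = 0;
 * the buggy handler overwrites uid with it.  Returns the uid afterwards. */
uint32_t buggy_uid_after_kernel_ptr(void)
{
	kern_cred()->uid = 1000;
	kern_cred()->gid = 1000;
	(void)sys_getrec_buggy(kern_cred(), 0);
	return kern_cred()->uid;
}

/* Same call against the fixed handler: 1 if it returned EFAULT and
 * left the uid alone, 0 otherwise. */
int fixed_rejects_kernel_ptr(void)
{
	kern_cred()->uid = 1000;
	int rv = sys_getrec_fixed(kern_cred(), sizeof(struct compat_rec), 0);
	return rv == EFAULT && kern_cred()->uid == 1000;
}

/* Legitimate call with a real user buffer: returns the f_flag the
 * caller reads back, so the happy path is exercised too. */
uint32_t fixed_flag_via_user_ptr(void)
{
	struct compat_rec *ub = (struct compat_rec *)user_mem.b;
	if (sys_getrec_fixed(ub, sizeof *ub, 0x1234) != 0)
		return 0;
	return ub->f_flag;
}

/* A buffer too short for one record is refused before any copy. */
int fixed_short_buffer_errno(void)
{
	return sys_getrec_fixed(user_mem.b, 4, 0);
}

int main(void)
{
	printf("buggy: uid after forged pointer = %u\n", buggy_uid_after_kernel_ptr());
	printf("fixed: rejects kernel pointer   = %d\n", fixed_rejects_kernel_ptr());
	printf("fixed: f_flag via user buffer   = 0x%x\n", fixed_flag_via_user_ptr());
	printf("fixed: short buffer errno       = %d\n", fixed_short_buffer_errno());
	return 0;
}
```

The real copyout(9) returns EFAULT for an unmapped or kernel address rather than letting the kernel take a fatal fault, and the fixed handler propagates that error to the caller; the size check before the copy is the part the log message says is still wrong in the callers.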