Sat Jun 27 07:00:43 2020 UTC ()
Yet another idiotic compat syscall that was developed with literally zero
testing. Simply invoking this syscall with _valid parameters_ triggers a
fatal fault, because the kernel tries to write to userland addresses.

With specially-crafted parameters it is easy to completely escalate
privileges into the kernel.

Also the size of the allocation is just obviously wrong, but it looks like
the callers are even more wrong, so not gonna fix it for now.

Reported-by: syzbot+b05096f3114b2820d81c@syzkaller.appspotmail.com


(maxv)
diff -r1.11 -r1.12 src/sys/compat/sys/mount.h


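--- a/src/sys/compat/sys/mount.h
+++ b/src/sys/compat/sys/mount.h
@@ -1,14 +1,14 @@
-/* $NetBSD: mount.h,v 1.11 2019/10/04 01:28:02 christos Exp $ */
+/* $NetBSD: mount.h,v 1.12 2020/06/27 07:00:43 maxv Exp $ */
 
 /*
  * Copyright (c) 1989, 1991, 1993
  * The Regents of the University of California. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  * notice, this list of conditions and the following disclaimer in the
  * documentation and/or other materials provided with the distribution.
@@ -130,27 +130,27 @@ statvfs_to_statfs12(const struct statvfs
 memcpy(s12->f_fstypename, fs->f_fstypename, sizeof(s12->f_fstypename));
 memcpy(s12->f_mntonname, fs->f_mntonname, sizeof(s12->f_mntonname));
 memcpy(s12->f_mntfromname, fs->f_mntfromname,
 sizeof(s12->f_mntfromname));
 }
 
 #ifdef _KERNEL
 static __inline int
 statvfs_to_statfs12_copy(const void *vs, void *vs12, size_t l)
 {
 struct statfs12 *s12 = STATVFSBUF_GET();
 int error;
 
-statvfs_to_statfs12(vs, vs12);
+statvfs_to_statfs12(vs, s12);
 error = copyout(s12, vs12, l);
 STATVFSBUF_PUT(s12);
 
 return error;
 }
 
 /*
 * Filesystem configuration information. Not used by NetBSD, but
 * defined here to provide a compatible sysctl interface to Lite2.
 */
 struct vfsconf {
 struct vfsops *vfc_vfsops; /* filesystem operations vector */
 char vfc_name[MFSNAMELEN]; /* filesystem type name */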
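Review bot: The corrected call now fills the kernel-side s12, but `copyout(s12, vs12, l)` on the following line still trusts the caller-supplied `l` unconditionally, so any `l` larger than `sizeof(*s12)` copies bytes beyond the converted struct out to userland — stale contents of the STATVFSBUF_GET buffer, or memory past the buffer altogether if `l` exceeds its size, which the commit message itself says is wrong. A clamp before the copy, `if (l > sizeof(*s12)) l = sizeof(*s12);` (or returning EINVAL), bounds the disclosure in this helper regardless of how the callers are repaired later. Whether statvfs_to_statfs12 also clears struct padding in s12 cannot be judged here because its body begins above the hunk; a `memset(s12, 0, sizeof(*s12));` ahead of the conversion would close that gap too.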