Pass the right size to memcpy() when copying the array of FP registers.
ClosedPublic

Authored by jhb on Jul 23 2020, 8:16 PM.

Details

Summary

The size of the containing structure was passed instead of the size of
the array. This happened to be harmless as the extra word copied is
one we copy in the next line anyway.

Obtained from: CheriBSD

Test Plan
  • using CHERI in the kernel on RISC-V found this buffer overflow since the pointer passed to memcpy had bounds on the array, not the containing structure
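
The mistake the summary describes, as an added example that is not code from this revision or from FreeBSD: the struct, its field names and the `bounded_copy` helper are hypothetical stand-ins, and the explicit length check models the array-sized bounds that CHERI placed on the pointer.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical layout: an FP register array followed by one status word. */
struct fp_demo {
	uint64_t fp_x[32][2];
	uint64_t fp_fcsr;
};

/* Bytes by which an n-byte copy starting at fp_x runs past the array. */
size_t overrun(size_t n)
{
	size_t arr = sizeof(((struct fp_demo *)0)->fp_x);
	return n > arr ? n - arr : 0;
}

/* Software stand-in for a bounded pointer: refuse a copy larger than the
 * object either pointer refers to (this would be a fault on CHERI). */
int bounded_copy(void *dst, size_t dlen, const void *src, size_t slen, size_t n)
{
	if (n > dlen || n > slen)
		return -1;
	memcpy(dst, src, n);
	return 0;
}

/* Array copy followed by the status word, with the size under test. */
int copy_regs(struct fp_demo *d, const struct fp_demo *s, size_t n)
{
	if (bounded_copy(d->fp_x, sizeof(d->fp_x), s->fp_x, sizeof(s->fp_x), n) != 0)
		return -1;
	d->fp_fcsr = s->fp_fcsr;
	return 0;
}

/* Constructed sample register contents. */
static void fill(struct fp_demo *s) { memset(s, 0xa5, sizeof(*s)); s->fp_fcsr = 0x1f; }

int demo_fixed(void) { struct fp_demo s, d; fill(&s); return copy_regs(&d, &s, sizeof(s.fp_x)); }
int demo_buggy(void) { struct fp_demo s, d; fill(&s); return copy_regs(&d, &s, sizeof(s)); }

/* With only whole-structure bounds the over-long copy yields the same bytes. */
int demo_harmless(void)
{
	struct fp_demo s, a, b;
	fill(&s);
	memcpy(&a, &s, sizeof(a));	/* array plus the word that follows it */
	a.fp_fcsr = s.fp_fcsr;		/* the "next line" rewrites that word */
	copy_regs(&b, &s, sizeof(s.fp_x));
	return memcmp(&a, &b, sizeof(a)) == 0;
}
```
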

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 32517
Build 29989: arc lint + arc unit