From owner-doc-jp@jp.freebsd.org  Mon Sep  4 05:26:01 2000
Message-Id: <200009032025.FAA12312@mail.geocities.co.jp>
To: doc-jp@jp.freebsd.org
In-Reply-To: <39B26411.1AF62088@mail.wbs.ne.jp>
References: <20000828194347.2D1A537B662@hub.freebsd.org>
	<200009030024.JAA27944@mail.geocities.co.jp>
	<39B26411.1AF62088@mail.wbs.ne.jp>
X-Mailer: Mew version 1.94.1 on Emacs 19.34 / Mule 2.3 (SUETSUMUHANA)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Date: Mon, 04 Sep 2000 05:25:48 +0900
From: Hiroki Sato <hrs@geocities.co.jp>
X-Dispatcher: imput version 990905(IM130)
Lines: 60
Reply-To: doc-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+000315
X-Sequence: doc-jp 7670
Subject: [doc-jp 7670] Re: ANNOUNCE: FreeBSD Security Advisory: 
 FreeBSD-SA-00:41.elf
Errors-To: owner-doc-jp@jp.freebsd.org
Sender: owner-doc-jp@jp.freebsd.org
X-Originator: hrs@geocities.co.jp

$B:4F#!wEl5~M}2JBg3X$G$9!#(B

Hiroki Sato <hrs@geocities.co.jp> wrote
 in <200009030024.JAA27944@mail.geocities.co.jp>:

>  1) a sign overflow bug
> 
>    I don't really understand how this behaves.

 After tracing through the source, I mostly understand it.

 In ${SYSSRC}/kern/imgact_elf.c, the function

 static int
 elf_load_section(struct proc *p, struct vmspace *vmspace,
                struct vnode *vp, vm_offset_t offset, caddr_t vmaddr,
                size_t memsz, size_t filsz, vm_prot_t prot)

 $B$G(B elf $B%X%C%@$K$"$k%U%!%$%k%5%$%:(B size_t filesz $B$H(B
 $B%*%U%;%C%H(B off_t offset $B$+$i%^%C%W$9$k%Z!<%8?t(B
 size_t map_len $B$r(B

 file_addr = trunc_page(offset);
 map_len = round_page(offset+filsz) - file_addr;

 and that seems to be the problem... I think?

 This is passed to

 vm_map_insert(&vmspace->vm_map,
                object,
                file_addr,        /* file offset */
                map_addr,         /* virtual start */
                map_addr + map_len,/* virtual end */
                prot,
                VM_PROT_ALL,
                MAP_COPY_ON_WRITE | MAP_PREFAULT);

 $B$KEO$5$l$F!":G=*E*$K(B pmap_init_pt $B$X(B map_len $B$,EAGE!#(B
 map_len $B$O(B size_t $B$NBg$-$5$r;}$C$F$$$k$3$H$+$i(B
 offset+filesz > 2^(8*^sizeof(size_t)) $B$N$H$-$K(B
 offset+filesz $B$OIiJ}8~$K%i%C%W%"%i%&%s%I$7$F$7$^$$!"(B
 unsigned $B$G9M$($k$HHs>o$KBg$-$JCM$K$J$k(B -> $B$,$s$P$C$F(B
 alloc $B$7$h$&$H$7$F;_$^$k!"$H$$$&LOMM!#(B

 cvs log $B$K$O(B subtract $B$G%Z!<%8?t$,Ii$K$J$C$F$7$^$&$N$,(B
 $B860x$@$H=q$+$l$F$$$^$7$?!#B>$N%k!<%A%s$G$O(B
 $B$@$$$?$$%A%'%C%/$,F~$C$F$$$k$h$&$J$N$G(B
 $B$3$l$C$]$$$s$G$9$,!"$3$l$@$H(B filesz+offset $B$,(B size_t $B$r(B
 $BD6$($k%P%$%J%j(B ($B8=<BE*$K$"$jF@$k$+$I$&$+$OITL@(B) $B$O(B
 $B$9$Y$FF0$+$J$$$3$H$K$J$k$N$G!"$3$3$G$O$J$$$N$+$bCN$l$^$;$s!#(B

  # sign overflow bug $B$O(B
  # $BLu$72<$7$F$7$^$C$?J}$,NI$$$+$J$!!E!E!#(B

--
| $B:4F#(B $B9-@8!wEl5~M}2JBg3X(B <hrs@geocities.co.jp>
|
|                                sato@sekine00.ee.noda.sut.ac.jp(UNIV)
|                                     hrs@FreeBSD.org(FreeBSD Project)
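
Added example (not part of the original message and not FreeBSD source): the map_len arithmetic quoted above, evaluated in size_t, next to a guarded variant that rejects inputs whose sum wraps. The 4 KiB page size, the *_ex helper names, the sample header values and the guard itself are assumptions made for illustration; the guard is not the fix that was committed for the advisory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed 4 KiB pages; *_ex helpers are stand-ins for the kernel macros. */
#define PAGE_MASK_EX ((size_t)4096 - 1)

static size_t trunc_page_ex(size_t x) { return x & ~PAGE_MASK_EX; }
static size_t round_page_ex(size_t x) { return (x + PAGE_MASK_EX) & ~PAGE_MASK_EX; }

/* The two quoted statements, evaluated in size_t with no range check. */
size_t map_len_unchecked(size_t offset, size_t filsz)
{
    size_t file_addr = trunc_page_ex(offset);
    return round_page_ex(offset + filsz) - file_addr;
}

/* Hypothetical guard: refuse inputs whose sum or page round-up would wrap. */
bool map_len_checked(size_t offset, size_t filsz, size_t *map_len)
{
    if (filsz > SIZE_MAX - offset)
        return false;                       /* offset + filsz wraps */
    size_t end = offset + filsz;
    if (end > SIZE_MAX - PAGE_MASK_EX)
        return false;                       /* round_page(end) wraps */
    *map_len = round_page_ex(end) - trunc_page_ex(offset);
    return true;
}

int main(void)
{
    /* Constructed header values, not taken from any real binary. */
    size_t offset = 0x3000, filsz = SIZE_MAX - 0x1000, len = 0;

    printf("unchecked map_len = %#zx\n", map_len_unchecked(offset, filsz));
    printf("checked accepts   = %d\n", map_len_checked(offset, filsz, &len));
    printf("sane input        = %#zx\n", map_len_unchecked(0x1234, 0x2000));
    return 0;
}
```

With the constructed values the sum wraps to 0x1fff, rounds up to 0x2000, and subtracting file_addr 0x3000 leaves a map_len of -0x1000 reinterpreted as a huge unsigned length.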
