9ns: fix format-string vulnerability in cmderror()
author Barret Rhoden <brho@cs.berkeley.edu>
Thu, 9 May 2019 00:26:12 +0000 (20:26 -0400)
committer Barret Rhoden <brho@cs.berkeley.edu>
Thu, 9 May 2019 00:26:12 +0000 (20:26 -0400)
commit f24797cdfdfd67cea63a9c6f1e6cd4b07c76a2c6
tree 6577542783ca6ee38b40ee3ce6d524987377244e
parent d8ea787e72600cb97b19e2cd96b63745b2a4b0fb
9ns: fix format-string vulnerability in cmderror()

In cmderror(), the genbuf is filled with user-controlled data via the
seprintf() calls.  That data could consist of a %s.  That genbuf was
passed to error(), which takes a format string.  Thus userspace could
set the format string passed to error, triggering a page fault (at
least).

Reported-by: syzbot+36f58f45c1902ffdca18@syzkaller.appspotmail.com
Signed-off-by: Barret Rhoden <brho@cs.berkeley.edu>
kern/src/ns/parse.c
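
The bug class described in the commit message, shown as an added example that is not the Akaros source or this commit's diff: `demo_error()`, `build_genbuf()`, `report_unsafe()` and `report_safe()` are hypothetical stand-ins, and the `"%s"` wrapper is the usual fix for this pattern, assumed here rather than taken from the patch. The constructed input uses only `%%`, which consumes no argument, so the difference is visible without undefined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define GENBUF_SZ 128

/* Hypothetical stand-in for a kernel error(fmt, ...): formats into a
 * static buffer and returns it instead of unwinding. */
static char last_error[GENBUF_SZ];

static const char *demo_error(const char *fmt, ...)
{
	va_list ap;

	va_start(ap, fmt);
	vsnprintf(last_error, sizeof(last_error), fmt, ap);
	va_end(ap);
	return last_error;
}

/* Same shape as the message describes: fixed prefix plus user-supplied text. */
static void build_genbuf(char *genbuf, size_t len, const char *user_cmd)
{
	snprintf(genbuf, len, "bad command: %s", user_cmd);
}

/* BEFORE: the buffer holding user data is itself used as the format string. */
const char *report_unsafe(const char *user_cmd)
{
	char genbuf[GENBUF_SZ];

	build_genbuf(genbuf, sizeof(genbuf), user_cmd);
	return demo_error(genbuf);
}

/* AFTER: constant format string; user data is only ever an argument. */
const char *report_safe(const char *user_cmd)
{
	char genbuf[GENBUF_SZ];

	build_genbuf(genbuf, sizeof(genbuf), user_cmd);
	return demo_error("%s", genbuf);
}

int main(void)
{
	const char *input = "set rate 100%%";	/* constructed sample input */

	printf("unsafe: %s\n", report_unsafe(input));
	printf("safe:   %s\n", report_safe(input));
	return 0;
}
```

Declaring the real error routine with `__attribute__((format(printf, N, M)))` lets GCC and Clang flag the "before" call under `-Wformat-security`.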