Hold a read lock on the map while copying out data during a sysctl(2) call

to prevent another thread from unmapping the memory and triggering
an assertion or even corrupting random physical memory pages.

This fix is similar to the change in uvm_glue.c rev. 1.74.  However in this
case we need to be careful since some sysctl(2) calls look at the map of
the current process.  In those cases we must not attempt to lock the map
again.

ok mpi@

Should fix:
Reported-by: syzbot+be89fe83d6c004fcb412@syzkaller.appspotmail.com

1 files changed, 3 insertions, 1 deletions

diff --git a/sys/uvm/uvm_io.c b/sys/uvm/uvm_io.c
index 96a9ba543b1..e18df842fe1 100644
--- a/sys/uvm/uvm_io.c
+++ b/sys/uvm/uvm_io.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: uvm_io.c,v 1.27 2021/03/20 10:24:21 mpi Exp $	*/
+/*	$OpenBSD: uvm_io.c,v 1.28 2022/03/11 19:24:19 kettenis Exp $	*/
 /*	$NetBSD: uvm_io.c,v 1.12 2000/06/27 17:29:23 mrg Exp $	*/
 
 /*
@@ -86,6 +86,8 @@ uvm_io(vm_map_t map, struct uio *uio, int flags)
 	extractflags = 0;
 	if (flags & UVM_IO_FIXPROT)
 		extractflags |= UVM_EXTRACT_FIXPROT;
+	if (flags & UVM_IO_RDLOCKED)
+		extractflags |= UVM_EXTRACT_RDLOCKED;
 
 	/*
 	 * step 1: main loop...  while we've got data to move