The shared unlock_user at the end of do_freebsd_kenv used the (potentially modified) len variable for all cases, including KENV_SET, which locks with VERIFY_READ. Unlock the KENV_SET buffer inline with writeback length 0 so it doesn't spuriously write back to user memory.
Signed-off-by: Warner Losh <[email protected]> --- bsd-user/freebsd/os-misc.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/bsd-user/freebsd/os-misc.h b/bsd-user/freebsd/os-misc.h index 7ee903a5ba..204d8ebd3d 100644 --- a/bsd-user/freebsd/os-misc.h +++ b/bsd-user/freebsd/os-misc.h @@ -495,6 +495,8 @@ static inline abi_long do_freebsd_kenv(abi_long action, abi_ulong name, break; } ret = kenv(action, gname, gvalue, len); + unlock_user(gvalue, value, 0); + gvalue = NULL; break; case KENV_UNSET: gname = lock_user_string(name); -- 2.52.0
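Review bot: the added `gvalue = NULL;` after the inline `unlock_user(gvalue, value, 0);` only keeps the shared unlock_user at the end of do_freebsd_kenv from writing back if that tail call tolerates a NULL host pointer as a no-op; a one-line comment at the new lines stating that the buffer is already unlocked and the tail must skip it would make the intent explicit for the next reader. The `break;` visible in the context just above `ret = kenv(action, gname, gvalue, len);` is also worth a second look in the same change: if gvalue can already be locked on that path, it still reaches the shared unlock with the full `len` and the same spurious writeback the commit message describes, so either clear gvalue there too or note in the message why that path is unaffected.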
