The only caller of kcopy is uiomove. There is no way a function like
this can ever work. If you need to rely on your copy function to save
you from pointers outside the address space, it means you don't know
what garbage you're passing it. Meaning you may well be passing it
pointers inside the address space, but to something unexpected, which
you will then shit on.
Replace with memcpy.
Not shown: the 200 line diff to remove kcopy from sparc64 locore.s.
Index: kern/kern_subr.c
===================================================================
RCS file: /cvs/src/sys/kern/kern_subr.c,v
retrieving revision 1.37
diff -u -p -r1.37 kern_subr.c
--- kern/kern_subr.c 19 Oct 2013 09:24:57 -0000 1.37
+++ kern/kern_subr.c 9 Jan 2014 21:00:48 -0000
@@ -88,11 +88,9 @@ uiomove(void *cp, int n, struct uio *uio
case UIO_SYSSPACE:
if (uio->uio_rw == UIO_READ)
- error = kcopy(cp, iov->iov_base, cnt);
+ memcpy(iov->iov_base, cp, cnt);
else
- error = kcopy(iov->iov_base, cp, cnt);
- if (error)
- return(error);
+ memcpy(cp, iov->iov_base, cnt);
}
iov->iov_base = (caddr_t)iov->iov_base + cnt;
iov->iov_len -= cnt;
Index: sys/systm.h
===================================================================
RCS file: /cvs/src/sys/sys/systm.h,v
retrieving revision 1.100
diff -u -p -r1.100 systm.h
--- sys/systm.h 11 Jun 2013 18:15:54 -0000 1.100
+++ sys/systm.h 9 Jan 2014 21:02:04 -0000
@@ -187,10 +187,6 @@ void assertwaitok(void);
void tablefull(const char *);
-int kcopy(const void *, void *, size_t)
- __attribute__ ((__bounded__(__buffer__,1,3)))
- __attribute__ ((__bounded__(__buffer__,2,3)));
-
void bcopy(const void *, void *, size_t)
__attribute__ ((__bounded__(__buffer__,1,3)))
__attribute__ ((__bounded__(__buffer__,2,3)));
