Key 'L' copies the source sector to a destination sector. Bug: it
doesn't copy, it messes up the source sector badly instead, and can
smash the stack on some machines.
Root cause: doland() passes § instead of sect to ef_set_uid().
Impact:
1. ef_setuid() clobbers a few bytes at §.
When the bitfield and uid fit into sizeof(sect) bytes, it clobbers
just sect, which has no effect, because doland() returns without
using it again. This is the case on a typical 64-bit machine: bit
field and uid are both 4 bytes, sizeof(sect) is 8.
When they don't fit, whatever is adjacent to sect gets clobbered.
On a typical 32-bit machine with stack growing down, that's p.
Again, no effect, because doland() returns without using it again.
With stack growing up, it could well be the return address,
crashing the server.
2. ef_setuid() fails to update *sect. Impact (when we survive 1):
sect->sct_uid remains unchanged. putsect() writes to the source
sector instead of the destination sector, clobbering the source's
sct_x, sct_y. Breaks invariant sctoff(sct_x, sct_y) == sct_uid!
Subsequent edits are all applied to the source sector.
sect->sct_seqno remains unchanged. No effect, because we write to
the source sector, and the unchanged sequence number is the right
one there.
Broken in commit 536ef0b0, v4.3.15.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
Markus Armbruster
5497126d05