Source-Changes-HG archive
[src/netbsd-2]: src/sys/kern Pull up following revision(s) (requested by chri...
details: https://anonhg.NetBSD.org/src/rev/c6532d26e645
branches: netbsd-2
changeset: 564546:c6532d26e645
user: bouyer <bouyer%NetBSD.org@localhost>
date: Mon Oct 16 17:56:26 2006 +0000
description:
Pull up following revision(s) (requested by christos in ticket #10720):
sys/kern/sys_process.c: revision 1.111 via patch
Don't allow ptrace to copyout arbitrary sized data. Reported by the
Suresec vulnerability research team.
diffstat:
sys/kern/sys_process.c | 19 ++++++++-----------
1 files changed, 8 insertions(+), 11 deletions(-)
diffs (62 lines):
diff -r a6a4be96f1e6 -r c6532d26e645 sys/kern/sys_process.c
--- a/sys/kern/sys_process.c Sun Oct 15 16:01:29 2006 +0000
+++ b/sys/kern/sys_process.c Mon Oct 16 17:56:26 2006 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: sys_process.c,v 1.86 2004/03/13 18:43:18 matt Exp $ */
+/* $NetBSD: sys_process.c,v 1.86.4.1 2006/10/16 17:56:26 bouyer Exp $ */
/*-
* Copyright (c) 1982, 1986, 1989, 1993
@@ -89,7 +89,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: sys_process.c,v 1.86 2004/03/13 18:43:18 matt Exp $");
+__KERNEL_RCSID(0, "$NetBSD: sys_process.c,v 1.86.4.1 2006/10/16 17:56:26 bouyer Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -135,7 +135,7 @@
struct iovec iov;
struct ptrace_io_desc piod;
struct ptrace_lwpinfo pl;
- int s, error, write, tmp, size;
+ int s, error, write, tmp;
/* "A foolish consistency..." XXX */
if (SCARG(uap, req) == PT_TRACE_ME)
@@ -458,10 +458,9 @@
goto sendsig;
case PT_LWPINFO:
- size = SCARG(uap, data);
- if (size < sizeof(lwpid_t))
+ if (SCARG(uap, data) != sizeof(pl))
return (EINVAL);
- error = copyin(SCARG(uap, addr), &pl, sizeof(lwpid_t));
+ error = copyin(SCARG(uap, addr), &pl, sizeof(pl));
if (error)
return (error);
tmp = pl.pl_lwpid;
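Review bot: The new test `if (SCARG(uap, data) != sizeof(pl))` carries the whole security argument for PT_LWPINFO, but nothing in the code says so, and a later "relax this to >=" cleanup would reopen the hole. The same fixed length now bounds the copyin here and the copyout at the end of the case, and copying in the full structure means every byte later copied out comes either from the caller or from an explicit assignment rather than from leftover kernel stack. I would put a comment above the test, for example `/* data must be exactly sizeof(pl): it bounds both the copyin and the copyout, so no caller-chosen length reaches copyout and no stale stack bytes are returned */`. It is also worth recording that the exact match makes the structure size part of the ptrace ABI, so growing struct ptrace_lwpinfo will need a compat path. The case body continues past this hunk.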
@@ -469,8 +468,8 @@
lt = LIST_FIRST(&t->p_lwps);
else {
LIST_FOREACH(lt, &t->p_lwps, l_sibling)
- if (lt->l_lid == tmp)
- break;
+ if (lt->l_lid == tmp)
+ break;
if (lt == NULL)
return (ESRCH);
lt = LIST_NEXT(lt, l_sibling);
@@ -483,9 +482,7 @@
pl.pl_event = PL_EVENT_SIGNAL;
}
- error = copyout(&pl, SCARG(uap, addr), SCARG(uap, data));
-
- return (0);
+ return copyout(&pl, SCARG(uap, addr), sizeof(pl));
#ifdef PT_SETREGS
case PT_SETREGS:
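Review bot: The added `return copyout(&pl, SCARG(uap, addr), sizeof(pl));` drops the parenthesised return form used by the other returns in this case (`return (EINVAL);`, `return (error);`, `return (ESRCH);`). For consistency I would write it as `return (copyout(&pl, SCARG(uap, addr), sizeof(pl)));`. This line is also a caller-visible change, because a failed copyout is now reported where the old code assigned `error` and then returned 0; the commit message should mention that. The start of the PT_LWPINFO case lies outside this hunk.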