[src/netbsd-2-1]: src/sys Pull up following revision(s) (requested by adrianp...

[bouyer <bouyer%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/594b3c0bedd2
branches:  netbsd-2-1
changeset: 564250:594b3c0bedd2
user:      bouyer <bouyer%NetBSD.org@localhost>
date:      Thu Feb 08 23:09:05 2007 +0000

description:
Pull up following revision(s) (requested by adrianp in ticket #11023):
        sys/kern/kern_ktrace.c: revision 1.110 via patch
        sys/sys/ktrace.h: revision 1.45 via patch
        sys/compat/freebsd/freebsd_misc.c: revision 1.26 via patch
        sys/compat/darwin/darwin_iohidsystem.c: revision 1.35 via patch
        sys/compat/darwin/darwin_ktrace.c: revision 1.6 via patch
Due to insufficient length checking it is possible for a user to cause
an integer overflow.  Make ktruser return an error instead.

diffstat:

 sys/compat/darwin/darwin_iohidsystem.c |   6 +++---
 sys/compat/freebsd/freebsd_misc.c      |  12 ++++--------
 sys/kern/kern_ktrace.c                 |  16 ++++++++--------
 3 files changed, 15 insertions(+), 19 deletions(-)

diffs (112 lines):

diff -r dba77264c43d -r 594b3c0bedd2 sys/compat/darwin/darwin_iohidsystem.c
--- a/sys/compat/darwin/darwin_iohidsystem.c    Tue Feb 06 21:17:57 2007 +0000
+++ b/sys/compat/darwin/darwin_iohidsystem.c    Thu Feb 08 23:09:05 2007 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: darwin_iohidsystem.c,v 1.25 2003/12/09 17:13:19 manu Exp $ */
+/*     $NetBSD: darwin_iohidsystem.c,v 1.25.6.1 2007/02/08 23:09:05 bouyer Exp $ */
 
 /*-
  * Copyright (c) 2003 The NetBSD Foundation, Inc.
@@ -37,7 +37,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: darwin_iohidsystem.c,v 1.25 2003/12/09 17:13:19 manu Exp $");
+__KERNEL_RCSID(0, "$NetBSD: darwin_iohidsystem.c,v 1.25.6.1 2007/02/08 23:09:05 bouyer Exp $");
 
 #include "ioconf.h"
 #include "wsmux.h"
@@ -720,7 +720,7 @@
        mach_set_trailer(req, sizeof(*req));
 
 #ifdef KTRACE
-       ktruser(l->l_proc, "notify_iohidsystem", NULL, 0, 0);
+       (void)ktruser(l->l_proc, "notify_iohidsystem", NULL, 0, 0);
 #endif
        
        mr->mr_refcount++;
diff -r dba77264c43d -r 594b3c0bedd2 sys/compat/freebsd/freebsd_misc.c
--- a/sys/compat/freebsd/freebsd_misc.c Tue Feb 06 21:17:57 2007 +0000
+++ b/sys/compat/freebsd/freebsd_misc.c Thu Feb 08 23:09:05 2007 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: freebsd_misc.c,v 1.20.6.1 2005/09/13 16:37:22 tron Exp $       */
+/*     $NetBSD: freebsd_misc.c,v 1.20.6.1.2.1 2007/02/08 23:09:05 bouyer Exp $ */
 
 /*
  * Copyright (c) 1995 Frank van der Linden
@@ -36,7 +36,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: freebsd_misc.c,v 1.20.6.1 2005/09/13 16:37:22 tron Exp $");
+__KERNEL_RCSID(0, "$NetBSD: freebsd_misc.c,v 1.20.6.1.2.1 2007/02/08 23:09:05 bouyer Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_ntp.h"
@@ -234,12 +234,8 @@
        if (!KTRPOINT(p, KTR_USER))
                return 0;
 
-       if (SCARG(uap, len) > KTR_USER_MAXLEN)
-               return EINVAL;
-
-       ktruser(p, "FreeBSD utrace", SCARG(uap, addr), SCARG(uap, len), 0);
-       
-       return 0;
+       return ktruser(p, "FreeBSD utrace", SCARG(uap, addr), SCARG(uap, len),
+               0);
 #else
        return ENOSYS;
 #endif
diff -r dba77264c43d -r 594b3c0bedd2 sys/kern/kern_ktrace.c
--- a/sys/kern/kern_ktrace.c    Tue Feb 06 21:17:57 2007 +0000
+++ b/sys/kern/kern_ktrace.c    Thu Feb 08 23:09:05 2007 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: kern_ktrace.c,v 1.88.2.1 2004/06/24 14:04:46 he Exp $  */
+/*     $NetBSD: kern_ktrace.c,v 1.88.2.1.4.1 2007/02/08 23:09:05 bouyer Exp $  */
 
 /*
  * Copyright (c) 1989, 1993
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_ktrace.c,v 1.88.2.1 2004/06/24 14:04:46 he Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_ktrace.c,v 1.88.2.1.4.1 2007/02/08 23:09:05 bouyer Exp $");
 
 #include "opt_ktrace.h"
 #include "opt_compat_mach.h"
@@ -347,6 +347,9 @@
        caddr_t user_dta;
        int error;
 
+       if (len > KTR_USER_MAXLEN)
+               return ENOSPC;
+
        p->p_traceflag |= KTRFAC_ACTIVE;
        ktrinitheader(&kth, p, KTR_USER);
        ktp = malloc(sizeof(struct ktr_user) + len, M_TEMP, M_WAITOK);
@@ -358,7 +361,7 @@
        ktp->ktr_id[KTR_USER_MAXIDLEN-1] = '\0';
 
        user_dta = (caddr_t) ((char *)ktp + sizeof(struct ktr_user));
-       if (copyin(addr, (void *) user_dta, len) != 0)
+       if ((error = copyin(addr, (void *)user_dta, len)) != 0)
                len = 0;
 
        kth.ktr_buf = (void *)ktp;
@@ -798,12 +801,9 @@
        if (!KTRPOINT(p, KTR_USER))
                return (0);
 
-       if (SCARG(uap, len) > KTR_USER_MAXLEN)
-               return (EINVAL);
+       return ktruser(p, SCARG(uap, label), SCARG(uap, addr),
+               SCARG(uap, len), 1);
 
-       ktruser(p, SCARG(uap, label), SCARG(uap, addr), SCARG(uap, len), 1);
-
-       return (0);
 #else /* !KTRACE */
        return ENOSYS;
 #endif /* KTRACE */