[src/netbsd-3-0]: src/sys/dev Pull up following revision(s) (requested by mjf...

To: source-changes-hg%NetBSD.org@localhost
Subject: [src/netbsd-3-0]: src/sys/dev Pull up following revision(s) (requested by mjf...
From: ghen <ghen%NetBSD.org@localhost>
Date: Fri, 24 Jan 2020 17:01:49 +0000

details:   https://anonhg.NetBSD.org/src/rev/e840e780e274
branches:  netbsd-3-0
changeset: 579433:e840e780e274
user:      ghen <ghen%NetBSD.org@localhost>
date:      Mon Aug 06 11:40:56 2007 +0000

description:
Pull up following revision(s) (requested by mjf in ticket #1815):
        sys/dev/ic/pcdisplay_subr.c: revision 1.33 via patch
        sys/dev/ic/vga_raster.c: revision 1.29 via patch
        sys/dev/ic/vga.c: revision 1.95 via patch
        sys/dev/rasops/rasops.c: revision 1.56 via patch
        sys/dev/isa/ega.c: revision 1.23 via patch
Implement bounds checking in some places in display driver code to avoid
the possibility of a local user panic.
Set the 'ri' pointer before use.

diffstat:

 sys/dev/ic/pcdisplay_subr.c |  10 +++++++---
 sys/dev/ic/vga.c            |   8 ++++++--
 sys/dev/ic/vga_raster.c     |  13 ++++++++++---
 sys/dev/isa/ega.c           |   8 ++++++--
 sys/dev/rasops/rasops.c     |   8 ++++++--
 5 files changed, 35 insertions(+), 12 deletions(-)

diffs (167 lines):

diff -r f4a96c054224 -r e840e780e274 sys/dev/ic/pcdisplay_subr.c
--- a/sys/dev/ic/pcdisplay_subr.c       Fri Jun 29 16:58:49 2007 +0000
+++ b/sys/dev/ic/pcdisplay_subr.c       Mon Aug 06 11:40:56 2007 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: pcdisplay_subr.c,v 1.28 2005/02/27 00:27:02 perry Exp $ */
+/* $NetBSD: pcdisplay_subr.c,v 1.28.12.1 2007/08/06 11:40:56 ghen Exp $ */
 
 /*
  * Copyright (c) 1995, 1996 Carnegie-Mellon University.
@@ -28,7 +28,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: pcdisplay_subr.c,v 1.28 2005/02/27 00:27:02 perry Exp $");
+__KERNEL_RCSID(0, "$NetBSD: pcdisplay_subr.c,v 1.28.12.1 2007/08/06 11:40:56 ghen Exp $");
 
 #include "opt_wsdisplay_compat.h" /* for WSDISPLAY_CHARFUNCS */
 #include "opt_wsmsgattrs.h" /* for WSDISPLAY_CUSTOM_OUTPUT */
@@ -168,10 +168,14 @@
        struct pcdisplayscreen *scr = id;
        bus_space_tag_t memt = scr->hdl->ph_memt;
        bus_space_handle_t memh = scr->hdl->ph_memh;
-       int off;
+       size_t off;
 
        off = row * scr->type->ncols + col;
 
+       /* check for bogus row and column sizes */
+       if (__predict_false(off >= (scr->type->ncols * scr->type->nrows)))
+               return;
+
        if (scr->active)
                bus_space_write_2(memt, memh, scr->dispoffset + off * 2,
                                  c | (attr << 8));
diff -r f4a96c054224 -r e840e780e274 sys/dev/ic/vga.c
--- a/sys/dev/ic/vga.c  Fri Jun 29 16:58:49 2007 +0000
+++ b/sys/dev/ic/vga.c  Mon Aug 06 11:40:56 2007 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: vga.c,v 1.81 2005/02/27 00:27:03 perry Exp $ */
+/* $NetBSD: vga.c,v 1.81.8.1 2007/08/06 11:40:56 ghen Exp $ */
 
 /*
  * Copyright (c) 1995, 1996 Carnegie-Mellon University.
@@ -35,7 +35,7 @@
 #include "opt_wsmsgattrs.h"
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: vga.c,v 1.81 2005/02/27 00:27:03 perry Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vga.c,v 1.81.8.1 2007/08/06 11:40:56 ghen Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -1055,6 +1055,10 @@
        struct vgascreen *scr = id;
        struct vga_config *vc = scr->cfg;
 
+       if (__predict_false((unsigned int)fg >= sizeof(fgansitopc) || 
+           (unsigned int)bg >= sizeof(bgansitopc)))
+               return (EINVAL);
+
        if (vc->hdl.vh_mono) {
                if (flags & WSATTR_WSCOLORS)
                        return (EINVAL);
diff -r f4a96c054224 -r e840e780e274 sys/dev/ic/vga_raster.c
--- a/sys/dev/ic/vga_raster.c   Fri Jun 29 16:58:49 2007 +0000
+++ b/sys/dev/ic/vga_raster.c   Mon Aug 06 11:40:56 2007 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: vga_raster.c,v 1.16 2005/02/27 00:27:03 perry Exp $    */
+/*     $NetBSD: vga_raster.c,v 1.16.6.1 2007/08/06 11:40:56 ghen Exp $ */
 
 /*
  * Copyright (c) 2001, 2002 Bang Jun-Young
@@ -56,7 +56,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: vga_raster.c,v 1.16 2005/02/27 00:27:03 perry Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vga_raster.c,v 1.16.6.1 2007/08/06 11:40:56 ghen Exp $");
 
 #include "opt_wsmsgattrs.h" /* for WSDISPLAY_CUSTOM_OUTPUT */
 
@@ -1092,12 +1092,15 @@
 vga_raster_putchar(void *id, int row, int col, u_int c, long attr)
 {
        struct vgascreen *scr = id;
-       int off;
+       size_t off;
        struct vga_raster_font *fs;
        u_int tmp_ch;
 
        off = row * scr->type->ncols + col;
 
+       if (__predict_false(off >= (scr->type->ncols * scr->type->nrows)))
+               return;
+
        LIST_FOREACH(fs, &scr->fontset, next) {
                if ((scr->encoding == fs->font->encoding) &&
                    (c >= fs->font->firstchar) &&
@@ -1368,6 +1371,10 @@
        struct vgascreen *scr = id;
        struct vga_config *vc = scr->cfg;
 
+       if (__predict_false((unsigned int)fg >= sizeof(fgansitopc) || 
+           (unsigned int)bg >= sizeof(bgansitopc)))
+               return (EINVAL);
+
        if (vc->hdl.vh_mono) {
                if (flags & WSATTR_WSCOLORS)
                        return (EINVAL);
diff -r f4a96c054224 -r e840e780e274 sys/dev/isa/ega.c
--- a/sys/dev/isa/ega.c Fri Jun 29 16:58:49 2007 +0000
+++ b/sys/dev/isa/ega.c Mon Aug 06 11:40:56 2007 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ega.c,v 1.18 2005/02/27 00:27:17 perry Exp $ */
+/* $NetBSD: ega.c,v 1.18.12.1 2007/08/06 11:40:57 ghen Exp $ */
 
 /*
  * Copyright (c) 1999
@@ -27,7 +27,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ega.c,v 1.18 2005/02/27 00:27:17 perry Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ega.c,v 1.18.12.1 2007/08/06 11:40:57 ghen Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -849,6 +849,10 @@
        struct egascreen *scr = id;
        struct ega_config *vc = scr->cfg;
 
+       if (__predict_false((unsigned int)fg >= sizeof(fgansitopc) ||
+           (unsigned int)bg >= sizeof(bgansitopc)))
+               return (EINVAL);
+
        if (vc->hdl.vh_mono) {
                if (flags & WSATTR_WSCOLORS)
                        return (EINVAL);
diff -r f4a96c054224 -r e840e780e274 sys/dev/rasops/rasops.c
--- a/sys/dev/rasops/rasops.c   Fri Jun 29 16:58:49 2007 +0000
+++ b/sys/dev/rasops/rasops.c   Mon Aug 06 11:40:56 2007 +0000
@@ -1,4 +1,4 @@
-/*      $NetBSD: rasops.c,v 1.46.2.1 2005/06/03 15:11:54 riz Exp $     */
+/*      $NetBSD: rasops.c,v 1.46.2.1.2.1 2007/08/06 11:40:57 ghen Exp $        */
 
 /*-
  * Copyright (c) 1999 The NetBSD Foundation, Inc.
@@ -37,7 +37,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: rasops.c,v 1.46.2.1 2005/06/03 15:11:54 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: rasops.c,v 1.46.2.1.2.1 2007/08/06 11:40:57 ghen Exp $");
 
 #include "opt_rasops.h"
 #include "rasops_glue.h"
@@ -390,6 +390,10 @@
 {
        int swap;
 
+       if (__predict_false((unsigned int)fg >= sizeof(rasops_isgray) ||
+           (unsigned int)bg >= sizeof(rasops_isgray)))
+               return (EINVAL);
+
 #ifdef RASOPS_CLIPPING
        fg &= 7;
        bg &= 7;

Prev by Date: [src/netbsd-3-0]: src/doc Ticket #1807.
Next by Date: [src/netbsd-3-0]: src/sys/kern Pull up following revision(s) (requested by ma...
Previous by Thread: [src/netbsd-3-0]: src/doc Ticket #1807.
Next by Thread: [src/netbsd-3-0]: src/sys/kern Pull up following revision(s) (requested by ma...
Indexes:

Home | Main Index | Thread Index | Old Index