Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/netbsd-7-1]: src/sys/compat Pull up following revision(s) (requested by ...
details: https://anonhg.NetBSD.org/src/rev/a338ba90515a
branches: netbsd-7-1
changeset: 800771:a338ba90515a
user: snj <snj%NetBSD.org@localhost>
date: Sat Aug 12 03:59:55 2017 +0000
description:
Pull up following revision(s) (requested by mrg in ticket #1475):
sys/compat/svr4/svr4_lwp.c: revision 1.20
sys/compat/svr4/svr4_signal.c: revision 1.67
sys/compat/svr4/svr4_stream.c: revision 1.89-1.91 via patch
sys/compat/svr4_32/svr4_32_signal.c: revision 1.29
Fix some of the multitudinous holes in svr4 streams.
We should never have enabled this by default; it is a minefield.
>From Ilja Van Sprundel.
--
Zero stack data before copyout.
>From Ilja Van Sprundel.
--
Fix indexing of svr4 signals.
>From Ilja Van Sprundel.
--
Feebly attempt to get this reference counting less bad.
This svr4 streams code is bad and it should feel bad.
>From Ilja Van Sprundel.
--
Check bounds in svr4_sys_putmsg. Check more svr4_strmcmd bounds.
svr4 streams code is still a disaster.
>From Ilja Van Sprundel.
diffstat:
sys/compat/svr4/svr4_lwp.c | 6 ++-
sys/compat/svr4/svr4_signal.c | 55 +++++++++++++++++++++++++++--------
sys/compat/svr4/svr4_stream.c | 57 +++++++++++++++++++++++++++++++-----
sys/compat/svr4_32/svr4_32_signal.c | 46 ++++++++++++++++++++++++-----
4 files changed, 132 insertions(+), 32 deletions(-)
diffs (truncated from 430 to 300 lines):
diff -r 6b854db77e28 -r a338ba90515a sys/compat/svr4/svr4_lwp.c
--- a/sys/compat/svr4/svr4_lwp.c Sat Aug 12 03:48:33 2017 +0000
+++ b/sys/compat/svr4/svr4_lwp.c Sat Aug 12 03:59:55 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: svr4_lwp.c,v 1.19 2009/11/23 00:46:07 rmind Exp $ */
+/* $NetBSD: svr4_lwp.c,v 1.19.50.1 2017/08/12 03:59:55 snj Exp $ */
/*-
* Copyright (c) 1999 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: svr4_lwp.c,v 1.19 2009/11/23 00:46:07 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: svr4_lwp.c,v 1.19.50.1 2017/08/12 03:59:55 snj Exp $");
#include <sys/param.h>
#include <sys/kernel.h>
@@ -108,6 +108,8 @@
struct svr4_lwpinfo lwpinfo;
int error;
+ memset(&lwpinfo, 0, sizeof(lwpinfo));
+
/* XXX NJWLWP */
TIMEVAL_TO_TIMESPEC(&l->l_proc->p_stats->p_ru.ru_stime, &lwpinfo.lwp_stime);
TIMEVAL_TO_TIMESPEC(&l->l_proc->p_stats->p_ru.ru_utime, &lwpinfo.lwp_utime);
diff -r 6b854db77e28 -r a338ba90515a sys/compat/svr4/svr4_signal.c
--- a/sys/compat/svr4/svr4_signal.c Sat Aug 12 03:48:33 2017 +0000
+++ b/sys/compat/svr4/svr4_signal.c Sat Aug 12 03:59:55 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: svr4_signal.c,v 1.65.30.1 2015/01/17 12:10:53 martin Exp $ */
+/* $NetBSD: svr4_signal.c,v 1.65.30.1.6.1 2017/08/12 03:59:55 snj Exp $ */
/*-
* Copyright (c) 1994, 1998 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: svr4_signal.c,v 1.65.30.1 2015/01/17 12:10:53 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: svr4_signal.c,v 1.65.30.1.6.1 2017/08/12 03:59:55 snj Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -72,6 +72,21 @@
extern const int native_to_svr4_signo[];
extern const int svr4_to_native_signo[];
+static int
+svr4_decode_signum(int signum, int *native_signo, int *sigcall)
+{
+
+ if (SVR4_SIGNO(signum) >= SVR4_NSIG)
+ return EINVAL;
+
+ if (native_signo)
+ *native_signo = svr4_to_native_signo[SVR4_SIGNO(signum)];
+ if (sigcall)
+ *sigcall = SVR4_SIGCALL(signum);
+
+ return 0;
+}
+
static inline void
svr4_sigfillset(svr4_sigset_t *s)
{
@@ -173,6 +188,7 @@
} */
struct svr4_sigaction nssa, ossa;
struct sigaction nbsa, obsa;
+ int native_signo;
int error;
if (SCARG(uap, nsa)) {
@@ -181,7 +197,12 @@
return (error);
svr4_to_native_sigaction(&nssa, &nbsa);
}
- error = sigaction1(l, svr4_to_native_signo[SVR4_SIGNO(SCARG(uap, signum))],
+
+ error = svr4_decode_signum(SCARG(uap, signum), &native_signo, NULL);
+ if (error)
+ return error;
+
+ error = sigaction1(l, native_signo,
SCARG(uap, nsa) ? &nbsa : 0, SCARG(uap, osa) ? &obsa : 0,
NULL, 0);
if (error)
@@ -216,16 +237,18 @@
syscallarg(int) signum;
syscallarg(svr4_sig_t) handler;
} */
- int signum = svr4_to_native_signo[SVR4_SIGNO(SCARG(uap, signum))];
+ int native_signo, sigcall;
struct proc *p = l->l_proc;
struct sigaction nbsa, obsa;
sigset_t ss;
int error;
- if (signum <= 0 || signum >= SVR4_NSIG)
- return (EINVAL);
+ error = svr4_decode_signum(SCARG(uap, signum), &native_signo,
+ &sigcall);
+ if (error)
+ return error;
- switch (SVR4_SIGCALL(SCARG(uap, signum))) {
+ switch (sigcall) {
case SVR4_SIGDEFER_MASK:
if (SCARG(uap, handler) == SVR4_SIG_HOLD)
goto sighold;
@@ -235,7 +258,7 @@
nbsa.sa_handler = (sig_t)SCARG(uap, handler);
sigemptyset(&nbsa.sa_mask);
nbsa.sa_flags = 0;
- error = sigaction1(l, signum, &nbsa, &obsa, NULL, 0);
+ error = sigaction1(l, native_signo, &nbsa, &obsa, NULL, 0);
if (error)
return (error);
*retval = (u_int)(u_long)obsa.sa_handler;
@@ -244,7 +267,7 @@
case SVR4_SIGHOLD_MASK:
sighold:
sigemptyset(&ss);
- sigaddset(&ss, signum);
+ sigaddset(&ss, native_signo);
mutex_enter(p->p_lock);
error = sigprocmask1(l, SIG_BLOCK, &ss, 0);
mutex_exit(p->p_lock);
@@ -252,7 +275,7 @@
case SVR4_SIGRELSE_MASK:
sigemptyset(&ss);
- sigaddset(&ss, signum);
+ sigaddset(&ss, native_signo);
mutex_enter(p->p_lock);
error = sigprocmask1(l, SIG_UNBLOCK, &ss, 0);
mutex_exit(p->p_lock);
@@ -262,11 +285,11 @@
nbsa.sa_handler = SIG_IGN;
sigemptyset(&nbsa.sa_mask);
nbsa.sa_flags = 0;
- return (sigaction1(l, signum, &nbsa, 0, NULL, 0));
+ return (sigaction1(l, native_signo, &nbsa, 0, NULL, 0));
case SVR4_SIGPAUSE_MASK:
ss = l->l_sigmask; /* XXXAD locking */
- sigdelset(&ss, signum);
+ sigdelset(&ss, native_signo);
return (sigsuspend1(l, &ss));
default:
@@ -392,9 +415,15 @@
syscallarg(int) signum;
} */
struct sys_kill_args ka;
+ int native_signo;
+ int error;
+
+ error = svr4_decode_signum(SCARG(uap, signum), &native_signo, NULL);
+ if (error)
+ return error;
SCARG(&ka, pid) = SCARG(uap, pid);
- SCARG(&ka, signum) = svr4_to_native_signo[SVR4_SIGNO(SCARG(uap, signum))];
+ SCARG(&ka, signum) = native_signo;
return sys_kill(l, &ka, retval);
}
diff -r 6b854db77e28 -r a338ba90515a sys/compat/svr4/svr4_stream.c
--- a/sys/compat/svr4/svr4_stream.c Sat Aug 12 03:48:33 2017 +0000
+++ b/sys/compat/svr4/svr4_stream.c Sat Aug 12 03:59:55 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: svr4_stream.c,v 1.80 2014/07/09 04:54:03 rtr Exp $ */
+/* $NetBSD: svr4_stream.c,v 1.80.8.1 2017/08/12 03:59:55 snj Exp $ */
/*-
* Copyright (c) 1994, 2008 The NetBSD Foundation, Inc.
@@ -39,7 +39,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: svr4_stream.c,v 1.80 2014/07/09 04:54:03 rtr Exp $");
+__KERNEL_RCSID(0, "$NetBSD: svr4_stream.c,v 1.80.8.1 2017/08/12 03:59:55 snj Exp $");
#include <sys/param.h>
#include <sys/kernel.h>
@@ -526,11 +526,17 @@
if (st == NULL)
return EINVAL;
- if (ioc->len > sizeof(lst))
+ if (ioc->len < offsetof(struct svr4_strmcmd, pad) ||
+ ioc->len > sizeof(lst))
return EINVAL;
if ((error = copyin(NETBSD32PTR(ioc->buf), &lst, ioc->len)) != 0)
return error;
+ if (lst.offs < 0 ||
+ lst.len < 0 ||
+ lst.len > ioc->len ||
+ ioc->len - lst.len < lst.offs)
+ return EINVAL;
if (lst.cmd != SVR4_TI_OLD_BIND_REQUEST) {
DPRINTF(("si_listen: bad request %ld\n", lst.cmd));
@@ -716,7 +722,9 @@
memset(&info, 0, sizeof(info));
- if (ioc->len > sizeof(info))
+ /* tsdu is next after cmd, the only field we read */
+ if (ioc->len < offsetof(struct svr4_infocmd, tsdu) ||
+ ioc->len > sizeof(info))
return EINVAL;
if ((error = copyin(NETBSD32PTR(ioc->buf), &info, ioc->len)) != 0)
@@ -762,7 +770,8 @@
return EINVAL;
}
- if (ioc->len > sizeof(bnd))
+ if (ioc->len < offsetof(struct svr4_strmcmd, pad) ||
+ ioc->len > sizeof(bnd))
return EINVAL;
if ((error = copyin(NETBSD32PTR(ioc->buf), &bnd, ioc->len)) != 0)
@@ -772,6 +781,11 @@
DPRINTF(("ti_bind: bad request %ld\n", bnd.cmd));
return EINVAL;
}
+ if (bnd.offs < 0 ||
+ bnd.len < 0 ||
+ bnd.len > ioc->len ||
+ ioc->len - bnd.len < bnd.offs)
+ return EINVAL;
switch (st->s_family) {
case AF_INET:
@@ -781,6 +795,9 @@
if (bnd.offs == 0)
goto reply;
+ if (ioc->len < sizeof(struct svr4_netaddr_in) ||
+ bnd.offs > ioc->len - sizeof(struct svr4_netaddr_in))
+ return EINVAL;
netaddr_to_sockaddr_in(&sain, &bnd);
DPRINTF(("TI_BIND: fam %d, port %d, addr %x\n",
@@ -794,6 +811,9 @@
if (bnd.offs == 0)
goto reply;
+ if (ioc->len < sizeof(struct svr4_netaddr_un) ||
+ bnd.offs > ioc->len - sizeof(struct svr4_netaddr_un))
+ return EINVAL;
netaddr_to_sockaddr_un(&saun, &bnd);
if (saun.sun_path[0] == '\0')
@@ -1420,7 +1440,8 @@
goto out;
}
- if (ctl.len > sizeof(sc)) {
+ if (ctl.len < offsetof(struct svr4_strmcmd, pad) ||
+ ctl.len > sizeof(sc)) {
DPRINTF(("putmsg: Bad control size %ld != %d\n",
(unsigned long)sizeof(struct svr4_strmcmd), ctl.len));
error = EINVAL;
@@ -1429,6 +1450,13 @@
if ((error = copyin(NETBSD32PTR(ctl.buf), &sc, ctl.len)) != 0)
goto out;
+ if (sc.offs < 0 ||
+ sc.len < 0 ||
+ sc.len > ctl.len ||
+ sc.offs > ctl.len - sc.len) {
+ error = EINVAL;
+ goto out;
+ }
switch (st->s_family) {
case AF_INET:
@@ -1473,8 +1501,11 @@
*retval = 0;
error = 0;
goto out;
- }
- else {
+ } else if (sc.len < sizeof(dev_t[2])) {
+ *retval = 0;
+ error = EINVAL;
+ goto out;
+ } else {
/* Maybe we've been given a device/inode pair */
dev_t *dev = SVR4_ADDROF(&sc);
svr4_ino_t *ino = (svr4_ino_t *) &dev[1];
@@ -1502,10 +1533,12 @@
switch (st->s_cmd = sc.cmd) {
Home |
Main Index |
Thread Index |
Old Index