
[src/netbsd-7-1]: src/sys/compat Pull up following revision(s) (requested by ...



details:   https://anonhg.NetBSD.org/src/rev/a338ba90515a
branches:  netbsd-7-1
changeset: 800771:a338ba90515a
user:      snj <snj%NetBSD.org@localhost>
date:      Sat Aug 12 03:59:55 2017 +0000

description:
Pull up following revision(s) (requested by mrg in ticket #1475):
        sys/compat/svr4/svr4_lwp.c: revision 1.20
        sys/compat/svr4/svr4_signal.c: revision 1.67
        sys/compat/svr4/svr4_stream.c: revision 1.89-1.91 via patch
        sys/compat/svr4_32/svr4_32_signal.c: revision 1.29
Fix some of the multitudinous holes in svr4 streams.
We should never have enabled this by default; it is a minefield.
From Ilja Van Sprundel.
--
Zero stack data before copyout.
From Ilja Van Sprundel.
--
Fix indexing of svr4 signals.
From Ilja Van Sprundel.
--
Feebly attempt to get this reference counting less bad.
This svr4 streams code is bad and it should feel bad.
From Ilja Van Sprundel.
--
Check bounds in svr4_sys_putmsg.  Check more svr4_strmcmd bounds.
svr4 streams code is still a disaster.
From Ilja Van Sprundel.

diffstat:

 sys/compat/svr4/svr4_lwp.c          |   6 ++-
 sys/compat/svr4/svr4_signal.c       |  55 +++++++++++++++++++++++++++--------
 sys/compat/svr4/svr4_stream.c       |  57 +++++++++++++++++++++++++++++++-----
 sys/compat/svr4_32/svr4_32_signal.c |  46 ++++++++++++++++++++++++-----
 4 files changed, 132 insertions(+), 32 deletions(-)

diffs (truncated from 430 to 300 lines):

diff -r 6b854db77e28 -r a338ba90515a sys/compat/svr4/svr4_lwp.c
--- a/sys/compat/svr4/svr4_lwp.c        Sat Aug 12 03:48:33 2017 +0000
+++ b/sys/compat/svr4/svr4_lwp.c        Sat Aug 12 03:59:55 2017 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: svr4_lwp.c,v 1.19 2009/11/23 00:46:07 rmind Exp $      */
+/*     $NetBSD: svr4_lwp.c,v 1.19.50.1 2017/08/12 03:59:55 snj Exp $   */
 
 /*-
  * Copyright (c) 1999 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: svr4_lwp.c,v 1.19 2009/11/23 00:46:07 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: svr4_lwp.c,v 1.19.50.1 2017/08/12 03:59:55 snj Exp $");
 
 #include <sys/param.h>
 #include <sys/kernel.h>
@@ -108,6 +108,8 @@
        struct svr4_lwpinfo lwpinfo;
        int error;
 
+       memset(&lwpinfo, 0, sizeof(lwpinfo));
+
        /* XXX NJWLWP */
        TIMEVAL_TO_TIMESPEC(&l->l_proc->p_stats->p_ru.ru_stime, &lwpinfo.lwp_stime);
        TIMEVAL_TO_TIMESPEC(&l->l_proc->p_stats->p_ru.ru_utime, &lwpinfo.lwp_utime);
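Review bot: The new memset carries no explanation of why it is needed, and the copyout it protects (per the commit message) is outside this hunk, so a future cleanup could plausibly replace it with `= { 0 }` and silently reintroduce the leak. A one-line comment above it would pin the intent: `/* memset, not "= { 0 }": only an explicit fill clears padding and any unset field before the copyout */`. The enclosing function starts and ends outside the hunk.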
diff -r 6b854db77e28 -r a338ba90515a sys/compat/svr4/svr4_signal.c
--- a/sys/compat/svr4/svr4_signal.c     Sat Aug 12 03:48:33 2017 +0000
+++ b/sys/compat/svr4/svr4_signal.c     Sat Aug 12 03:59:55 2017 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: svr4_signal.c,v 1.65.30.1 2015/01/17 12:10:53 martin Exp $      */
+/*     $NetBSD: svr4_signal.c,v 1.65.30.1.6.1 2017/08/12 03:59:55 snj Exp $     */
 
 /*-
  * Copyright (c) 1994, 1998 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: svr4_signal.c,v 1.65.30.1 2015/01/17 12:10:53 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: svr4_signal.c,v 1.65.30.1.6.1 2017/08/12 03:59:55 snj Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -72,6 +72,21 @@
 extern const int native_to_svr4_signo[];
 extern const int svr4_to_native_signo[];
 
+static int
+svr4_decode_signum(int signum, int *native_signo, int *sigcall)
+{
+
+       if (SVR4_SIGNO(signum) >= SVR4_NSIG)
+               return EINVAL;
+
+       if (native_signo)
+               *native_signo = svr4_to_native_signo[SVR4_SIGNO(signum)];
+       if (sigcall)
+               *sigcall = SVR4_SIGCALL(signum);
+
+       return 0;
+}
+
 static inline void
 svr4_sigfillset(svr4_sigset_t *s)
 {
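Review bot: svr4_decode_signum bounds only the SVR4-side index (`SVR4_SIGNO(signum) >= SVR4_NSIG`) and passes whatever `svr4_to_native_signo[]` holds straight through, so a native value of 0 — which is what an unmapped table slot would presumably contain; the table itself is not visible here — is returned as success. That contract should be stated on the helper, since the callers in this commit differ in whether they can tolerate it (sys_kill accepts 0, sigaddset/sigdelset do not). I would add a short block comment saying that the function splits an SVR4 signal argument into the native signal number and the SVR4_SIGCALL() opcode, that only the SVR4 index is range-checked, and that callers feeding the result to sigset macros must reject a native number of 0 themselves. As a nit, `SVR4_SIGNO(signum)` is evaluated twice; a local `int idx = SVR4_SIGNO(signum);` reads cleaner.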
@@ -173,6 +188,7 @@
        } */
        struct svr4_sigaction nssa, ossa;
        struct sigaction nbsa, obsa;
+       int native_signo;
        int error;
 
        if (SCARG(uap, nsa)) {
@@ -181,7 +197,12 @@
                        return (error);
                svr4_to_native_sigaction(&nssa, &nbsa);
        }
-       error = sigaction1(l, svr4_to_native_signo[SVR4_SIGNO(SCARG(uap, signum))],
+
+       error = svr4_decode_signum(SCARG(uap, signum), &native_signo, NULL);
+       if (error)
+               return error;
+
+       error = sigaction1(l, native_signo,
            SCARG(uap, nsa) ? &nbsa : 0, SCARG(uap, osa) ? &obsa : 0,
            NULL, 0);
        if (error)
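Review bot: The signum validation is placed after the `nsa` copyin and the `svr4_to_native_sigaction` conversion, so a request with an out-of-range signal number still pays for a user copy and a conversion before getting EINVAL. Hoisting the three `svr4_decode_signum` lines above `if (SCARG(uap, nsa)) {` keeps the argument check first and makes the fail-fast path obvious. The native number 0 case is handled further down by sigaction1's own range check, so no extra guard is needed here. svr4_sys_sigaction continues past the hunk.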
@@ -216,16 +237,18 @@
                syscallarg(int) signum;
                syscallarg(svr4_sig_t) handler;
        } */
-       int signum = svr4_to_native_signo[SVR4_SIGNO(SCARG(uap, signum))];
+       int native_signo, sigcall;
        struct proc *p = l->l_proc;
        struct sigaction nbsa, obsa;
        sigset_t ss;
        int error;
 
-       if (signum <= 0 || signum >= SVR4_NSIG)
-               return (EINVAL);
+       error = svr4_decode_signum(SCARG(uap, signum), &native_signo,
+           &sigcall);
+       if (error)
+               return error;
 
-       switch (SVR4_SIGCALL(SCARG(uap, signum))) {
+       switch (sigcall) {
        case SVR4_SIGDEFER_MASK:
                if (SCARG(uap, handler) == SVR4_SIG_HOLD)
                        goto sighold;
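Review bot: The removed `signum <= 0` guard rejected a translated native signal of 0, and nothing replaces it: svr4_decode_signum checks only the SVR4 index, so an SVR4 signal whose `svr4_to_native_signo[]` entry is 0 (the table is not visible here, but unmapped slots are commonly 0) now reaches `sigaddset(&ss, native_signo)` / `sigdelset(&ss, native_signo)` on the SIGHOLD, SIGRELSE and SIGPAUSE paths in the later hunks, and as far as I recall the kernel sigset macros do no range checking of their own. sigaction1 does validate, so the SIGDEFER and SIGIGNORE paths are safe; the mask-manipulating paths are not. Restore the guard right after the decode, against the native range this time: `if (native_signo <= 0 || native_signo >= NSIG) return EINVAL;`. svr4_sys_signal continues past the hunk.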
@@ -235,7 +258,7 @@
                nbsa.sa_handler = (sig_t)SCARG(uap, handler);
                sigemptyset(&nbsa.sa_mask);
                nbsa.sa_flags = 0;
-               error = sigaction1(l, signum, &nbsa, &obsa, NULL, 0);
+               error = sigaction1(l, native_signo, &nbsa, &obsa, NULL, 0);
                if (error)
                        return (error);
                *retval = (u_int)(u_long)obsa.sa_handler;
@@ -244,7 +267,7 @@
        case SVR4_SIGHOLD_MASK:
        sighold:
                sigemptyset(&ss);
-               sigaddset(&ss, signum);
+               sigaddset(&ss, native_signo);
                mutex_enter(p->p_lock);
                error = sigprocmask1(l, SIG_BLOCK, &ss, 0);
                mutex_exit(p->p_lock);
@@ -252,7 +275,7 @@
 
        case SVR4_SIGRELSE_MASK:
                sigemptyset(&ss);
-               sigaddset(&ss, signum);
+               sigaddset(&ss, native_signo);
                mutex_enter(p->p_lock);
                error = sigprocmask1(l, SIG_UNBLOCK, &ss, 0);
                mutex_exit(p->p_lock);
@@ -262,11 +285,11 @@
                nbsa.sa_handler = SIG_IGN;
                sigemptyset(&nbsa.sa_mask);
                nbsa.sa_flags = 0;
-               return (sigaction1(l, signum, &nbsa, 0, NULL, 0));
+               return (sigaction1(l, native_signo, &nbsa, 0, NULL, 0));
 
        case SVR4_SIGPAUSE_MASK:
                ss = l->l_sigmask;      /* XXXAD locking */
-               sigdelset(&ss, signum);
+               sigdelset(&ss, native_signo);
                return (sigsuspend1(l, &ss));
 
        default:
@@ -392,9 +415,15 @@
                syscallarg(int) signum;
        } */
        struct sys_kill_args ka;
+       int native_signo;
+       int error;
+
+       error = svr4_decode_signum(SCARG(uap, signum), &native_signo, NULL);
+       if (error)
+               return error;
 
        SCARG(&ka, pid) = SCARG(uap, pid);
-       SCARG(&ka, signum) = svr4_to_native_signo[SVR4_SIGNO(SCARG(uap, signum))];
+       SCARG(&ka, signum) = native_signo;
        return sys_kill(l, &ka, retval);
 }
 
diff -r 6b854db77e28 -r a338ba90515a sys/compat/svr4/svr4_stream.c
--- a/sys/compat/svr4/svr4_stream.c     Sat Aug 12 03:48:33 2017 +0000
+++ b/sys/compat/svr4/svr4_stream.c     Sat Aug 12 03:59:55 2017 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: svr4_stream.c,v 1.80 2014/07/09 04:54:03 rtr Exp $      */
+/*     $NetBSD: svr4_stream.c,v 1.80.8.1 2017/08/12 03:59:55 snj Exp $  */
 
 /*-
  * Copyright (c) 1994, 2008 The NetBSD Foundation, Inc.
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: svr4_stream.c,v 1.80 2014/07/09 04:54:03 rtr Exp $");
+__KERNEL_RCSID(0, "$NetBSD: svr4_stream.c,v 1.80.8.1 2017/08/12 03:59:55 snj Exp $");
 
 #include <sys/param.h>
 #include <sys/kernel.h>
@@ -526,11 +526,17 @@
        if (st == NULL)
                return EINVAL;
 
-       if (ioc->len > sizeof(lst))
+       if (ioc->len < offsetof(struct svr4_strmcmd, pad) ||
+           ioc->len > sizeof(lst))
                return EINVAL;
 
        if ((error = copyin(NETBSD32PTR(ioc->buf), &lst, ioc->len)) != 0)
                return error;
+       if (lst.offs < 0 ||
+           lst.len < 0 ||
+           lst.len > ioc->len ||
+           ioc->len - lst.len < lst.offs)
+               return EINVAL;
 
        if (lst.cmd != SVR4_TI_OLD_BIND_REQUEST) {
                DPRINTF(("si_listen: bad request %ld\n", lst.cmd));
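Review bot: The new `offs`/`len` consistency check is correct, but the same predicate is then hand-written twice more in this commit with different spellings (`ioc->len - bnd.len < bnd.offs` in ti_bind, `sc.offs > ctl.len - sc.len` in putmsg), which is how one copy drifts from the others the next time someone touches it. A single static helper taking the strmcmd and the number of bytes actually copied in would give the rule one home and one comment; the `offsetof(struct svr4_strmcmd, pad)` lower bound has to stay at each call site because it must hold before the copyin. si_listen continues past the hunk.
```c
/*
 * Reject a strmcmd whose [offs, offs+len) payload does not lie within
 * the len bytes that were copied in from the user.
 */
static int
svr4_strmcmd_check(const struct svr4_strmcmd *sc, int len)
{
	if (sc->offs < 0 || sc->len < 0 || sc->len > len ||
	    len - sc->len < sc->offs)
		return EINVAL;
	return 0;
}
```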
@@ -716,7 +722,9 @@
 
        memset(&info, 0, sizeof(info));
 
-       if (ioc->len > sizeof(info))
+       /* tsdu is next after cmd, the only field we read */
+       if (ioc->len < offsetof(struct svr4_infocmd, tsdu) ||
+           ioc->len > sizeof(info))
                return EINVAL;
 
        if ((error = copyin(NETBSD32PTR(ioc->buf), &info, ioc->len)) != 0)
@@ -762,7 +770,8 @@
                return EINVAL;
        }
 
-       if (ioc->len > sizeof(bnd))
+       if (ioc->len < offsetof(struct svr4_strmcmd, pad) ||
+           ioc->len > sizeof(bnd))
                return EINVAL;
 
        if ((error = copyin(NETBSD32PTR(ioc->buf), &bnd, ioc->len)) != 0)
@@ -772,6 +781,11 @@
                DPRINTF(("ti_bind: bad request %ld\n", bnd.cmd));
                return EINVAL;
        }
+       if (bnd.offs < 0 ||
+           bnd.len < 0 ||
+           bnd.len > ioc->len ||
+           ioc->len - bnd.len < bnd.offs)
+               return EINVAL;
 
        switch (st->s_family) {
        case AF_INET:
@@ -781,6 +795,9 @@
                if (bnd.offs == 0)
                        goto reply;
 
+               if (ioc->len < sizeof(struct svr4_netaddr_in) ||
+                   bnd.offs > ioc->len - sizeof(struct svr4_netaddr_in))
+                       return EINVAL;
                netaddr_to_sockaddr_in(&sain, &bnd);
 
                DPRINTF(("TI_BIND: fam %d, port %d, addr %x\n",
@@ -794,6 +811,9 @@
                if (bnd.offs == 0)
                        goto reply;
 
+               if (ioc->len < sizeof(struct svr4_netaddr_un) ||
+                   bnd.offs > ioc->len - sizeof(struct svr4_netaddr_un))
+                       return EINVAL;
                netaddr_to_sockaddr_un(&saun, &bnd);
 
                if (saun.sun_path[0] == '\0')
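Review bot: The added check only guarantees that the fixed header of `struct svr4_netaddr_un` lies within `ioc->len`; the path that netaddr_to_sockaddr_un extracts is not covered by it. That function is outside this hunk, but if the path is the usual trailing char array copied up to a NUL, a request whose path has no terminator within the copied-in bytes makes the copy run on through the uninitialised tail of `bnd` (unless it is zeroed earlier, which I cannot see) and potentially past the struct. Before the call, require the terminator to be inside the user-supplied bytes: `if (memchr((const char *)&bnd + bnd.offs + offsetof(struct svr4_netaddr_un, path), '\0', ioc->len - bnd.offs - offsetof(struct svr4_netaddr_un, path)) == NULL) return EINVAL;`. ti_bind continues past the hunk.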
@@ -1420,7 +1440,8 @@
                goto out;
        }
 
-       if (ctl.len > sizeof(sc)) {
+       if (ctl.len < offsetof(struct svr4_strmcmd, pad) ||
+           ctl.len > sizeof(sc)) {
                DPRINTF(("putmsg: Bad control size %ld != %d\n",
                    (unsigned long)sizeof(struct svr4_strmcmd), ctl.len));
                error = EINVAL;
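Review bot: The diagnostic under the new condition still says `Bad control size %ld != %d` and prints `sizeof(struct svr4_strmcmd)` first and `ctl.len` second, which no longer describes a check that now has a lower bound as well as an upper one and reads as if the two operands were reversed. Since the condition changed, the message should change with it: `DPRINTF(("putmsg: Bad control size %d (expected %zu..%zu)\n", ctl.len, offsetof(struct svr4_strmcmd, pad), sizeof(sc)));` (kernel printf handles `%zu`). The enclosing function, svr4_sys_putmsg per the commit message, extends beyond the hunk on both sides.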
@@ -1429,6 +1450,13 @@
 
        if ((error = copyin(NETBSD32PTR(ctl.buf), &sc, ctl.len)) != 0)
                goto out;
+       if (sc.offs < 0 ||
+           sc.len < 0 ||
+           sc.len > ctl.len ||
+           sc.offs > ctl.len - sc.len) {
+               error = EINVAL;
+               goto out;
+       }
 
        switch (st->s_family) {
        case AF_INET:
@@ -1473,8 +1501,11 @@
                        *retval = 0;
                        error = 0;
                        goto out;
-               }
-               else {
+               } else if (sc.len < sizeof(dev_t[2])) {
+                       *retval = 0;
+                       error = EINVAL;
+                       goto out;
+               } else {
                        /* Maybe we've been given a device/inode pair */
                        dev_t *dev = SVR4_ADDROF(&sc);
                        svr4_ino_t *ino = (svr4_ino_t *) &dev[1];
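Review bot: The new lower bound `sc.len < sizeof(dev_t[2])` does not express what the next two lines read, which is one `dev_t` followed by one `svr4_ino_t`; it is only sufficient while `svr4_ino_t` is no wider than `dev_t`, which this hunk cannot show. Spell the requirement out so it cannot rot: `} else if (sc.len < sizeof(dev_t) + sizeof(svr4_ino_t)) {`. Separately, nothing constrains `sc.offs` to any alignment, so `dev` and `ino` may point at an unaligned location inside `sc`; on a strict-alignment target (the main svr4 consumers, as far as I know) the dereferences that follow outside this hunk can fault, and copying the two values out with memcpy into local `dev_t`/`svr4_ino_t` variables avoids that. The function continues past the hunk.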
@@ -1502,10 +1533,12 @@
        switch (st->s_cmd = sc.cmd) {


