Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/sys/compat/netbsd32 Fix netbsd32___mount50():
details: https://anonhg.NetBSD.org/src/rev/4d4e53cfa566
branches: trunk
changeset: 965533:4d4e53cfa566
user: maxv <maxv%NetBSD.org@localhost>
date: Sat Sep 21 06:56:51 2019 +0000
description:
Fix netbsd32___mount50():
- zero out fs_args32 to prevent info leaks
- remove unused and non-functional copyin in NFS (lgtm bot)
- declare udata, and don't pass kernel pointers to copyout (lgtm bot)
- make sure data_len is just big enough, to mimic the native behavior
- don't forget to update *retval with the 32bit value
- add an XXX for NFS
diffstat:
sys/compat/netbsd32/netbsd32_fs.c | 50 ++++++++++++++++++++++----------------
1 files changed, 29 insertions(+), 21 deletions(-)
diffs (181 lines):
diff -r 74118b8d83a1 -r 4d4e53cfa566 sys/compat/netbsd32/netbsd32_fs.c
--- a/sys/compat/netbsd32/netbsd32_fs.c Sat Sep 21 00:01:33 2019 +0000
+++ b/sys/compat/netbsd32/netbsd32_fs.c Sat Sep 21 06:56:51 2019 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: netbsd32_fs.c,v 1.82 2018/12/26 08:01:40 mrg Exp $ */
+/* $NetBSD: netbsd32_fs.c,v 1.83 2019/09/21 06:56:51 maxv Exp $ */
/*
* Copyright (c) 1998, 2001 Matthew R. Green
@@ -27,7 +27,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: netbsd32_fs.c,v 1.82 2018/12/26 08:01:40 mrg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: netbsd32_fs.c,v 1.83 2019/09/21 06:56:51 maxv Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -809,17 +809,21 @@
const char *type = SCARG_P32(uap, type);
const char *path = SCARG_P32(uap, path);
int flags = SCARG(uap, flags);
- void *data = SCARG_P32(uap, data);
+ void *data, *udata;
size_t data_len = SCARG(uap, data_len);
enum uio_seg data_seg;
size_t len;
int error;
+ udata = data = SCARG_P32(uap, data);
+ memset(&fs_args32, 0, sizeof(fs_args32));
+
error = copyinstr(type, mtype, sizeof(mtype), &len);
if (error)
return error;
+
if (strcmp(mtype, MOUNT_TMPFS) == 0) {
- if (data_len != sizeof(fs_args32.tmpfs_args))
+ if (data_len < sizeof(fs_args32.tmpfs_args))
return EINVAL;
if ((flags & MNT_GETARGS) == 0) {
error = copyin(data, &fs_args32.tmpfs_args,
@@ -843,7 +847,7 @@
data = &fs_args.tmpfs_args;
data_len = sizeof(fs_args.tmpfs_args);
} else if (strcmp(mtype, MOUNT_MFS) == 0) {
- if (data_len != sizeof(fs_args32.mfs_args))
+ if (data_len < sizeof(fs_args32.mfs_args))
return EINVAL;
if ((flags & MNT_GETARGS) == 0) {
error = copyin(data, &fs_args32.mfs_args,
@@ -864,7 +868,7 @@
} else if ((strcmp(mtype, MOUNT_UFS) == 0) ||
(strcmp(mtype, MOUNT_EXT2FS) == 0) ||
(strcmp(mtype, MOUNT_LFS) == 0)) {
- if (data_len > sizeof(fs_args32.ufs_args))
+ if (data_len < sizeof(fs_args32.ufs_args))
return EINVAL;
if ((flags & MNT_GETARGS) == 0) {
error = copyin(data, &fs_args32.ufs_args,
@@ -878,7 +882,7 @@
data = &fs_args.ufs_args;
data_len = sizeof(fs_args.ufs_args);
} else if (strcmp(mtype, MOUNT_CD9660) == 0) {
- if (data_len != sizeof(fs_args32.iso_args))
+ if (data_len < sizeof(fs_args32.iso_args))
return EINVAL;
if ((flags & MNT_GETARGS) == 0) {
error = copyin(data, &fs_args32.iso_args,
@@ -895,7 +899,7 @@
data = &fs_args.iso_args;
data_len = sizeof(fs_args.iso_args);
} else if (strcmp(mtype, MOUNT_MSDOS) == 0) {
- if (data_len != sizeof(fs_args32.msdosfs_args))
+ if (data_len < sizeof(fs_args32.msdosfs_args))
return EINVAL;
if ((flags & MNT_GETARGS) == 0) {
error = copyin(data, &fs_args32.msdosfs_args,
@@ -925,8 +929,9 @@
data = &fs_args.msdosfs_args;
data_len = sizeof(fs_args.msdosfs_args);
} else if (strcmp(mtype, MOUNT_NFS) == 0) {
- if (data_len != sizeof(fs_args32.nfs_args))
+ if (data_len < sizeof(fs_args32.nfs_args))
return EINVAL;
+ /* XXX: NFS requires copyin even with MNT_GETARGS */
if ((flags & MNT_GETARGS) == 0) {
error = copyin(data, &fs_args32.nfs_args,
sizeof(fs_args32.nfs_args));
@@ -952,7 +957,7 @@
data = &fs_args.nfs_args;
data_len = sizeof(fs_args.nfs_args);
} else if (strcmp(mtype, MOUNT_NULL) == 0) {
- if (data_len > sizeof(fs_args32.null_args))
+ if (data_len < sizeof(fs_args32.null_args))
return EINVAL;
if ((flags & MNT_GETARGS) == 0) {
error = copyin(data, &fs_args32.null_args,
@@ -968,10 +973,12 @@
} else {
data_seg = UIO_USERSPACE;
}
+
error = do_sys_mount(l, mtype, UIO_SYSSPACE, path, flags, data, data_seg,
data_len, retval);
if (error)
return error;
+
if (flags & MNT_GETARGS) {
data_len = *retval;
if (strcmp(mtype, MOUNT_TMPFS) == 0) {
@@ -989,8 +996,9 @@
fs_args.tmpfs_args.ta_root_gid;
fs_args32.tmpfs_args.ta_root_mode =
fs_args.tmpfs_args.ta_root_mode;
- error = copyout(&fs_args32.tmpfs_args, data,
+ error = copyout(&fs_args32.tmpfs_args, udata,
sizeof(fs_args32.tmpfs_args));
+ *retval = sizeof(fs_args32.tmpfs_args);
} else if (strcmp(mtype, MOUNT_MFS) == 0) {
if (data_len != sizeof(fs_args.mfs_args))
return EINVAL;
@@ -1001,15 +1009,17 @@
NETBSD32PTR32(fs_args32.mfs_args.base,
fs_args.mfs_args.base);
fs_args32.mfs_args.size = fs_args.mfs_args.size;
- error = copyout(&fs_args32.mfs_args, data,
+ error = copyout(&fs_args32.mfs_args, udata,
sizeof(fs_args32.mfs_args));
+ *retval = sizeof(fs_args32.mfs_args);
} else if (strcmp(mtype, MOUNT_UFS) == 0) {
if (data_len != sizeof(fs_args.ufs_args))
return EINVAL;
NETBSD32PTR32(fs_args32.ufs_args.fspec,
fs_args.ufs_args.fspec);
- error = copyout(&fs_args32.ufs_args, data,
+ error = copyout(&fs_args32.ufs_args, udata,
sizeof(fs_args32.ufs_args));
+ *retval = sizeof(fs_args32.ufs_args);
} else if (strcmp(mtype, MOUNT_CD9660) == 0) {
if (data_len != sizeof(fs_args.iso_args))
return EINVAL;
@@ -1018,16 +1028,12 @@
memset(&fs_args32.iso_args._pad1, 0,
sizeof(fs_args32.iso_args._pad1));
fs_args32.iso_args.flags = fs_args.iso_args.flags;
- error = copyout(&fs_args32.iso_args, data,
+ error = copyout(&fs_args32.iso_args, udata,
sizeof(fs_args32.iso_args));
+ *retval = sizeof(fs_args32.iso_args);
} else if (strcmp(mtype, MOUNT_NFS) == 0) {
if (data_len != sizeof(fs_args.nfs_args))
return EINVAL;
- error = copyin(data, &fs_args32.nfs_args,
- sizeof(fs_args32.nfs_args));
- if (error)
- return error;
- fs_args.nfs_args.version = fs_args32.nfs_args.version;
NETBSD32PTR32(fs_args32.nfs_args.addr,
fs_args.nfs_args.addr);
memcpy(&fs_args32.nfs_args.addrlen,
@@ -1042,15 +1048,17 @@
- offsetof(struct nfs_args, fhsize));
NETBSD32PTR32(fs_args32.nfs_args.hostname,
fs_args.nfs_args.hostname);
- error = copyout(&fs_args32.nfs_args, data,
+ error = copyout(&fs_args32.nfs_args, udata,
sizeof(fs_args32.nfs_args));
+ *retval = sizeof(fs_args32.nfs_args);
} else if (strcmp(mtype, MOUNT_NULL) == 0) {
if (data_len != sizeof(fs_args.null_args))
return EINVAL;
NETBSD32PTR32(fs_args32.null_args.la.target,
fs_args.null_args.la.target);
- error = copyout(&fs_args32.null_args, data,
+ error = copyout(&fs_args32.null_args, udata,
sizeof(fs_args32.null_args));
+ *retval = sizeof(fs_args32.null_args);
}
}
return error;
Home |
Main Index |
Thread Index |
Old Index