Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/sys/compat/netbsd32 Fix netbsd32___mount50():



details:   https://anonhg.NetBSD.org/src/rev/4d4e53cfa566
branches:  trunk
changeset: 965533:4d4e53cfa566
user:      maxv <maxv%NetBSD.org@localhost>
date:      Sat Sep 21 06:56:51 2019 +0000

description:
Fix netbsd32___mount50():

 - zero out fs_args32 to prevent info leaks
 - remove unused and non-functional copyin in NFS (lgtm bot)
 - declare udata, and don't pass kernel pointers to copyout (lgtm bot)
 - make sure data_len is just big enough, to mimic the native behavior
 - don't forget to update *retval with the 32bit value
 - add an XXX for NFS

diffstat:

 sys/compat/netbsd32/netbsd32_fs.c |  50 ++++++++++++++++++++++----------------
 1 files changed, 29 insertions(+), 21 deletions(-)

diffs (181 lines):

diff -r 74118b8d83a1 -r 4d4e53cfa566 sys/compat/netbsd32/netbsd32_fs.c
--- a/sys/compat/netbsd32/netbsd32_fs.c Sat Sep 21 00:01:33 2019 +0000
+++ b/sys/compat/netbsd32/netbsd32_fs.c Sat Sep 21 06:56:51 2019 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: netbsd32_fs.c,v 1.82 2018/12/26 08:01:40 mrg Exp $     */
+/*     $NetBSD: netbsd32_fs.c,v 1.83 2019/09/21 06:56:51 maxv Exp $    */
 
 /*
  * Copyright (c) 1998, 2001 Matthew R. Green
@@ -27,7 +27,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: netbsd32_fs.c,v 1.82 2018/12/26 08:01:40 mrg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: netbsd32_fs.c,v 1.83 2019/09/21 06:56:51 maxv Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -809,17 +809,21 @@
        const char *type = SCARG_P32(uap, type);
        const char *path = SCARG_P32(uap, path);
        int flags = SCARG(uap, flags);
-       void *data = SCARG_P32(uap, data);
+       void *data, *udata;
        size_t data_len = SCARG(uap, data_len);
        enum uio_seg data_seg;
        size_t len;
        int error;
  
+       udata = data = SCARG_P32(uap, data);
+       memset(&fs_args32, 0, sizeof(fs_args32));
+
        error = copyinstr(type, mtype, sizeof(mtype), &len);
        if (error)
                return error;
+
        if (strcmp(mtype, MOUNT_TMPFS) == 0) {
-               if (data_len != sizeof(fs_args32.tmpfs_args))
+               if (data_len < sizeof(fs_args32.tmpfs_args))
                        return EINVAL;
                if ((flags & MNT_GETARGS) == 0) {
                        error = copyin(data, &fs_args32.tmpfs_args, 
@@ -843,7 +847,7 @@
                data = &fs_args.tmpfs_args;
                data_len = sizeof(fs_args.tmpfs_args);
        } else if (strcmp(mtype, MOUNT_MFS) == 0) {
-               if (data_len != sizeof(fs_args32.mfs_args))
+               if (data_len < sizeof(fs_args32.mfs_args))
                        return EINVAL;
                if ((flags & MNT_GETARGS) == 0) {
                        error = copyin(data, &fs_args32.mfs_args, 
@@ -864,7 +868,7 @@
        } else if ((strcmp(mtype, MOUNT_UFS) == 0) ||
                   (strcmp(mtype, MOUNT_EXT2FS) == 0) ||
                   (strcmp(mtype, MOUNT_LFS) == 0)) {
-               if (data_len > sizeof(fs_args32.ufs_args))
+               if (data_len < sizeof(fs_args32.ufs_args))
                        return EINVAL;
                if ((flags & MNT_GETARGS) == 0) {
                        error = copyin(data, &fs_args32.ufs_args, 
@@ -878,7 +882,7 @@
                data = &fs_args.ufs_args;
                data_len = sizeof(fs_args.ufs_args);
        } else if (strcmp(mtype, MOUNT_CD9660) == 0) {
-               if (data_len != sizeof(fs_args32.iso_args))
+               if (data_len < sizeof(fs_args32.iso_args))
                        return EINVAL;
                if ((flags & MNT_GETARGS) == 0) {
                        error = copyin(data, &fs_args32.iso_args, 
@@ -895,7 +899,7 @@
                data = &fs_args.iso_args;
                data_len = sizeof(fs_args.iso_args);
        } else if (strcmp(mtype, MOUNT_MSDOS) == 0) {
-               if (data_len != sizeof(fs_args32.msdosfs_args))
+               if (data_len < sizeof(fs_args32.msdosfs_args))
                        return EINVAL;
                if ((flags & MNT_GETARGS) == 0) {
                        error = copyin(data, &fs_args32.msdosfs_args, 
@@ -925,8 +929,9 @@
                data = &fs_args.msdosfs_args;
                data_len = sizeof(fs_args.msdosfs_args);
        } else if (strcmp(mtype, MOUNT_NFS) == 0) {
-               if (data_len != sizeof(fs_args32.nfs_args))
+               if (data_len < sizeof(fs_args32.nfs_args))
                        return EINVAL;
+               /* XXX: NFS requires copyin even with MNT_GETARGS */
                if ((flags & MNT_GETARGS) == 0) {
                        error = copyin(data, &fs_args32.nfs_args, 
                            sizeof(fs_args32.nfs_args));
@@ -952,7 +957,7 @@
                data = &fs_args.nfs_args;
                data_len = sizeof(fs_args.nfs_args);
        } else if (strcmp(mtype, MOUNT_NULL) == 0) {
-               if (data_len > sizeof(fs_args32.null_args))
+               if (data_len < sizeof(fs_args32.null_args))
                        return EINVAL;
                if ((flags & MNT_GETARGS) == 0) {
                        error = copyin(data, &fs_args32.null_args, 
@@ -968,10 +973,12 @@
        } else {
                data_seg = UIO_USERSPACE;
        }
+
        error = do_sys_mount(l, mtype, UIO_SYSSPACE, path, flags, data, data_seg,
            data_len, retval);
        if (error)
                return error;
+
        if (flags & MNT_GETARGS) {
                data_len = *retval;
                if (strcmp(mtype, MOUNT_TMPFS) == 0) {
@@ -989,8 +996,9 @@
                            fs_args.tmpfs_args.ta_root_gid;
                        fs_args32.tmpfs_args.ta_root_mode =
                            fs_args.tmpfs_args.ta_root_mode;
-                       error = copyout(&fs_args32.tmpfs_args, data,
+                       error = copyout(&fs_args32.tmpfs_args, udata,
                                    sizeof(fs_args32.tmpfs_args));
+                       *retval = sizeof(fs_args32.tmpfs_args);
                } else if (strcmp(mtype, MOUNT_MFS) == 0) {
                        if (data_len != sizeof(fs_args.mfs_args))
                                return EINVAL;
@@ -1001,15 +1009,17 @@
                        NETBSD32PTR32(fs_args32.mfs_args.base,
                            fs_args.mfs_args.base);
                        fs_args32.mfs_args.size = fs_args.mfs_args.size;
-                       error = copyout(&fs_args32.mfs_args, data,
+                       error = copyout(&fs_args32.mfs_args, udata,
                                    sizeof(fs_args32.mfs_args));
+                       *retval = sizeof(fs_args32.mfs_args);
                } else if (strcmp(mtype, MOUNT_UFS) == 0) {
                        if (data_len != sizeof(fs_args.ufs_args))
                                return EINVAL;
                        NETBSD32PTR32(fs_args32.ufs_args.fspec,
                            fs_args.ufs_args.fspec);
-                       error = copyout(&fs_args32.ufs_args, data, 
+                       error = copyout(&fs_args32.ufs_args, udata, 
                            sizeof(fs_args32.ufs_args));
+                       *retval = sizeof(fs_args32.ufs_args);
                } else if (strcmp(mtype, MOUNT_CD9660) == 0) {
                        if (data_len != sizeof(fs_args.iso_args))
                                return EINVAL;
@@ -1018,16 +1028,12 @@
                        memset(&fs_args32.iso_args._pad1, 0,
                            sizeof(fs_args32.iso_args._pad1));
                        fs_args32.iso_args.flags = fs_args.iso_args.flags;
-                       error = copyout(&fs_args32.iso_args, data,
+                       error = copyout(&fs_args32.iso_args, udata,
                                    sizeof(fs_args32.iso_args));
+                       *retval = sizeof(fs_args32.iso_args);
                } else if (strcmp(mtype, MOUNT_NFS) == 0) {
                        if (data_len != sizeof(fs_args.nfs_args))
                                return EINVAL;
-                       error = copyin(data, &fs_args32.nfs_args, 
-                           sizeof(fs_args32.nfs_args));
-                       if (error)
-                               return error;
-                       fs_args.nfs_args.version = fs_args32.nfs_args.version;
                        NETBSD32PTR32(fs_args32.nfs_args.addr,
                            fs_args.nfs_args.addr);
                        memcpy(&fs_args32.nfs_args.addrlen,
@@ -1042,15 +1048,17 @@
                                - offsetof(struct nfs_args, fhsize));
                        NETBSD32PTR32(fs_args32.nfs_args.hostname,
                            fs_args.nfs_args.hostname);
-                       error = copyout(&fs_args32.nfs_args, data,
+                       error = copyout(&fs_args32.nfs_args, udata,
                            sizeof(fs_args32.nfs_args));
+                       *retval = sizeof(fs_args32.nfs_args);
                } else if (strcmp(mtype, MOUNT_NULL) == 0) {
                        if (data_len != sizeof(fs_args.null_args))
                                return EINVAL;
                        NETBSD32PTR32(fs_args32.null_args.la.target,
                            fs_args.null_args.la.target);
-                       error = copyout(&fs_args32.null_args, data, 
+                       error = copyout(&fs_args32.null_args, udata, 
                            sizeof(fs_args32.null_args));
+                       *retval = sizeof(fs_args32.null_args);
                }
        }
        return error;



Home | Main Index | Thread Index | Old Index