CVS commit: [netbsd-6-0] src/sys/compat/linux32/arch/amd64
Module Name:src Committed By: snj Date: Sat Sep 9 16:53:33 UTC 2017 Modified Files: src/sys/compat/linux32/arch/amd64 [netbsd-6-0]: linux32_machdep.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1502): sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.39 Fix a ring0 escalation vulnerability in compat_linux32 where the index of %cs is controlled by userland, making it easy to trigger the page fault and get kernel privileges. To generate a diff of this commit: cvs rdiff -u -r1.29 -r1.29.14.1 \ src/sys/compat/linux32/arch/amd64/linux32_machdep.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/linux32/arch/amd64/linux32_machdep.c diff -u src/sys/compat/linux32/arch/amd64/linux32_machdep.c:1.29 src/sys/compat/linux32/arch/amd64/linux32_machdep.c:1.29.14.1 --- src/sys/compat/linux32/arch/amd64/linux32_machdep.c:1.29 Fri Mar 4 22:25:31 2011 +++ src/sys/compat/linux32/arch/amd64/linux32_machdep.c Sat Sep 9 16:53:33 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: linux32_machdep.c,v 1.29 2011/03/04 22:25:31 joerg Exp $ */ +/* $NetBSD: linux32_machdep.c,v 1.29.14.1 2017/09/09 16:53:33 snj Exp $ */ /*- * Copyright (c) 2006 Emmanuel Dreyfus, all rights reserved. @@ -31,7 +31,7 @@ * POSSIBILITY OF SUCH DAMAGE. */ #include -__KERNEL_RCSID(0, "$NetBSD: linux32_machdep.c,v 1.29 2011/03/04 22:25:31 joerg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: linux32_machdep.c,v 1.29.14.1 2017/09/09 16:53:33 snj Exp $"); #include #include @@ -428,8 +428,9 @@ linux32_restore_sigcontext(struct lwp *l /* * Check for security violations. */ - if (((scp->sc_eflags ^ tf->tf_rflags) & PSL_USERSTATIC) != 0 || - !USERMODE(scp->sc_cs, scp->sc_eflags)) + if (((scp->sc_eflags ^ tf->tf_rflags) & PSL_USERSTATIC) != 0) + return EINVAL; + if (!VALID_USER_CSEL32(scp->sc_cs)) return EINVAL; if (scp->sc_fs != 0 && !VALID_USER_DSEL32(scp->sc_fs) &&
CVS commit: [netbsd-6-0] src/sys/compat/linux/common
Module Name:src Committed By: snj Date: Sat Aug 19 05:03:57 UTC 2017 Modified Files: src/sys/compat/linux/common [netbsd-6-0]: linux_time.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1489): sys/compat/linux/common/linux_time.c: 1.38-1.39 via patch Only let the superuser set the compat_linux timezone. Not really keen to invent a new kauth cookie for this useless purpose. >From Ilja Van Sprundel. -- Put suser check in the right function: settimeofday, not gettimeofday. While here, remove wrong comment. Noted by kre@. To generate a diff of this commit: cvs rdiff -u -r1.35 -r1.35.12.1 src/sys/compat/linux/common/linux_time.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/linux/common/linux_time.c diff -u src/sys/compat/linux/common/linux_time.c:1.35 src/sys/compat/linux/common/linux_time.c:1.35.12.1 --- src/sys/compat/linux/common/linux_time.c:1.35 Fri Nov 18 04:07:44 2011 +++ src/sys/compat/linux/common/linux_time.c Sat Aug 19 05:03:57 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: linux_time.c,v 1.35 2011/11/18 04:07:44 christos Exp $ */ +/* $NetBSD: linux_time.c,v 1.35.12.1 2017/08/19 05:03:57 snj Exp $ */ /*- * Copyright (c) 2001 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: linux_time.c,v 1.35 2011/11/18 04:07:44 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: linux_time.c,v 1.35.12.1 2017/08/19 05:03:57 snj Exp $"); #include #include @@ -109,11 +109,10 @@ linux_sys_settimeofday(struct lwp *l, co return (error); } - /* - * If user is not the superuser, we returned - * after the sys_settimeofday() call. - */ if (SCARG(uap, tzp)) { + if (kauth_authorize_generic(kauth_cred_get(), + KAUTH_GENERIC_ISSUSER, NULL) != 0) + return (EPERM); error = copyin(SCARG(uap, tzp), _sys_tz, sizeof(linux_sys_tz)); if (error) return (error);
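Review bot: The new `if (kauth_authorize_generic(kauth_cred_get(), KAUTH_GENERIC_ISSUSER, NULL) != 0)` in linux_sys_settimeofday() gates the timezone write on the generic superuser bit, while the tv half of the same call is handled by sys_settimeofday() above the hunk (the removed comment refers to it), which presumably runs its own kauth(9) action; the two halves of one syscall now answer to different policy hooks, so a secmodel that decides time-setting by action rather than by uid will not see the tz write. If the shortcut is deliberate, as the log message suggests, say so at the call site with `/* Generic superuser test on purpose: no kauth action exists for the emulated tz */`; otherwise route it through the same system-time action the native path uses, if the tree provides one. The target `linux_sys_tz` looks like a single kernel-global rather than per-process state, which is worth a word in that comment. linux_sys_settimeofday() starts before the hunk.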
CVS commit: [netbsd-6-0] src/sys/compat
Module Name:src Committed By: snj Date: Sat Aug 19 04:19:56 UTC 2017 Modified Files: src/sys/compat/common [netbsd-6-0]: vfs_syscalls_12.c vfs_syscalls_43.c src/sys/compat/ibcs2 [netbsd-6-0]: ibcs2_misc.c src/sys/compat/linux/common [netbsd-6-0]: linux_file64.c linux_misc.c src/sys/compat/linux32/common [netbsd-6-0]: linux32_dirent.c src/sys/compat/osf1 [netbsd-6-0]: osf1_file.c src/sys/compat/sunos [netbsd-6-0]: sunos_misc.c src/sys/compat/sunos32 [netbsd-6-0]: sunos32_misc.c src/sys/compat/svr4 [netbsd-6-0]: svr4_misc.c src/sys/compat/svr4_32 [netbsd-6-0]: svr4_32_misc.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1483): sys/compat/common/vfs_syscalls_12.c: revision 1.34 sys/compat/svr4_32/svr4_32_misc.c: revision 1.78 sys/compat/sunos32/sunos32_misc.c: revision 1.78 sys/compat/linux/common/linux_misc.c: revision 1.239 sys/compat/osf1/osf1_file.c: revision 1.44 sys/compat/common/vfs_syscalls_43.c: revision 1.60 sys/compat/svr4/svr4_misc.c: revision 1.158 sys/compat/ibcs2/ibcs2_misc.c: revision 1.114 sys/compat/linux/common/linux_file64.c: revision 1.59 sys/compat/linux32/common/linux32_dirent.c: revision 1.18 sys/compat/sunos/sunos_misc.c: revision 1.171 Fail, don't panic, on bad dirents from file system. Controllable via puffs from userland. >From Ilja Van Sprundel. 
To generate a diff of this commit: cvs rdiff -u -r1.29.18.1 -r1.29.18.2 src/sys/compat/common/vfs_syscalls_12.c cvs rdiff -u -r1.54.20.2 -r1.54.20.3 src/sys/compat/common/vfs_syscalls_43.c cvs rdiff -u -r1.111 -r1.111.20.1 src/sys/compat/ibcs2/ibcs2_misc.c cvs rdiff -u -r1.53 -r1.53.14.1 src/sys/compat/linux/common/linux_file64.c cvs rdiff -u -r1.219 -r1.219.14.1 src/sys/compat/linux/common/linux_misc.c cvs rdiff -u -r1.13 -r1.13.14.1 \ src/sys/compat/linux32/common/linux32_dirent.c cvs rdiff -u -r1.41.14.1 -r1.41.14.2 src/sys/compat/osf1/osf1_file.c cvs rdiff -u -r1.168 -r1.168.20.1 src/sys/compat/sunos/sunos_misc.c cvs rdiff -u -r1.74 -r1.74.8.1 src/sys/compat/sunos32/sunos32_misc.c cvs rdiff -u -r1.155 -r1.155.14.1 src/sys/compat/svr4/svr4_misc.c cvs rdiff -u -r1.74 -r1.74.14.1 src/sys/compat/svr4_32/svr4_32_misc.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/common/vfs_syscalls_12.c diff -u src/sys/compat/common/vfs_syscalls_12.c:1.29.18.1 src/sys/compat/common/vfs_syscalls_12.c:1.29.18.2 --- src/sys/compat/common/vfs_syscalls_12.c:1.29.18.1 Sat Aug 12 16:20:59 2017 +++ src/sys/compat/common/vfs_syscalls_12.c Sat Aug 19 04:19:55 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: vfs_syscalls_12.c,v 1.29.18.1 2017/08/12 16:20:59 snj Exp $ */ +/* $NetBSD: vfs_syscalls_12.c,v 1.29.18.2 2017/08/19 04:19:55 snj Exp $ */ /* * Copyright (c) 1989, 1993 @@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_12.c,v 1.29.18.1 2017/08/12 16:20:59 snj Exp $"); +__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_12.c,v 1.29.18.2 2017/08/19 04:19:55 snj Exp $"); #include #include 
@@ -171,8 +171,10 @@ again: for (cookie = cookiebuf; len > 0; len -= reclen) { bdp = (struct dirent *)inp; reclen = bdp->d_reclen; - if (reclen & 3) - panic(__func__); + if (reclen & 3) { + error = EIO; + goto out; + } if (bdp->d_fileno == 0) { inp += reclen; /* it is a hole; squish it out */ if (cookie) Index: src/sys/compat/common/vfs_syscalls_43.c diff -u src/sys/compat/common/vfs_syscalls_43.c:1.54.20.2 src/sys/compat/common/vfs_syscalls_43.c:1.54.20.3 --- src/sys/compat/common/vfs_syscalls_43.c:1.54.20.2 Sat Aug 12 16:20:59 2017 +++ src/sys/compat/common/vfs_syscalls_43.c Sat Aug 19 04:19:55 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: vfs_syscalls_43.c,v 1.54.20.2 2017/08/12 16:20:59 snj Exp $ */ +/* $NetBSD: vfs_syscalls_43.c,v 1.54.20.3 2017/08/19 04:19:55 snj Exp $ */ /* * Copyright (c) 1989, 1993 @@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_43.c,v 1.54.20.2 2017/08/12 16:20:59 snj Exp $"); +__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_43.c,v 1.54.20.3 2017/08/19 04:19:55 snj Exp $"); #if defined(_KERNEL_OPT) #include "opt_compat_netbsd.h" @@ -448,8 +448,10 @@ again: for (cookie = cookiebuf; len > 0; len -= reclen) { bdp = (struct dirent *)inp; reclen = bdp->d_reclen; - if (reclen & 3) - panic(__func__); + if (reclen & 3) { + error = EIO; + goto out; + } if (bdp->d_fileno == 0) { inp += reclen; /* it is a hole; squish it out */ if (cookie) Index: src/sys/compat/ibcs2/ibcs2_misc.c diff -u src/sys/compat/ibcs2/ibcs2_misc.c:1.111 src/sys/compat/ibcs2/ibcs2_misc.c:1.111.20.1 --- src/sys/compat/ibcs2/ibcs2_misc.c:1.111 Thu Jun 24 13:03:06 2010 +++ src/sys/compat/ibcs2/ibcs2_misc.c Sat Aug 19 04:19:55 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: ibcs2_misc.c,v 1.111 2010/06/24
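Review bot: The new `if (reclen & 3) { error = EIO; goto out; }` in the vfs_syscalls_43.c loop rejects misaligned records but still accepts `reclen == 0`, and with a zero reclen neither `inp += reclen` in the hole branch nor the loop's `len -= reclen` makes progress, so a file system that hands back a zero-length dirent (puffs, per the log message) turns the old panic into a kernel hang in the same loop. The `reclen > len` bound that the vfs_syscalls_12.c copy of this loop applies further down (visible in the 12 August pullup on this page) does not cover zero either. I would widen the guard to `if (reclen == 0 || (reclen & 3)) {` in both files, or compare against the minimum dirent size if the header exposes one; the same applies to the `@@ -171,8 +171,10 @@` hunk above. The for loop and its function continue outside the hunk.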
CVS commit: [netbsd-6-0] src/sys/compat/ibcs2
Module Name:src Committed By: snj Date: Sat Aug 19 04:13:48 UTC 2017 Modified Files: src/sys/compat/ibcs2 [netbsd-6-0]: ibcs2_exec_coff.c ibcs2_ioctl.c ibcs2_stat.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1481): sys/compat/ibcs2/ibcs2_exec_coff.c: 1.27-1.29 sys/compat/ibcs2/ibcs2_ioctl.c: 1.46 sys/compat/ibcs2/ibcs2_stat.c: 1.49-1.50 Check for NUL termination within the buffer we have. >From Ilja Van Sprundel. -- Make sure we have enough space in the buffer before reading it. >From Ilja Van Sprundel. -- Make sure we move forward over the buffer. >From Ilja Van Sprundel. -- Zero buffers in ibcs2 ioctl to avoid disclosing stack to userland. >From Ilja Van Sprundel. -- Don't drop vnode ref until we're done with mount in ibcs2_stat(v)fs. Nothing else guarantees the mount will stick around. >From Ilja Van Sprundel. -- Little happy on the commit trigger. Actually use the out label. To generate a diff of this commit: cvs rdiff -u -r1.25 -r1.25.20.1 src/sys/compat/ibcs2/ibcs2_exec_coff.c cvs rdiff -u -r1.45 -r1.45.42.1 src/sys/compat/ibcs2/ibcs2_ioctl.c cvs rdiff -u -r1.47 -r1.47.24.1 src/sys/compat/ibcs2/ibcs2_stat.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/ibcs2/ibcs2_exec_coff.c diff -u src/sys/compat/ibcs2/ibcs2_exec_coff.c:1.25 src/sys/compat/ibcs2/ibcs2_exec_coff.c:1.25.20.1 --- src/sys/compat/ibcs2/ibcs2_exec_coff.c:1.25 Thu Jul 22 03:19:02 2010 +++ src/sys/compat/ibcs2/ibcs2_exec_coff.c Sat Aug 19 04:13:48 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: ibcs2_exec_coff.c,v 1.25 2010/07/22 03:19:02 christos Exp $ */ +/* $NetBSD: ibcs2_exec_coff.c,v 1.25.20.1 2017/08/19 04:13:48 snj Exp $ */ /* * Copyright (c) 1994, 1995, 1998 Scott Bartram 
@@ -35,7 +35,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ibcs2_exec_coff.c,v 1.25 2010/07/22 03:19:02 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ibcs2_exec_coff.c,v 1.25.20.1 2017/08/19 04:13:48 snj Exp $"); #include #include @@ -454,6 +454,10 @@ exec_ibcs2_coff_prep_zmagic(struct lwp * } bufp = tbuf; while (len) { + if (len < sizeof(struct coff_slhdr)) { +free(tbuf, M_TEMP); +return ENOEXEC; + } slhdr = (struct coff_slhdr *)bufp; if (slhdr->path_index > LONG_MAX / sizeof(long) || @@ -465,7 +469,9 @@ exec_ibcs2_coff_prep_zmagic(struct lwp * path_index = slhdr->path_index * sizeof(long); entry_len = slhdr->entry_len * sizeof(long); - if (entry_len > len) { + if (entry_len < sizeof(struct coff_slhdr) || + entry_len > len || + strnlen(slhdr->sl_name, entry_len) == entry_len) { free(tbuf, M_TEMP); return ENOEXEC; } Index: src/sys/compat/ibcs2/ibcs2_ioctl.c diff -u src/sys/compat/ibcs2/ibcs2_ioctl.c:1.45 src/sys/compat/ibcs2/ibcs2_ioctl.c:1.45.42.1 --- src/sys/compat/ibcs2/ibcs2_ioctl.c:1.45 Tue Jun 24 10:03:17 2008 +++ src/sys/compat/ibcs2/ibcs2_ioctl.c Sat Aug 19 04:13:48 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: ibcs2_ioctl.c,v 1.45 2008/06/24 10:03:17 gmcgarry Exp $ */ +/* $NetBSD: ibcs2_ioctl.c,v 1.45.42.1 2017/08/19 04:13:48 snj Exp $ */ /* * Copyright (c) 1994, 1995 Scott Bartram @@ -27,7 +27,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ibcs2_ioctl.c,v 1.45 2008/06/24 10:03:17 gmcgarry Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ibcs2_ioctl.c,v 1.45.42.1 2017/08/19 04:13:48 snj Exp $"); #include #include @@ -402,8 +402,10 @@ ibcs2_sys_ioctl(struct lwp *l, const str if ((error = (*ctl)(fp, TIOCGETA, )) != 0) goto out; + memset(, 0, sizeof(sts)); btios2stios(, ); if (SCARG(uap, cmd) == IBCS2_TCGETA) { + memset(, 0, sizeof(st)); stios2stio(, ); error = copyout(, SCARG(uap, data), sizeof(st)); if (error) 
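Review bot: In the ibcs2_exec_coff.c `@@ -465,7 +469,9 @@` hunk, `strnlen(slhdr->sl_name, entry_len) == entry_len` bounds the scan by the whole entry length but starts at sl_name, which sits some bytes into the entry, so if sl_name is the trailing member of struct coff_slhdr the scan can run up to offsetof(struct coff_slhdr, sl_name) bytes past the entry, and past the end of tbuf for the last entry. The new `entry_len < sizeof(struct coff_slhdr)` test makes the subtraction safe, so I would bound by the bytes the name can actually occupy: `size_t namemax = entry_len - offsetof(struct coff_slhdr, sl_name);` and `strnlen(slhdr->sl_name, namemax) == namemax`. The layout of coff_slhdr is not in the hunk, so confirm where sl_name lives before changing this. The while loop and the enclosing function continue outside the hunk.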
@@ -559,6 +561,7 @@ ibcs2_sys_gtty(struct lwp *l, const stru fd_putfile(SCARG(uap, fd)); + memset(, 0, sizeof(itb)); itb.sg_ispeed = tb.sg_ispeed; itb.sg_ospeed = tb.sg_ospeed; itb.sg_erase = tb.sg_erase; Index: src/sys/compat/ibcs2/ibcs2_stat.c diff -u src/sys/compat/ibcs2/ibcs2_stat.c:1.47 src/sys/compat/ibcs2/ibcs2_stat.c:1.47.24.1 --- src/sys/compat/ibcs2/ibcs2_stat.c:1.47 Mon Jun 29 05:08:16 2009 +++ src/sys/compat/ibcs2/ibcs2_stat.c Sat Aug 19 04:13:48 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: ibcs2_stat.c,v 1.47 2009/06/29 05:08:16 dholland Exp $ */ +/* $NetBSD: ibcs2_stat.c,v 1.47.24.1 2017/08/19 04:13:48 snj Exp $ */ /* * Copyright (c) 1995, 1998 Scott Bartram * All rights reserved. @@ -27,7 +27,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ibcs2_stat.c,v 1.47 2009/06/29 05:08:16 dholland Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ibcs2_stat.c,v 1.47.24.1 2017/08/19 04:13:48 snj Exp $"); #include #include @@ -147,11 +147,13 @@ ibcs2_sys_statfs(struct lwp *l, const st return (error); mp = vp->v_mount; sp = >mnt_stat; - vrele(vp); if ((error = VFS_STATVFS(mp, sp)) != 0) - return (error); + goto out; sp->f_flag =
CVS commit: [netbsd-6-0] src/sys/compat/svr4_32
Module Name:src Committed By: snj Date: Sat Aug 19 04:01:28 UTC 2017 Modified Files: src/sys/compat/svr4_32 [netbsd-6-0]: svr4_32_signal.c Log Message: Pull up following revision(s) (requested by martin in ticket #1481): sys/compat/svr4_32/svr4_32_signal.c: 1.30 make it compile again. To generate a diff of this commit: cvs rdiff -u -r1.26.46.1 -r1.26.46.2 src/sys/compat/svr4_32/svr4_32_signal.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/svr4_32/svr4_32_signal.c diff -u src/sys/compat/svr4_32/svr4_32_signal.c:1.26.46.1 src/sys/compat/svr4_32/svr4_32_signal.c:1.26.46.2 --- src/sys/compat/svr4_32/svr4_32_signal.c:1.26.46.1 Sat Aug 19 03:40:46 2017 +++ src/sys/compat/svr4_32/svr4_32_signal.c Sat Aug 19 04:01:28 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: svr4_32_signal.c,v 1.26.46.1 2017/08/19 03:40:46 snj Exp $ */ +/* $NetBSD: svr4_32_signal.c,v 1.26.46.2 2017/08/19 04:01:28 snj Exp $ */ /*- * Copyright (c) 1994, 1998 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: svr4_32_signal.c,v 1.26.46.1 2017/08/19 03:40:46 snj Exp $"); +__KERNEL_RCSID(0, "$NetBSD: svr4_32_signal.c,v 1.26.46.2 2017/08/19 04:01:28 snj Exp $"); #if defined(_KERNEL_OPT) #include "opt_compat_svr4.h" @@ -397,16 +397,16 @@ svr4_32_sys_signal(struct lwp *l, const nbsa.sa_handler = (sig_t)SCARG(uap, handler); sigemptyset(_mask); nbsa.sa_flags = 0; - error = sigaction1(l, signum, , , NULL, 0); + error = sigaction1(l, native_signo, , , NULL, 0); if (error) - return (error); + return error; *retval = (u_int)(u_long)obsa.sa_handler; - return (0); + return 0; case SVR4_SIGHOLD_MASK: sighold: sigemptyset(); - sigaddset(, signum); + sigaddset(, native_signo); mutex_enter(p->p_lock); error = sigprocmask1(l, SIG_BLOCK, , 0); mutex_exit(p->p_lock); 
@@ -414,7 +414,7 @@ svr4_32_sys_signal(struct lwp *l, const case SVR4_SIGRELSE_MASK: sigemptyset(); - sigaddset(, signum); + sigaddset(, native_signo); mutex_enter(p->p_lock); error = sigprocmask1(l, SIG_UNBLOCK, , 0); mutex_exit(p->p_lock); @@ -424,17 +424,17 @@ svr4_32_sys_signal(struct lwp *l, const nbsa.sa_handler = SIG_IGN; sigemptyset(_mask); nbsa.sa_flags = 0; - return (sigaction1(l, signum, , 0, NULL, 0)); + return sigaction1(l, native_signo, , 0, NULL, 0); case SVR4_SIGPAUSE_MASK: mutex_enter(p->p_lock); ss = l->l_sigmask; mutex_exit(p->p_lock); - sigdelset(, signum); - return (sigsuspend1(l, )); + sigdelset(, native_signo); + return sigsuspend1(l, ); default: - return (ENOSYS); + return ENOSYS; } }
CVS commit: [netbsd-6-0] src/sys/compat
Module Name:src Committed By: snj Date: Sat Aug 19 03:40:46 UTC 2017 Modified Files: src/sys/compat/svr4 [netbsd-6-0]: svr4_lwp.c svr4_signal.c svr4_stream.c src/sys/compat/svr4_32 [netbsd-6-0]: svr4_32_signal.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1479): sys/compat/svr4/svr4_lwp.c: 1.20 sys/compat/svr4/svr4_signal.c: 1.67 sys/compat/svr4/svr4_stream.c: 1.89-1.91 via patch sys/compat/svr4_32/svr4_32_signal.c: 1.29 Fix some of the multitudinous holes in svr4 streams. We should never have enabled this by default; it is a minefield. >From Ilja Van Sprundel. -- Zero stack data before copyout. >From Ilja Van Sprundel. -- Fix indexing of svr4 signals. >From Ilja Van Sprundel. -- Feebly attempt to get this reference counting less bad. This svr4 streams code is bad and it should feel bad. >From Ilja Van Sprundel. -- Check bounds in svr4_sys_putmsg. Check more svr4_strmcmd bounds. svr4 streams code is still a disaster. >From Ilja Van Sprundel. To generate a diff of this commit: cvs rdiff -u -r1.19 -r1.19.24.1 src/sys/compat/svr4/svr4_lwp.c cvs rdiff -u -r1.65 -r1.65.16.1 src/sys/compat/svr4/svr4_signal.c cvs rdiff -u -r1.79 -r1.79.14.1 src/sys/compat/svr4/svr4_stream.c cvs rdiff -u -r1.26 -r1.26.46.1 src/sys/compat/svr4_32/svr4_32_signal.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/svr4/svr4_lwp.c diff -u src/sys/compat/svr4/svr4_lwp.c:1.19 src/sys/compat/svr4/svr4_lwp.c:1.19.24.1 --- src/sys/compat/svr4/svr4_lwp.c:1.19 Mon Nov 23 00:46:07 2009 +++ src/sys/compat/svr4/svr4_lwp.c Sat Aug 19 03:40:46 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: svr4_lwp.c,v 1.19 2009/11/23 00:46:07 rmind Exp $ */ +/* $NetBSD: svr4_lwp.c,v 1.19.24.1 2017/08/19 03:40:46 snj Exp $ */ /*- * Copyright (c) 1999 The NetBSD Foundation, Inc. 
@@ -30,7 +30,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: svr4_lwp.c,v 1.19 2009/11/23 00:46:07 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: svr4_lwp.c,v 1.19.24.1 2017/08/19 03:40:46 snj Exp $"); #include #include @@ -108,6 +108,8 @@ svr4_sys__lwp_info(struct lwp *l, const struct svr4_lwpinfo lwpinfo; int error; + memset(, 0, sizeof(lwpinfo)); + /* XXX NJWLWP */ TIMEVAL_TO_TIMESPEC(>l_proc->p_stats->p_ru.ru_stime, _stime); TIMEVAL_TO_TIMESPEC(>l_proc->p_stats->p_ru.ru_utime, _utime); Index: src/sys/compat/svr4/svr4_signal.c diff -u src/sys/compat/svr4/svr4_signal.c:1.65 src/sys/compat/svr4/svr4_signal.c:1.65.16.1 --- src/sys/compat/svr4/svr4_signal.c:1.65 Thu Feb 3 21:45:31 2011 +++ src/sys/compat/svr4/svr4_signal.c Sat Aug 19 03:40:46 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: svr4_signal.c,v 1.65 2011/02/03 21:45:31 joerg Exp $ */ +/* $NetBSD: svr4_signal.c,v 1.65.16.1 2017/08/19 03:40:46 snj Exp $ */ /*- * Copyright (c) 1994, 1998 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: svr4_signal.c,v 1.65 2011/02/03 21:45:31 joerg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: svr4_signal.c,v 1.65.16.1 2017/08/19 03:40:46 snj Exp $"); #include #include @@ -73,6 +73,21 @@ void native_to_svr4_sigaction(const stru extern const int native_to_svr4_signo[]; extern const int svr4_to_native_signo[]; +static int +svr4_decode_signum(int signum, int *native_signo, int *sigcall) +{ + + if (SVR4_SIGNO(signum) >= SVR4_NSIG) + return EINVAL; + + if (native_signo) + *native_signo = svr4_to_native_signo[SVR4_SIGNO(signum)]; + if (sigcall) + *sigcall = SVR4_SIGCALL(signum); + + return 0; +} + static inline void svr4_sigfillset(svr4_sigset_t *s) { @@ -174,6 +189,7 @@ svr4_sys_sigaction(struct lwp *l, const } */ struct svr4_sigaction nssa, ossa; struct sigaction nbsa, obsa; + int native_signo; int error; if (SCARG(uap, nsa)) { 
@@ -182,7 +198,12 @@ svr4_sys_sigaction(struct lwp *l, const return (error); svr4_to_native_sigaction(, ); } - error = sigaction1(l, svr4_to_native_signo[SVR4_SIGNO(SCARG(uap, signum))], + + error = svr4_decode_signum(SCARG(uap, signum), _signo, NULL); + if (error) + return error; + + error = sigaction1(l, native_signo, SCARG(uap, nsa) ? : 0, SCARG(uap, osa) ? : 0, NULL, 0); if (error) @@ -217,16 +238,18 @@ svr4_sys_signal(struct lwp *l, const str syscallarg(int) signum; syscallarg(svr4_sig_t) handler; } */ - int signum = svr4_to_native_signo[SVR4_SIGNO(SCARG(uap, signum))]; + int native_signo, sigcall; struct proc *p = l->l_proc; struct sigaction nbsa, obsa; sigset_t ss; int error; - if (signum <= 0 || signum >= SVR4_NSIG) - return (EINVAL); + error = svr4_decode_signum(SCARG(uap, signum), _signo, + ); + if (error) + return error; - switch (SVR4_SIGCALL(SCARG(uap, signum))) { + switch (sigcall) { case SVR4_SIGDEFER_MASK: if (SCARG(uap, handler) == SVR4_SIG_HOLD) goto sighold; @@ -236,7 +259,7 @@ svr4_sys_signal(struct lwp *l, const str
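Review bot: The `@@ -217,16 +238,18 @@` hunk drops the old `if (signum <= 0 || signum >= SVR4_NSIG)` test on the native signal number, and its replacement svr4_decode_signum() (in the `@@ -73,6 +73,21 @@` hunk above) validates only the SVR4 index before returning whatever `svr4_to_native_signo[]` holds; if that table marks signals with no native equivalent as 0 (the table is not in the hunk), svr4_sys_signal() now feeds signal 0 straight to `sigaddset()`/`sigdelset()` in the SIGHOLD, SIGRELSE and SIGPAUSE cases, which index the sigset before its first word. I would reject it once in the decoder so every caller is covered: `int ns = svr4_to_native_signo[SVR4_SIGNO(signum)]; if (ns <= 0) return EINVAL;` before the `*native_signo = ...` store. sigaction1() likely rejects a zero signal on its own, but the set-manipulation paths do not. The switch and the function continue outside the hunk.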
CVS commit: [netbsd-6-0] src/sys/compat
Module Name:src Committed By: snj Date: Sat Aug 12 16:20:59 UTC 2017 Modified Files: src/sys/compat/common [netbsd-6-0]: vfs_syscalls_12.c vfs_syscalls_43.c src/sys/compat/sys [netbsd-6-0]: dirent.h Log Message: Pull up following revision(s) (requested by mrg in ticket #1469): sys/compat/common/vfs_syscalls_12.c: revision 1.30 sys/compat/common/vfs_syscalls_43.c: revision 1.56 sys/compat/sys/dirent.h: revision 1.3 It is wishful thinking that vn_readdir will return dirent12 structures. -- Fix the compat-4.3 getdirentries call (pre d_type). This is used in NetBSD-0.9. -- add a struct for the 4.3BSD struct direct To generate a diff of this commit: cvs rdiff -u -r1.29 -r1.29.18.1 src/sys/compat/common/vfs_syscalls_12.c cvs rdiff -u -r1.54.20.1 -r1.54.20.2 src/sys/compat/common/vfs_syscalls_43.c cvs rdiff -u -r1.2 -r1.2.124.1 src/sys/compat/sys/dirent.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/common/vfs_syscalls_12.c diff -u src/sys/compat/common/vfs_syscalls_12.c:1.29 src/sys/compat/common/vfs_syscalls_12.c:1.29.18.1 --- src/sys/compat/common/vfs_syscalls_12.c:1.29 Wed Jan 19 10:21:16 2011 +++ src/sys/compat/common/vfs_syscalls_12.c Sat Aug 12 16:20:59 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: vfs_syscalls_12.c,v 1.29 2011/01/19 10:21:16 tsutsui Exp $ */ +/* $NetBSD: vfs_syscalls_12.c,v 1.29.18.1 2017/08/12 16:20:59 snj Exp $ */ /* * Copyright (c) 1989, 1993 @@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_12.c,v 1.29 2011/01/19 10:21:16 tsutsui Exp $"); +__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_12.c,v 1.29.18.1 2017/08/12 16:20:59 snj Exp $"); #include #include @@ -56,6 +56,7 @@ __KERNEL_RCSID(0, "$NetBSD: vfs_syscalls #include #include +#include /* * Convert from a new to an old stat structure. 
@@ -96,28 +97,140 @@ compat_12_sys_getdirentries(struct lwp * syscallarg(u_int) count; syscallarg(long *) basep; } */ + struct dirent *bdp; + struct vnode *vp; + char *inp, *tbuf; /* Current-format */ + int len, reclen; /* Current-format */ + char *outp; /* Dirent12-format */ + int resid, old_reclen = 0; /* Dirent12-format */ struct file *fp; - int error, done; + struct uio auio; + struct iovec aiov; + struct dirent12 idb; + off_t off; /* true file offset */ + int buflen, error, eofflag, nbytes; + struct vattr va; + off_t *cookiebuf = NULL, *cookie; + int ncookies; long loff; - + /* fd_getvnode() will use the descriptor for us */ if ((error = fd_getvnode(SCARG(uap, fd), )) != 0) - return error; + return (error); + if ((fp->f_flag & FREAD) == 0) { error = EBADF; - goto out; + goto out1; + } + + vp = (struct vnode *)fp->f_data; + if (vp->v_type != VDIR) { + error = ENOTDIR; + goto out1; } + vn_lock(vp, LK_SHARED | LK_RETRY); + error = VOP_GETATTR(vp, , l->l_cred); + VOP_UNLOCK(vp); + if (error) + goto out1; + loff = fp->f_offset; + nbytes = SCARG(uap, count); + buflen = min(MAXBSIZE, nbytes); + if (buflen < va.va_blocksize) + buflen = va.va_blocksize; + tbuf = malloc(buflen, M_TEMP, M_WAITOK); + + vn_lock(vp, LK_EXCLUSIVE | LK_RETRY); + off = fp->f_offset; +again: + aiov.iov_base = tbuf; + aiov.iov_len = buflen; + auio.uio_iov = + auio.uio_iovcnt = 1; + auio.uio_rw = UIO_READ; + auio.uio_resid = buflen; + auio.uio_offset = off; + UIO_SETUP_SYSSPACE(); + /* + * First we read into the malloc'ed buffer, then + * we massage it into user space, one record at a time. 
+ */ + error = VOP_READDIR(vp, , fp->f_cred, , , + ); + if (error) + goto out; + + inp = tbuf; + outp = SCARG(uap, buf); + resid = nbytes; + if ((len = buflen - auio.uio_resid) == 0) + goto eof; + + for (cookie = cookiebuf; len > 0; len -= reclen) { + bdp = (struct dirent *)inp; + reclen = bdp->d_reclen; + if (reclen & 3) + panic(__func__); + if (bdp->d_fileno == 0) { + inp += reclen; /* it is a hole; squish it out */ + if (cookie) +off = *cookie++; + else +off += reclen; + continue; + } + old_reclen = _DIRENT_RECLEN(, bdp->d_namlen); + if (reclen > len || resid < old_reclen) { + /* entry too big for buffer, so just stop */ + outp++; + break; + } + /* + * Massage in place to make a Dirent12-shaped dirent (otherwise + * we have to worry about touching user memory outside of + * the copyout() call). + */ + idb.d_fileno = (uint32_t)bdp->d_fileno; + idb.d_reclen = (uint16_t)old_reclen; + idb.d_type = (uint8_t)bdp->d_type; + idb.d_namlen = (uint8_t)bdp->d_namlen; + strcpy(idb.d_name, bdp->d_name); + if ((error = copyout(, outp, old_reclen))) + goto out; + /* advance past this real entry */ + inp += reclen; + if (cookie) + off = *cookie++; /* each entry points to itself */ + else + off += reclen; + /* advance output past Dirent12-shaped entry */ + outp += old_reclen; + resid -= old_reclen; + } - error = vn_readdir(fp,
CVS commit: [netbsd-6-0] src/sys/compat/linux/arch/amd64
Module Name:src Committed By: snj Date: Tue Feb 14 16:57:57 UTC 2017 Modified Files: src/sys/compat/linux/arch/amd64 [netbsd-6-0]: linux_machdep.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1433): sys/compat/linux/arch/amd64/linux_machdep.c: 1.50, 1.51 Don't let userland choose %rip. This is the Intel Sysret vulnerability again. -- Make sure %rip is in userland. This is harmless, since the return to userland is made with iret instead of sysret in this path. While here, use size_t. To generate a diff of this commit: cvs rdiff -u -r1.39 -r1.39.10.1 \ src/sys/compat/linux/arch/amd64/linux_machdep.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/linux/arch/amd64/linux_machdep.c diff -u src/sys/compat/linux/arch/amd64/linux_machdep.c:1.39 src/sys/compat/linux/arch/amd64/linux_machdep.c:1.39.10.1 --- src/sys/compat/linux/arch/amd64/linux_machdep.c:1.39 Fri Nov 18 04:07:43 2011 +++ src/sys/compat/linux/arch/amd64/linux_machdep.c Tue Feb 14 16:57:57 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: linux_machdep.c,v 1.39 2011/11/18 04:07:43 christos Exp $ */ +/* $NetBSD: linux_machdep.c,v 1.39.10.1 2017/02/14 16:57:57 snj Exp $ */ /*- * Copyright (c) 2005 Emmanuel Dreyfus, all rights reserved. @@ -33,7 +33,7 @@ #include -__KERNEL_RCSID(0, "$NetBSD: linux_machdep.c,v 1.39 2011/11/18 04:07:43 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: linux_machdep.c,v 1.39.10.1 2017/02/14 16:57:57 snj Exp $"); #include #include @@ -254,7 +254,12 @@ linux_sendsig(const ksiginfo_t *ksi, con if (error != 0) { sigexit(l, SIGILL); return; - } + } + + if ((vaddr_t)catcher >= VM_MAXUSER_ADDRESS) { + sigexit(l, SIGILL); + return; + } linux_buildcontext(l, catcher, sp); tf->tf_rdi = sigframe.info.lsi_signo; 
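Review bot: The new `if ((vaddr_t)catcher >= VM_MAXUSER_ADDRESS)` in linux_sendsig() carries no comment saying why a user-supplied handler address must be range-checked here; the justification (sysret to a kernel or non-canonical %rip faults while still in ring 0) lives only in the commit message, which the next reader of the file will not see. I would add above the test `/* catcher becomes %rip; refuse kernel/non-canonical addresses so the return to userland cannot fault in ring 0 (Intel sysret). */`. Whether this path returns via sysret or iret is not visible in the hunk, so keep the comment to what the check guarantees rather than to the return instruction. linux_sendsig() begins and ends outside the hunk.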
@@ -485,7 +490,7 @@ linux_usertrap(struct lwp *l, vaddr_t tr { struct trapframe *tf = arg; uint64_t retaddr; - int vsyscallnr; + size_t vsyscallnr; /* * Check for a vsyscall. %rip must be the fault address, @@ -515,6 +520,8 @@ linux_usertrap(struct lwp *l, vaddr_t tr */ if (copyin((void *)tf->tf_rsp, , sizeof retaddr) != 0) return 0; + if ((vaddr_t)retaddr >= VM_MAXUSER_ADDRESS) + return 0; tf->tf_rip = retaddr; tf->tf_rax = linux_vsyscall_to_syscall[vsyscallnr]; tf->tf_rsp += 8; /* "pop" the return address */
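Review bot: `tf->tf_rax = linux_vsyscall_to_syscall[vsyscallnr];` is now indexed by a size_t (the `@@ -485,7 +490,7 @@` hunk changes the type), so whatever range test sits between the two hunks must be a pure upper bound; if it was written as `vsyscallnr < 0 || vsyscallnr >= N` the first half is now dead, and if it relied on a signed comparison it is now wrong. That test is outside the hunk, so confirm it reads `if (vsyscallnr >= __arraycount(linux_vsyscall_to_syscall)) return 0;` or equivalent. The new `if ((vaddr_t)retaddr >= VM_MAXUSER_ADDRESS)` is the right shape; a one-line `/* the popped return address becomes %rip; keep it in user space */` would tie it to the matching check in linux_sendsig() earlier in this commit. linux_usertrap() starts outside the hunk.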
CVS commit: [netbsd-6-0] src/sys/compat/common
Module Name:src Committed By: bouyer Date: Sat Aug 27 14:51:50 UTC 2016 Modified Files: src/sys/compat/common [netbsd-6-0]: vfs_syscalls_43.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1400): sys/compat/common/vfs_syscalls_43.c: revision 1.58 fill in the tv_nsec parts of the converted timespec in cvtstat(). To generate a diff of this commit: cvs rdiff -u -r1.54 -r1.54.20.1 src/sys/compat/common/vfs_syscalls_43.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/common/vfs_syscalls_43.c diff -u src/sys/compat/common/vfs_syscalls_43.c:1.54 src/sys/compat/common/vfs_syscalls_43.c:1.54.20.1 --- src/sys/compat/common/vfs_syscalls_43.c:1.54 Fri Nov 19 06:44:36 2010 +++ src/sys/compat/common/vfs_syscalls_43.c Sat Aug 27 14:51:50 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: vfs_syscalls_43.c,v 1.54 2010/11/19 06:44:36 dholland Exp $ */ +/* $NetBSD: vfs_syscalls_43.c,v 1.54.20.1 2016/08/27 14:51:50 bouyer Exp $ */ /* * Copyright (c) 1989, 1993 @@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_43.c,v 1.54 2010/11/19 06:44:36 dholland Exp $"); +__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_43.c,v 1.54.20.1 2016/08/27 14:51:50 bouyer Exp $"); #if defined(_KERNEL_OPT) #include "opt_compat_netbsd.h" 
@@ -72,15 +72,42 @@ __KERNEL_RCSID(0, "$NetBSD: vfs_syscalls #include +static void cvttimespec(struct timespec *, struct timespec50 *); static void cvtstat(struct stat *, struct stat43 *); /* + * Convert from an old to a new timespec structure. + */ +static void +cvttimespec(struct timespec *ts, struct timespec50 *ots) +{ + + if (ts->tv_sec > INT_MAX) { +#if defined(DEBUG) || 1 + static bool first = true; + + if (first) { + first = false; + printf("%s[%s:%d]: time_t does not fit\n", + __func__, curlwp->l_proc->p_comm, + curlwp->l_lid); + } +#endif + ots->tv_sec = INT_MAX; + } else + ots->tv_sec = ts->tv_sec; + ots->tv_nsec = ts->tv_nsec; +} + +/* * Convert from an old to a new stat structure. */ static void cvtstat(struct stat *st, struct stat43 *ost) { + /* Handle any padding. */ + memset(ost, 0, sizeof *ost); ost->st_dev = st->st_dev; ost->st_ino = st->st_ino; ost->st_mode = st->st_mode & 0x; @@ -92,9 +119,9 @@ cvtstat(struct stat *st, struct stat43 * ost->st_size = st->st_size; else ost->st_size = -2; - ost->st_atime = st->st_atime; - ost->st_mtime = st->st_mtime; - ost->st_ctime = st->st_ctime; + cvttimespec(>st_atimespec, >st_atimespec); + cvttimespec(>st_mtimespec, >st_mtimespec); + cvttimespec(>st_ctimespec, >st_ctimespec); ost->st_blksize = st->st_blksize; ost->st_blocks = st->st_blocks; ost->st_flags = st->st_flags;
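Review bot: The header comment on the new cvttimespec() reads `Convert from an old to a new timespec structure.` but the function goes the other way, native `struct timespec` into the 32-bit-time_t `struct timespec50`, and the existing cvtstat() comment has the same inversion (stat into stat43); I would write `/* Convert a native timespec to the old 32-bit-time_t timespec50; tv_sec is clamped to INT_MAX when it does not fit. */`. `#if defined(DEBUG) || 1` keeps the "time_t does not fit" printf compiled into every kernel, which looks like a leftover from testing; either drop the `|| 1` or replace the conditional with a comment stating the message is intentional. The clamp handles only the high side, so a tv_sec below INT_MIN, if any file system can produce one, is truncated silently; either a symmetric clamp or a `/* negative overflow is not expected here */` note. The `memset(ost, 0, sizeof *ost)` before the field copies is the right way to keep padding out of the copyout.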
CVS commit: [netbsd-6-0] src/sys/compat/netbsd32
Module Name:src Committed By: martin Date: Thu Apr 21 15:25:52 UTC 2016 Modified Files: src/sys/compat/netbsd32 [netbsd-6-0]: netbsd32_socket.c Log Message: Pull up following revision(s) (requested by christos in ticket #1378): sys/compat/netbsd32/netbsd32_socket.c: revision 1.42 Memory leak, triggerable from an unprivileged user. To generate a diff of this commit: cvs rdiff -u -r1.39.2.2 -r1.39.2.2.4.1 \ src/sys/compat/netbsd32/netbsd32_socket.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/netbsd32/netbsd32_socket.c diff -u src/sys/compat/netbsd32/netbsd32_socket.c:1.39.2.2 src/sys/compat/netbsd32/netbsd32_socket.c:1.39.2.2.4.1 --- src/sys/compat/netbsd32/netbsd32_socket.c:1.39.2.2 Sat Aug 18 22:01:40 2012 +++ src/sys/compat/netbsd32/netbsd32_socket.c Thu Apr 21 15:25:52 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: netbsd32_socket.c,v 1.39.2.2 2012/08/18 22:01:40 riz Exp $ */ +/* $NetBSD: netbsd32_socket.c,v 1.39.2.2.4.1 2016/04/21 15:25:52 martin Exp $ */ /* * Copyright (c) 1998, 2001 Matthew R. Green @@ -27,7 +27,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: netbsd32_socket.c,v 1.39.2.2 2012/08/18 22:01:40 riz Exp $"); +__KERNEL_RCSID(0, "$NetBSD: netbsd32_socket.c,v 1.39.2.2.4.1 2016/04/21 15:25:52 martin Exp $"); #include #include @@ -331,7 +331,7 @@ netbsd32_sendmsg(struct lwp *l, const st } */ struct msghdr msg; struct netbsd32_msghdr msg32; - struct iovec aiov[UIO_SMALLIOV], *iov; + struct iovec aiov[UIO_SMALLIOV], *iov = aiov; struct netbsd32_iovec *iov32; size_t iovsz; int error; @@ -346,6 +346,7 @@ netbsd32_sendmsg(struct lwp *l, const st error = copyin32_msg_control(l, ); if (error) return (error); + /* From here on, msg.msg_control is allocated */ } else { msg.msg_control = NULL; msg.msg_controllen = 0; 
@@ -353,23 +354,32 @@ netbsd32_sendmsg(struct lwp *l, const st
 iovsz = msg.msg_iovlen * sizeof(struct iovec);
 if ((u_int)msg.msg_iovlen > UIO_SMALLIOV) {
- if ((u_int)msg.msg_iovlen > IOV_MAX)
- return (EMSGSIZE);
+ if ((u_int)msg.msg_iovlen > IOV_MAX) {
+ error = EMSGSIZE;
+ goto out;
+ }
 iov = kmem_alloc(iovsz, KM_SLEEP);
- } else
- iov = aiov;
+ }
 iov32 = NETBSD32PTR64(msg32.msg_iov);
 error = netbsd32_to_iovecin(iov32, iov, msg.msg_iovlen);
 if (error)
- goto done;
+ goto out;
 msg.msg_iov = iov;
 error = do_sys_sendmsg(l, SCARG(uap, s), , SCARG(uap, flags), retval);
-done:
+ /* msg.msg_control freed by do_sys_sendmsg() */
+ if (iov != aiov)
 kmem_free(iov, iovsz);
 return (error);
+
+out:
+ if (iov != aiov)
+ kmem_free(iov, iovsz);
+ if (msg.msg_control)
+ m_free(msg.msg_control);
+ return error;
 }
 int
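Review bot: The success path and the new `out:` label each carry their own `if (iov != aiov) kmem_free(iov, iovsz);`, and the comment `msg.msg_control freed by do_sys_sendmsg()` is the only thing keeping the two cleanups from double-freeing the control mbuf; clearing `msg.msg_control` after the do_sys_sendmsg() call and falling into a single `out:` makes that structural rather than a convention. If copyin32_msg_control can ever hand back an mbuf chain, `m_free` releases only the first mbuf and the tail leaks — m_freem would be the conservative choice; the allocator is not visible from here. The function starts outside the hunk (the `iov = aiov` initialisation it relies on is in the `@@ -331` hunk above).
```c
	/* … unchanged: do_sys_sendmsg() call … */
	/* do_sys_sendmsg() consumed msg.msg_control on every path. */
	msg.msg_control = NULL;
out:
	if (iov != aiov)
		kmem_free(iov, iovsz);
	if (msg.msg_control != NULL)
		m_free(msg.msg_control);
	return error;
```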
CVS commit: [netbsd-6-0] src/sys/compat/linux/arch
Module Name:src Committed By: bouyer Date: Sun Nov 15 20:42:37 UTC 2015 Modified Files: src/sys/compat/linux/arch/arm [netbsd-6-0]: linux_ptrace.c src/sys/compat/linux/arch/i386 [netbsd-6-0]: linux_ptrace.c src/sys/compat/linux/arch/powerpc [netbsd-6-0]: linux_ptrace.c Log Message: Pull up following revision(s) (requested by pgoyette in ticket #1335): sys/compat/linux/arch/i386/linux_ptrace.c: revision 1.31 sys/compat/linux/arch/arm/linux_ptrace.c: revision 1.19 sys/compat/linux/arch/powerpc/linux_ptrace.c: revision 1.29 Don't release proc_lock until we're done looking at things that are protected by the lock, particularly p_stat and p_waited. Found by Robert Elz. XXX Pullup to NetBSD-7, -6, -6-0, and -6-1 To generate a diff of this commit: cvs rdiff -u -r1.16 -r1.16.18.1 src/sys/compat/linux/arch/arm/linux_ptrace.c cvs rdiff -u -r1.26 -r1.26.20.1 src/sys/compat/linux/arch/i386/linux_ptrace.c cvs rdiff -u -r1.23 -r1.23.20.1 \ src/sys/compat/linux/arch/powerpc/linux_ptrace.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/linux/arch/arm/linux_ptrace.c diff -u src/sys/compat/linux/arch/arm/linux_ptrace.c:1.16 src/sys/compat/linux/arch/arm/linux_ptrace.c:1.16.18.1 --- src/sys/compat/linux/arch/arm/linux_ptrace.c:1.16 Wed Jul 7 01:30:33 2010 +++ src/sys/compat/linux/arch/arm/linux_ptrace.c Sun Nov 15 20:42:36 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: linux_ptrace.c,v 1.16 2010/07/07 01:30:33 chs Exp $ */ +/* $NetBSD: linux_ptrace.c,v 1.16.18.1 2015/11/15 20:42:36 bouyer Exp $ */ /*- * Copyright (c) 1999 The NetBSD Foundation, Inc. @@ -31,7 +31,7 @@ #include -__KERNEL_RCSID(0, "$NetBSD: linux_ptrace.c,v 1.16 2010/07/07 01:30:33 chs Exp $"); +__KERNEL_RCSID(0, "$NetBSD: linux_ptrace.c,v 1.16.18.1 2015/11/15 20:42:36 bouyer Exp $"); #include #include 
@@ -140,7 +140,6 @@ linux_sys_ptrace_arch(struct lwp *l, con goto out; } mutex_enter(t->p_lock); - mutex_exit(proc_lock); /* * You cannot do what you want to the process if: @@ -148,6 +147,7 @@ linux_sys_ptrace_arch(struct lwp *l, con */ if (!ISSET(t->p_slflag, PSL_TRACED)) { mutex_exit(t->p_lock); + mutex_exit(proc_lock); error = EPERM; goto out; } @@ -160,9 +160,11 @@ linux_sys_ptrace_arch(struct lwp *l, con if (ISSET(t->p_slflag, PSL_FSTRACE) || t->p_pptr != p || t->p_stat != SSTOP || !t->p_waited) { mutex_exit(t->p_lock); + mutex_exit(proc_lock); error = EBUSY; goto out; } + mutex_exit(proc_lock); /* XXX: ptrace needs revamp for multi-threading support. */ if (t->p_nlwps > 1) { mutex_exit(t->p_lock); Index: src/sys/compat/linux/arch/i386/linux_ptrace.c diff -u src/sys/compat/linux/arch/i386/linux_ptrace.c:1.26 src/sys/compat/linux/arch/i386/linux_ptrace.c:1.26.20.1 --- src/sys/compat/linux/arch/i386/linux_ptrace.c:1.26 Wed Jul 7 01:30:34 2010 +++ src/sys/compat/linux/arch/i386/linux_ptrace.c Sun Nov 15 20:42:36 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: linux_ptrace.c,v 1.26 2010/07/07 01:30:34 chs Exp $ */ +/* $NetBSD: linux_ptrace.c,v 1.26.20.1 2015/11/15 20:42:36 bouyer Exp $ */ /*- * Copyright (c) 1999 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: linux_ptrace.c,v 1.26 2010/07/07 01:30:34 chs Exp $"); +__KERNEL_RCSID(0, "$NetBSD: linux_ptrace.c,v 1.26.20.1 2015/11/15 20:42:36 bouyer Exp $"); #include #include @@ -184,7 +184,6 @@ linux_sys_ptrace_arch(struct lwp *l, con return ESRCH; } mutex_enter(t->p_lock); - mutex_exit(proc_lock); /* * You cannot do what you want to the process if: @@ -192,6 +191,7 @@ linux_sys_ptrace_arch(struct lwp *l, con */ if (!ISSET(t->p_slflag, PSL_TRACED)) { mutex_exit(t->p_lock); + mutex_exit(proc_lock); error = EPERM; goto out; } 
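Review bot: Every early exit after `mutex_enter(t->p_lock)` now has to drop both locks by hand — `mutex_exit(t->p_lock); mutex_exit(proc_lock);` is repeated in the EPERM path of the `@@ -148` hunk and the EBUSY path of the `@@ -160` hunk, and again in the i386 (`@@ -192`, `@@ -204`) and powerpc copies; a single unlock label would make the pairing structural instead of something each new error path must remember. The new unconditional `mutex_exit(proc_lock)` in the `@@ -160` hunk deserves a one-line why-comment, e.g. `/* p_stat and p_waited have been read; proc_lock is no longer needed */`, since the whole point of the change is that proc_lock must be held until those fields are examined. linux_sys_ptrace_arch begins and ends outside these hunks, so the remaining exits past the `p_nlwps > 1` test should be checked for the same pattern.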
@@ -204,9 +204,11 @@ linux_sys_ptrace_arch(struct lwp *l, con if (ISSET(t->p_slflag, PSL_FSTRACE) || t->p_pptr != p || t->p_stat != SSTOP || !t->p_waited) { mutex_exit(t->p_lock); + mutex_exit(proc_lock); error = EBUSY; goto out; } + mutex_exit(proc_lock); /* XXX: ptrace needs revamp for multi-threading support. */ if (t->p_nlwps > 1) { mutex_exit(t->p_lock); Index: src/sys/compat/linux/arch/powerpc/linux_ptrace.c diff -u src/sys/compat/linux/arch/powerpc/linux_ptrace.c:1.23 src/sys/compat/linux/arch/powerpc/linux_ptrace.c:1.23.20.1 --- src/sys/compat/linux/arch/powerpc/linux_ptrace.c:1.23 Thu Jul 1 02:38:28 2010 +++ src/sys/compat/linux/arch/powerpc/linux_ptrace.c Sun Nov 15 20:42:36 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: linux_ptrace.c,v 1.23 2010/07/01 02:38:28 rmind Exp $ */ +/* $NetBSD: linux_ptrace.c,v 1.23.20.1 2015/11/15 20:42:36 bouyer Exp $ */ /*- * Copyright (c) 1999, 2001 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: linux_ptrace.c,v 1.23 2010/07/01 02:38:28 rmind Exp $"); +__KERNEL_RCSID(0,
CVS commit: [netbsd-6-0] src/sys/compat/osf1
Module Name:src Committed By: bouyer Date: Sun Nov 15 20:48:44 UTC 2015 Modified Files: src/sys/compat/osf1 [netbsd-6-0]: osf1_socket.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1338): sys/compat/osf1/osf1_socket.c: revision 1.21 easy kmem_alloc(0) ok shm@ To generate a diff of this commit: cvs rdiff -u -r1.20 -r1.20.20.1 src/sys/compat/osf1/osf1_socket.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/osf1/osf1_socket.c diff -u src/sys/compat/osf1/osf1_socket.c:1.20 src/sys/compat/osf1/osf1_socket.c:1.20.20.1 --- src/sys/compat/osf1/osf1_socket.c:1.20 Fri Apr 23 15:19:21 2010 +++ src/sys/compat/osf1/osf1_socket.c Sun Nov 15 20:48:44 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: osf1_socket.c,v 1.20 2010/04/23 15:19:21 rmind Exp $ */ +/* $NetBSD: osf1_socket.c,v 1.20.20.1 2015/11/15 20:48:44 bouyer Exp $ */ /* * Copyright (c) 1999 Christopher G. Demetriou. All rights reserved. @@ -58,7 +58,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: osf1_socket.c,v 1.20 2010/04/23 15:19:21 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: osf1_socket.c,v 1.20.20.1 2015/11/15 20:48:44 bouyer Exp $"); #include #include @@ -116,7 +116,7 @@ osf1_sys_sendmsg_xopen(struct lwp *l, co return (EINVAL); iov_len = bsd_msghdr.msg_iovlen; - if (iov_len > IOV_MAX) + if ((iov_len > IOV_MAX) || (iov_len == 0)) return EMSGSIZE; bsd_iovec = kmem_alloc(iov_len * sizeof(struct iovec), KM_SLEEP); bsd_msghdr.msg_iov = bsd_iovec;
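Review bot: The new `iov_len == 0` rejection is reported as EMSGSIZE, which a caller reads as "too many iovecs"; EINVAL matches the `return (EINVAL)` two lines above and describes an empty vector better. Whether `iov_len` is an unsigned type is not visible in the hunk: if it is signed, a negative msg_iovlen passes both comparisons and `iov_len * sizeof(struct iovec)` wraps in the kmem_alloc size, so either declare it unsigned or add `iov_len < 0` to the test. Suggest a comment on the check: `/* kmem_alloc(0) is not allowed; reject an empty iovec here */`. osf1_sys_sendmsg_xopen continues outside the hunk.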
CVS commit: [netbsd-6-0] src/sys/compat/netbsd32
Module Name:src Committed By: martin Date: Sun Aug 2 12:54:34 UTC 2015 Modified Files: src/sys/compat/netbsd32 [netbsd-6-0]: netbsd32_ioctl.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1318): sys/compat/netbsd32/netbsd32_ioctl.c: revision 1.82 Wrong logic. Here, userland can control the size and the data copied, which basically means it can overflow kernel memory. ok martin@ christos@ To generate a diff of this commit: cvs rdiff -u -r1.64 -r1.64.12.1 src/sys/compat/netbsd32/netbsd32_ioctl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/netbsd32/netbsd32_ioctl.c diff -u src/sys/compat/netbsd32/netbsd32_ioctl.c:1.64 src/sys/compat/netbsd32/netbsd32_ioctl.c:1.64.12.1 --- src/sys/compat/netbsd32/netbsd32_ioctl.c:1.64 Thu Oct 6 03:19:32 2011 +++ src/sys/compat/netbsd32/netbsd32_ioctl.c Sun Aug 2 12:54:34 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: netbsd32_ioctl.c,v 1.64 2011/10/06 03:19:32 macallan Exp $ */ +/* $NetBSD: netbsd32_ioctl.c,v 1.64.12.1 2015/08/02 12:54:34 martin Exp $ */ /* * Copyright (c) 1998, 2001 Matthew R. Green @@ -31,7 +31,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: netbsd32_ioctl.c,v 1.64 2011/10/06 03:19:32 macallan Exp $); +__KERNEL_RCSID(0, $NetBSD: netbsd32_ioctl.c,v 1.64.12.1 2015/08/02 12:54:34 martin Exp $); #include sys/param.h #include sys/systm.h @@ -192,7 +192,7 @@ netbsd32_to_if_addrprefreq(const struct strlcpy(ifap-ifap_name, ifap32-ifap_name, sizeof(ifap-ifap_name)); ifap-ifap_preference = ifap32-ifap_preference; memcpy(ifap-ifap_addr, ifap32-ifap_addr, - max(ifap32-ifap_addr.ss_len, _SS_MAXSIZE)); + min(ifap32-ifap_addr.ss_len, _SS_MAXSIZE)); } static inline void 
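Review bot: The copy length in netbsd32_to_if_addrprefreq is now bounded by `_SS_MAXSIZE`, a constant that is only correct while it equals `sizeof(ifap->ifap_addr)`; `min(ifap32->ifap_addr.ss_len, sizeof(ifap->ifap_addr))` ties the bound to the destination object and survives a change to the struct. The same applies to the `@@ -425` hunk in netbsd32_from_if_addrprefreq. `ss_len` comes from userland and decides how much of `ifap_addr` is written, so bytes beyond it keep whatever the destination held before — fine if the caller zero-initialises the struct, otherwise a `memset` here or a comment naming who clears it is warranted. (The `->` operators are missing in this rendering.)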
@@ -425,7 +425,7 @@ netbsd32_from_if_addrprefreq(const struc
 strlcpy(ifap32-ifap_name, ifap-ifap_name, sizeof(ifap32-ifap_name));
 ifap32-ifap_preference = ifap-ifap_preference;
 memcpy(ifap32-ifap_addr, ifap-ifap_addr,
- max(ifap-ifap_addr.ss_len, _SS_MAXSIZE));
+ min(ifap-ifap_addr.ss_len, _SS_MAXSIZE));
 }
 static inline void
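Review bot: In netbsd32_from_if_addrprefreq the copied length now follows `ifap->ifap_addr.ss_len`, so the tail of `ifap32->ifap_addr` beyond ss_len is left untouched; this 32-bit struct is presumably what is later copied out to userland, and unless the caller zeroes it first those bytes carry whatever was previously in that kernel memory. A `memset(&ifap32->ifap_addr, 0, sizeof(ifap32->ifap_addr));` before the memcpy, or a comment pointing at where the caller clears it, closes that. The bound itself is better written as `sizeof(ifap32->ifap_addr)` than as the `_SS_MAXSIZE` constant.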
CVS commit: [netbsd-6-0] src/sys/compat/netbsd32
Module Name:src Committed By: martin Date: Sun Dec 14 14:03:28 UTC 2014 Modified Files: src/sys/compat/netbsd32 [netbsd-6-0]: netbsd32_compat_30.c Log Message: Pull up revision 1.31, requested by maxv in #1209: Prevent a user-triggerable kmem_alloc(0). To generate a diff of this commit: cvs rdiff -u -r1.30 -r1.30.20.1 src/sys/compat/netbsd32/netbsd32_compat_30.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/netbsd32/netbsd32_compat_30.c diff -u src/sys/compat/netbsd32/netbsd32_compat_30.c:1.30 src/sys/compat/netbsd32/netbsd32_compat_30.c:1.30.20.1 --- src/sys/compat/netbsd32/netbsd32_compat_30.c:1.30 Fri Apr 23 15:19:20 2010 +++ src/sys/compat/netbsd32/netbsd32_compat_30.c Sun Dec 14 14:03:28 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: netbsd32_compat_30.c,v 1.30 2010/04/23 15:19:20 rmind Exp $ */ +/* $NetBSD: netbsd32_compat_30.c,v 1.30.20.1 2014/12/14 14:03:28 martin Exp $ */ /* * Copyright (c) 1998, 2001 Matthew R. Green @@ -27,7 +27,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: netbsd32_compat_30.c,v 1.30 2010/04/23 15:19:20 rmind Exp $); +__KERNEL_RCSID(0, $NetBSD: netbsd32_compat_30.c,v 1.30.20.1 2014/12/14 14:03:28 martin Exp $); #include sys/param.h #include sys/systm.h @@ -78,6 +78,9 @@ compat_30_netbsd32_getdents(struct lwp * error = EBADF; goto out; } + if (count == 0) + goto out; + buf = kmem_alloc(count, KM_SLEEP); error = vn_readdir(fp, buf, UIO_SYSSPACE, count, done, l, 0, 0); if (error == 0) {
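Review bot: The new `count == 0` shortcut jumps to `out:` after `fd_getvnode` has succeeded, so the label must release that file reference and should leave `*retval` at 0; neither is visible in the hunk, and the EBADF path above reaches the same label without holding a reference, so it is worth confirming `out:` handles both. If `count` is a signed type, a negative value should be rejected here as well, since it would otherwise flow into `kmem_alloc(count, KM_SLEEP)` as a huge size. A comment on the test, `/* kmem_alloc(0) is not allowed; an empty buffer reads nothing */`, records why the early exit exists. compat_30_netbsd32_getdents starts and ends outside the hunk.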
CVS commit: [netbsd-6-0] src/sys/compat/netbsd32
Module Name:src Committed By: msaitoh Date: Sun Nov 9 07:10:23 UTC 2014 Modified Files: src/sys/compat/netbsd32 [netbsd-6-0]: netbsd32_compat_50.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1179): sys/compat/netbsd32/netbsd32_compat_50.c: revision 1.28 fix multiple mistakes: - error from copyout was ignored - the wrong size was specified in copyin - missing locking. To generate a diff of this commit: cvs rdiff -u -r1.20.12.1 -r1.20.12.2 \ src/sys/compat/netbsd32/netbsd32_compat_50.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/netbsd32/netbsd32_compat_50.c diff -u src/sys/compat/netbsd32/netbsd32_compat_50.c:1.20.12.1 src/sys/compat/netbsd32/netbsd32_compat_50.c:1.20.12.2 --- src/sys/compat/netbsd32/netbsd32_compat_50.c:1.20.12.1 Mon Jun 30 12:10:25 2014 +++ src/sys/compat/netbsd32/netbsd32_compat_50.c Sun Nov 9 07:10:23 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: netbsd32_compat_50.c,v 1.20.12.1 2014/06/30 12:10:25 msaitoh Exp $ */ +/* $NetBSD: netbsd32_compat_50.c,v 1.20.12.2 2014/11/09 07:10:23 msaitoh Exp $ */ /*- * Copyright (c) 2008 The NetBSD Foundation, Inc. @@ -36,7 +36,7 @@ * POSSIBILITY OF SUCH DAMAGE. */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: netbsd32_compat_50.c,v 1.20.12.1 2014/06/30 12:10:25 msaitoh Exp $); +__KERNEL_RCSID(0, $NetBSD: netbsd32_compat_50.c,v 1.20.12.2 2014/11/09 07:10:23 msaitoh Exp $); #if defined(_KERNEL_OPT) #include opt_sysv.h 
@@ -248,30 +248,31 @@ compat_50_netbsd32_adjtime(struct lwp *l return (error); if (SCARG_P32(uap, olddelta)) { + mutex_spin_enter(timecounter_lock); atv.tv_sec = time_adjtime / 100; atv.tv_usec = time_adjtime % 100; if (atv.tv_usec 0) { atv.tv_usec += 100; atv.tv_sec--; } - (void) copyout(atv, - SCARG_P32(uap, olddelta), - sizeof(atv)); + mutex_spin_exit(timecounter_lock); + + error = copyout(atv, SCARG_P32(uap, olddelta), sizeof(atv)); if (error) return (error); } if (SCARG_P32(uap, delta)) { - error = copyin(SCARG_P32(uap, delta), atv, - sizeof(struct timeval)); + error = copyin(SCARG_P32(uap, delta), atv, sizeof(atv)); if (error) return (error); + mutex_spin_enter(timecounter_lock); time_adjtime = (int64_t)atv.tv_sec * 100 + atv.tv_usec; - if (time_adjtime) /* We need to save the system time during shutdown */ time_adjusted |= 1; + mutex_spin_exit(timecounter_lock); } return 0;
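Review bot: The division that fills `atv.tv_sec` from `time_adjtime` now runs under timecounter_lock, but the result is stored without a range check; if `atv` is a 32-bit compat timeval (its declaration is outside the hunk) a large adjustment is silently truncated, so either clamp it or note that time_adjtime is bounded where it is set. The critical section copies into locals and drops the lock before `copyout`, which is the right shape because copyout may sleep or fault; a comment above the first `mutex_spin_exit`, `/* never call copyout() with a spin mutex held */`, keeps a later edit from moving the copyout inside. The `atv.tv_usec < 0` fixup and the `<` in it are garbled in this rendering but read correctly in context. compat_50_netbsd32_adjtime begins outside the hunk.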
CVS commit: [netbsd-6-0] src/sys/compat/freebsd
Module Name:src Committed By: snj Date: Sun Oct 19 19:36:59 UTC 2014 Modified Files: src/sys/compat/freebsd [netbsd-6-0]: freebsd_sysctl.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1168): sys/compat/freebsd/freebsd_sysctl.c: revision 1.17 I'm not sure reading from an unsanitized userland pointer is a good idea. Some users might be tempted to give 0x01, in which case the kernel will crash. To generate a diff of this commit: cvs rdiff -u -r1.15 -r1.15.28.1 src/sys/compat/freebsd/freebsd_sysctl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/freebsd/freebsd_sysctl.c diff -u src/sys/compat/freebsd/freebsd_sysctl.c:1.15 src/sys/compat/freebsd/freebsd_sysctl.c:1.15.28.1 --- src/sys/compat/freebsd/freebsd_sysctl.c:1.15 Wed Nov 19 18:36:02 2008 +++ src/sys/compat/freebsd/freebsd_sysctl.c Sun Oct 19 19:36:59 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: freebsd_sysctl.c,v 1.15 2008/11/19 18:36:02 ad Exp $ */ +/* $NetBSD: freebsd_sysctl.c,v 1.15.28.1 2014/10/19 19:36:59 snj Exp $ */ /*- * Copyright (c) 2005 The NetBSD Foundation, Inc. @@ -31,7 +31,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: freebsd_sysctl.c,v 1.15 2008/11/19 18:36:02 ad Exp $); +__KERNEL_RCSID(0, $NetBSD: freebsd_sysctl.c,v 1.15.28.1 2014/10/19 19:36:59 snj Exp $); #include sys/param.h #include sys/systm.h @@ -95,7 +95,7 @@ freebsd_sys_sysctl(struct lwp *l, const } */ int error; int name[CTL_MAXNAME]; - size_t newlen, *oldlenp; + size_t newlen, *oldlenp, oldlen; u_int namelen; void *new, *old; 
@@ -146,9 +146,14 @@ freebsd_sys_sysctl(struct lwp *l, const old = SCARG(uap, old); oldlenp = SCARG(uap, oldlenp); - if (old == NULL || oldlenp == NULL || *oldlenp sizeof(int)) + if (old == NULL || oldlenp == NULL) return(EINVAL); + if ((error = copyin(oldlenp, oldlen, sizeof(oldlen + return (error); + if (oldlen sizeof(int)) + return (EINVAL); + if ((locnew = (char *) malloc(newlen + 1, M_TEMP, M_WAITOK)) == NULL) return(ENOMEM); @@ -168,11 +173,11 @@ freebsd_sys_sysctl(struct lwp *l, const oidlen *= sizeof(int); error = copyout(oid, SCARG(uap, old), -MIN(oidlen, *SCARG(uap, oldlenp))); +MIN(oidlen, oldlen)); if (error) return(error); ktrmibio(-1, UIO_READ, SCARG(uap, old), - MIN(oidlen, *SCARG(uap, oldlenp)), 0); + MIN(oidlen, oldlen), 0); error = copyout(oidlen, SCARG(uap, oldlenp), sizeof(u_int));
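Review bot: The final `copyout(&oidlen, SCARG(uap, oldlenp), sizeof(u_int))` in the `@@ -168` hunk writes a u_int through a pointer the new code has just read as a `size_t` via `copyin(oldlenp, &oldlen, sizeof(oldlen))`; on LP64 that updates only part of the user's length word, so store the value in `oldlen` and copy `sizeof(oldlen)` back, or make the two types agree. `malloc(newlen + 1, M_TEMP, M_WAITOK)` takes `newlen` straight from the caller with no bound visible in the hunk, and with M_WAITOK the kernel malloc does not return NULL, so the `== NULL` test is dead; a `newlen` limit before the allocation would be the real guard. Several operators (`<`, `&`, closing parentheses) are lost in this rendering of the copyin line. freebsd_sys_sysctl starts and ends outside the hunk.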
CVS commit: [netbsd-6-0] src/sys/compat/osf1
Module Name:src Committed By: msaitoh Date: Wed Aug 27 15:02:39 UTC 2014 Modified Files: src/sys/compat/osf1 [netbsd-6-0]: osf1_file.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1141): sys/compat/osf1/osf1_file.c: revision 1.42 Ensure nbytes 0. Otherwise bad things may happen. Compile-tested only. ok christos@ To generate a diff of this commit: cvs rdiff -u -r1.41 -r1.41.14.1 src/sys/compat/osf1/osf1_file.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/osf1/osf1_file.c diff -u src/sys/compat/osf1/osf1_file.c:1.41 src/sys/compat/osf1/osf1_file.c:1.41.14.1 --- src/sys/compat/osf1/osf1_file.c:1.41 Fri Jul 22 10:02:08 2011 +++ src/sys/compat/osf1/osf1_file.c Wed Aug 27 15:02:39 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: osf1_file.c,v 1.41 2011/07/22 10:02:08 njoly Exp $ */ +/* $NetBSD: osf1_file.c,v 1.41.14.1 2014/08/27 15:02:39 msaitoh Exp $ */ /* * Copyright (c) 1999 Christopher G. Demetriou. All rights reserved. @@ -58,7 +58,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: osf1_file.c,v 1.41 2011/07/22 10:02:08 njoly Exp $); +__KERNEL_RCSID(0, $NetBSD: osf1_file.c,v 1.41.14.1 2014/08/27 15:02:39 msaitoh Exp $); #if defined(_KERNEL_OPT) #include opt_syscall_debug.h @@ -133,7 +133,7 @@ osf1_sys_getdirentries(struct lwp *l, co /* { syscallarg(int) fd; syscallarg(char *) buf; - syscallarg(u_int) nbytes; + syscallarg(int) nbytes; syscallarg(long *) basep; } */ struct dirent *bdp; @@ -151,6 +151,11 @@ osf1_sys_getdirentries(struct lwp *l, co off_t *cookiebuf = NULL, *cookie; int ncookies, fd; + if (SCARG(uap, nbytes) 0) + return EINVAL; + if (SCARG(uap, nbytes) == 0) + return 0; + fd = SCARG(uap, fd); if ((error = fd_getvnode(fd, fp)) != 0) return (error);
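Review bot: The new `nbytes == 0` early return leaves `*basep` unwritten and the hunk does not show `*retval` being set, so a caller passing an empty buffer gets an unspecified base; copying the current offset out on that path, or documenting that basep is only valid when bytes are returned, makes the shortcut safe. Changing `syscallarg(u_int) nbytes` to `int` catches negative values, but a large positive one still flows into whatever allocation follows with no upper bound visible here — worth confirming one exists further down. Suggest a comment on the two checks: `/* reject negative sizes; an empty buffer would otherwise reach kmem_alloc(0) */`. osf1_sys_getdirentries continues outside the hunk (the `<` in the comparison is missing in this rendering).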
CVS commit: [netbsd-6-0] src/sys/compat
Module Name:src Committed By: msaitoh Date: Fri Aug 8 03:14:10 UTC 2014 Modified Files: src/sys/compat/linux/common [netbsd-6-0]: linux_socketcall.c src/sys/compat/linux32/common [netbsd-6-0]: linux32_socketcall.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1104): sys/compat/linux32/common/linux32_socketcall.c: revision 1.9 sys/compat/linux/common/linux_socketcall.c: revision 1.44 If SCARG(uap, what) = 0, copyin() will copy (size_t)-1 bytes, and it's not a good idea; but not proven harmful. With the help of njoly@ To generate a diff of this commit: cvs rdiff -u -r1.39 -r1.39.40.1 \ src/sys/compat/linux/common/linux_socketcall.c cvs rdiff -u -r1.7 -r1.7.26.1 \ src/sys/compat/linux32/common/linux32_socketcall.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/linux/common/linux_socketcall.c diff -u src/sys/compat/linux/common/linux_socketcall.c:1.39 src/sys/compat/linux/common/linux_socketcall.c:1.39.40.1 --- src/sys/compat/linux/common/linux_socketcall.c:1.39 Thu Jul 3 14:07:09 2008 +++ src/sys/compat/linux/common/linux_socketcall.c Fri Aug 8 03:14:10 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: linux_socketcall.c,v 1.39 2008/07/03 14:07:09 njoly Exp $ */ +/* $NetBSD: linux_socketcall.c,v 1.39.40.1 2014/08/08 03:14:10 msaitoh Exp $ */ /*- * Copyright (c) 1995, 1998 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: linux_socketcall.c,v 1.39 2008/07/03 14:07:09 njoly Exp $); +__KERNEL_RCSID(0, $NetBSD: linux_socketcall.c,v 1.39.40.1 2014/08/08 03:14:10 msaitoh Exp $); #include sys/param.h #include sys/kernel.h 
@@ -123,7 +123,7 @@ linux_sys_socketcall(struct lwp *l, cons
 struct linux_socketcall_dummy_args lda;
 int error;
- if (SCARG(uap, what) 0 || SCARG(uap, what) LINUX_MAX_SOCKETCALL)
+ if (SCARG(uap, what) = 0 || SCARG(uap, what) LINUX_MAX_SOCKETCALL)
 return ENOSYS;
 if ((error = copyin(SCARG(uap, args), lda,
Index: src/sys/compat/linux32/common/linux32_socketcall.c
diff -u src/sys/compat/linux32/common/linux32_socketcall.c:1.7 src/sys/compat/linux32/common/linux32_socketcall.c:1.7.26.1
--- src/sys/compat/linux32/common/linux32_socketcall.c:1.7 Wed Nov 19 18:36:04 2008
+++ src/sys/compat/linux32/common/linux32_socketcall.c Fri Aug 8 03:14:10 2014
@@ -1,4 +1,4 @@
-/* $NetBSD: linux32_socketcall.c,v 1.7 2008/11/19 18:36:04 ad Exp $ */
+/* $NetBSD: linux32_socketcall.c,v 1.7.26.1 2014/08/08 03:14:10 msaitoh Exp $ */
 /*-
 * Copyright (c) 2006 Emmanuel Dreyfus, all rights reserved.
@@ -31,7 +31,7 @@
 * POSSIBILITY OF SUCH DAMAGE.
 */
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: linux32_socketcall.c,v 1.7 2008/11/19 18:36:04 ad Exp $);
+__KERNEL_RCSID(0, $NetBSD: linux32_socketcall.c,v 1.7.26.1 2014/08/08 03:14:10 msaitoh Exp $);
 #include sys/types.h
 #include sys/param.h
@@ -96,7 +96,7 @@ linux32_sys_socketcall(struct lwp *l, co
 union linux32_socketcall_args ua;
 int error;
- if (SCARG(uap, what) 0 || SCARG(uap, what) LINUX32_MAX_SOCKETCALL)
+ if (SCARG(uap, what) = 0 || SCARG(uap, what) LINUX32_MAX_SOCKETCALL)
 return ENOSYS;
 if ((error = copyin(SCARG_P32(uap, args), ua,
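Review bot: The tightened test (`what <= 0`, with the `<` lost in this rendering) excludes index 0, but nothing in the code says why, and the only explanation is in the log message: a zero `what` makes the following copyin use a `(size_t)-1` length. A comment on the condition, `/* what is 1-based; 0 would yield a (size_t)-1 copyin length below */`, keeps the next editor from "correcting" it back to `< 0`. The same applies to the linux32_sys_socketcall hunk in this commit. Both functions continue outside their hunks, so the copyin length expression itself is not visible here.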
CVS commit: [netbsd-6-0] src/sys/compat/netbsd32
Module Name:src Committed By: msaitoh Date: Mon Jun 30 12:10:25 UTC 2014 Modified Files: src/sys/compat/netbsd32 [netbsd-6-0]: netbsd32_compat_50.c netbsd32_event.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1090): sys/compat/netbsd32/netbsd32_compat_50.c: revision 1.24 sys/compat/netbsd32/netbsd32_event.c: revision 1.11 Allocate directly KQ_NEVENTS bytes. Otherwise a user can panic the system. ok christos@ To generate a diff of this commit: cvs rdiff -u -r1.20 -r1.20.12.1 src/sys/compat/netbsd32/netbsd32_compat_50.c cvs rdiff -u -r1.9 -r1.9.16.1 src/sys/compat/netbsd32/netbsd32_event.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/netbsd32/netbsd32_compat_50.c diff -u src/sys/compat/netbsd32/netbsd32_compat_50.c:1.20 src/sys/compat/netbsd32/netbsd32_compat_50.c:1.20.12.1 --- src/sys/compat/netbsd32/netbsd32_compat_50.c:1.20 Fri Nov 18 03:34:13 2011 +++ src/sys/compat/netbsd32/netbsd32_compat_50.c Mon Jun 30 12:10:25 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: netbsd32_compat_50.c,v 1.20 2011/11/18 03:34:13 christos Exp $ */ +/* $NetBSD: netbsd32_compat_50.c,v 1.20.12.1 2014/06/30 12:10:25 msaitoh Exp $ */ /*- * Copyright (c) 2008 The NetBSD Foundation, Inc. @@ -36,7 +36,7 @@ * POSSIBILITY OF SUCH DAMAGE. */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: netbsd32_compat_50.c,v 1.20 2011/11/18 03:34:13 christos Exp $); +__KERNEL_RCSID(0, $NetBSD: netbsd32_compat_50.c,v 1.20.12.1 2014/06/30 12:10:25 msaitoh Exp $); #if defined(_KERNEL_OPT) #include opt_sysv.h 
@@ -631,7 +631,8 @@ compat_50_netbsd32_kevent(struct lwp *l, nchanges = SCARG(uap, nchanges); nevents = SCARG(uap, nevents); - maxalloc = MIN(KQ_NEVENTS, MAX(nchanges, nevents)); + maxalloc = KQ_NEVENTS; + netbsd32_kevent_ops.keo_private = kmem_alloc(maxalloc * sizeof(struct netbsd32_kevent), KM_SLEEP); Index: src/sys/compat/netbsd32/netbsd32_event.c diff -u src/sys/compat/netbsd32/netbsd32_event.c:1.9 src/sys/compat/netbsd32/netbsd32_event.c:1.9.16.1 --- src/sys/compat/netbsd32/netbsd32_event.c:1.9 Mon May 23 21:34:47 2011 +++ src/sys/compat/netbsd32/netbsd32_event.c Mon Jun 30 12:10:25 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: netbsd32_event.c,v 1.9 2011/05/23 21:34:47 joerg Exp $ */ +/* $NetBSD: netbsd32_event.c,v 1.9.16.1 2014/06/30 12:10:25 msaitoh Exp $ */ /* * Copyright (c) 2005 The NetBSD Foundation. @@ -27,7 +27,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: netbsd32_event.c,v 1.9 2011/05/23 21:34:47 joerg Exp $); +__KERNEL_RCSID(0, $NetBSD: netbsd32_event.c,v 1.9.16.1 2014/06/30 12:10:25 msaitoh Exp $); #include sys/types.h #include sys/param.h @@ -112,7 +112,8 @@ netbsd32___kevent50(struct lwp *l, nchanges = SCARG(uap, nchanges); nevents = SCARG(uap, nevents); - maxalloc = MIN(KQ_NEVENTS, MAX(nchanges, nevents)); + maxalloc = KQ_NEVENTS; + netbsd32_kevent_ops.keo_private = kmem_alloc(maxalloc * sizeof(struct netbsd32_kevent), KM_SLEEP);
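Review bot: With `maxalloc = KQ_NEVENTS` the allocation no longer depends on the request, so `nchanges` and `nevents` are read from uap only to be discarded unless they are used further down, outside the hunk; if they are not, they are dead stores. The `maxalloc` intermediate is now a constant, so either fold it into the call (`kmem_alloc(KQ_NEVENTS * sizeof(struct netbsd32_kevent), KM_SLEEP)`) or keep it with a comment giving the reason: `/* Fixed size: a zero-length request would otherwise reach kmem_alloc(0). */`. The matching kmem_free, which is outside the hunk, must use the same size. The same change appears in the netbsd32_event.c hunk.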
CVS commit: [netbsd-6-0] src/sys/compat/freebsd
Module Name:src Committed By: msaitoh Date: Thu Jun 26 04:01:32 UTC 2014 Modified Files: src/sys/compat/freebsd [netbsd-6-0]: freebsd_sched.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1086): sys/compat/freebsd/freebsd_sched.c 1.20-1.21 Avoid NULL dereference and fix sched param conversion (at least make it do something). Pointed out by Maxime Villard. Simplify and clarify. To generate a diff of this commit: cvs rdiff -u -r1.19 -r1.19.46.1 src/sys/compat/freebsd/freebsd_sched.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/freebsd/freebsd_sched.c diff -u src/sys/compat/freebsd/freebsd_sched.c:1.19 src/sys/compat/freebsd/freebsd_sched.c:1.19.46.1 --- src/sys/compat/freebsd/freebsd_sched.c:1.19 Mon Apr 28 20:23:41 2008 +++ src/sys/compat/freebsd/freebsd_sched.c Thu Jun 26 04:01:32 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: freebsd_sched.c,v 1.19 2008/04/28 20:23:41 martin Exp $ */ +/* $NetBSD: freebsd_sched.c,v 1.19.46.1 2014/06/26 04:01:32 msaitoh Exp $ */ /*- * Copyright (c) 1999 The NetBSD Foundation, Inc. @@ -35,7 +35,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: freebsd_sched.c,v 1.19 2008/04/28 20:23:41 martin Exp $); +__KERNEL_RCSID(0, $NetBSD: freebsd_sched.c,v 1.19.46.1 2014/06/26 04:01:32 msaitoh Exp $); #include sys/param.h #include sys/mount.h 
@@ -62,72 +62,72 @@ freebsd_sys_yield(struct lwp *l, const v */ static int sched_freebsd2native(int freebsd_policy, -struct freebsd_sched_param *freebsd_params, int *native_policy, +const struct freebsd_sched_param *freebsd_params, int *native_policy, struct sched_param *native_params) { - int error; - - error = 0; + int p; switch (freebsd_policy) { case FREEBSD_SCHED_OTHER: - *native_policy = SCHED_OTHER; + p = SCHED_OTHER; break; case FREEBSD_SCHED_FIFO: - *native_policy = SCHED_FIFO; + p = SCHED_FIFO; break; case FREEBSD_SCHED_RR: - *native_policy = SCHED_RR; + p = SCHED_RR; break; default: - error = EINVAL; - break; + return EINVAL; } - if (freebsd_params != NULL native_params != NULL !error) { - native_params = (struct sched_param *)freebsd_params; + if (native_policy != NULL) + *native_policy = p; + + if (freebsd_params != NULL native_params != NULL) { + /* XXX: Needs adjustment to do a proper conversion. */ + native_params-sched_priority = freebsd_params-sched_priority; } - - return (error); + return 0; } /* - * XXX: Needs adjustment to do a proper conversion. */ static int -sched_native2freebsd(int native_policy, struct sched_param *native_params, +sched_native2freebsd(int native_policy, const struct sched_param *native_params, int *freebsd_policy, struct freebsd_sched_param *freebsd_params) { - int error; - - error = 0; + int p; switch (native_policy) { case SCHED_OTHER: - *freebsd_policy = FREEBSD_SCHED_OTHER; + p = FREEBSD_SCHED_OTHER; break; case SCHED_FIFO: - *freebsd_policy = FREEBSD_SCHED_FIFO; + p = FREEBSD_SCHED_FIFO; break; case SCHED_RR: - *freebsd_policy = FREEBSD_SCHED_RR; + p = FREEBSD_SCHED_RR; break; default: - error = EINVAL; - break; + return EINVAL; } - if (native_params != NULL freebsd_params != NULL !error) { - freebsd_params = (struct freebsd_sched_param *)native_params; + if (freebsd_policy != NULL) + *freebsd_policy = p; + + if (native_params != NULL freebsd_params != NULL) { + /* XXX: Needs adjustment to do a proper conversion. 
*/ + freebsd_params-sched_priority = native_params-sched_priority; } - - return (error); + + return 0; } int @@ -199,7 +199,7 @@ freebsd_sys_sched_getparam(struct lwp *l goto out; out: - return (error); + return error; } int
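Review bot: In sched_freebsd2native the line `native_params->sched_priority = freebsd_params->sched_priority` copies a priority that presumably originates in userland without checking it against the native policy's range, and the `XXX: Needs adjustment` comment records that the mapping is known to be incomplete; if the native sched_setparam path does not validate the priority itself, this should at least bound it. Both converters now return EINVAL before writing through `*native_policy`/`*freebsd_policy`, which is an improvement, but the new `!= NULL` tests introduce a contract that the output pointers are optional — a one-line comment on each, `/* output pointers are optional */`, would document it. The `&&` operators and `->` are lost in this rendering of the hunk.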
CVS commit: [netbsd-6-0] src/sys/compat/common
Module Name:src Committed By: bouyer Date: Tue Dec 17 20:52:13 UTC 2013 Modified Files: src/sys/compat/common [netbsd-6-0]: compat_util.c Log Message: Pull up following revision(s) (requested by martin in ticket #999): sys/compat/common/compat_util.c: revision 1.45 Free pathbuf in an error path. From Maxime Villard. To generate a diff of this commit: cvs rdiff -u -r1.44 -r1.44.20.1 src/sys/compat/common/compat_util.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/common/compat_util.c diff -u src/sys/compat/common/compat_util.c:1.44 src/sys/compat/common/compat_util.c:1.44.20.1 --- src/sys/compat/common/compat_util.c:1.44 Fri Nov 19 06:44:35 2010 +++ src/sys/compat/common/compat_util.c Tue Dec 17 20:52:13 2013 @@ -1,4 +1,4 @@ -/* $NetBSD: compat_util.c,v 1.44 2010/11/19 06:44:35 dholland Exp $ */ +/* $NetBSD: compat_util.c,v 1.44.20.1 2013/12/17 20:52:13 bouyer Exp $ */ /*- * Copyright (c) 1994 The NetBSD Foundation, Inc. @@ -58,7 +58,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: compat_util.c,v 1.44 2010/11/19 06:44:35 dholland Exp $); +__KERNEL_RCSID(0, $NetBSD: compat_util.c,v 1.44.20.1 2013/12/17 20:52:13 bouyer Exp $); #include sys/param.h #include sys/systm.h @@ -139,6 +139,7 @@ emul_find_interp(struct lwp *l, struct e error = namei(nd); if (error != 0) { epp-ep_interp = NULL; + pathbuf_destroy(pb); return error; }
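Review bot: The added `pathbuf_destroy(pb)` fixes one early return, but emul_find_interp starts and ends outside the hunk, and any other `return error` between the allocation of `pb` and the normal teardown would leak the same way; worth auditing those and routing them through a single cleanup label rather than freeing at each site. A short comment on the new line, `/* pb is ours until the lookup succeeds; release it on this failure path */`, records the ownership for whoever adds the next error path.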
CVS commit: [netbsd-6-0] src/sys/compat/netbsd32
Module Name:src Committed By: riz Date: Fri Feb 8 20:46:01 UTC 2013 Modified Files: src/sys/compat/netbsd32 [netbsd-6-0]: netbsd32_execve.c Log Message: Pull up following revision(s) (requested by hannken in ticket #793): sys/compat/netbsd32/netbsd32_execve.c: revision 1.37 netbsd32_posix_spawn_fa_alloc: use the right length for path allocation. This error lead to memory pool corruption when freeing kmem with wrong size. To generate a diff of this commit: cvs rdiff -u -r1.33.2.1 -r1.33.2.1.4.1 \ src/sys/compat/netbsd32/netbsd32_execve.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/netbsd32/netbsd32_execve.c diff -u src/sys/compat/netbsd32/netbsd32_execve.c:1.33.2.1 src/sys/compat/netbsd32/netbsd32_execve.c:1.33.2.1.4.1 --- src/sys/compat/netbsd32/netbsd32_execve.c:1.33.2.1 Thu Apr 12 17:05:38 2012 +++ src/sys/compat/netbsd32/netbsd32_execve.c Fri Feb 8 20:46:01 2013 @@ -1,4 +1,4 @@ -/* $NetBSD: netbsd32_execve.c,v 1.33.2.1 2012/04/12 17:05:38 riz Exp $ */ +/* $NetBSD: netbsd32_execve.c,v 1.33.2.1.4.1 2013/02/08 20:46:01 riz Exp $ */ /* * Copyright (c) 1998, 2001 Matthew R. Green @@ -28,7 +28,7 @@ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: netbsd32_execve.c,v 1.33.2.1 2012/04/12 17:05:38 riz Exp $); +__KERNEL_RCSID(0, $NetBSD: netbsd32_execve.c,v 1.33.2.1.4.1 2013/02/08 20:46:01 riz Exp $); #include sys/param.h #include sys/systm.h @@ -141,7 +141,7 @@ netbsd32_posix_spawn_fa_alloc(struct pos MAXPATHLEN, slen); if (error) goto out; - fae-fae_path = kmem_alloc(fal, KM_SLEEP); + fae-fae_path = kmem_alloc(slen, KM_SLEEP); memcpy(fae-fae_path, pbuf, slen); fae-fae_oflag = f32-fae_oflag; fae-fae_mode = f32-fae_mode;
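Review bot: `kmem_alloc(slen, KM_SLEEP)` followed by `memcpy(fae->fae_path, pbuf, slen)` is only correct if `slen` from the copyinstr above includes the terminating NUL, since nothing else terminates `fae_path`; and, as the log message says, the free side must compute the identical length, which is outside the hunk. Suggest a comment on the allocation tying the two together: `/* slen includes the NUL; the free path must recompute exactly this length */`. `fal` no longer appears on this line, so check it is still used elsewhere in the function.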
CVS commit: [netbsd-6-0] src/sys/compat/netbsd32
Module Name:src Committed By: riz Date: Mon Dec 17 00:32:29 UTC 2012 Modified Files: src/sys/compat/netbsd32 [netbsd-6-0]: netbsd32_fs.c Log Message: Pull up following revision(s) (requested by matt in ticket #756): sys/compat/netbsd32/netbsd32_fs.c: revision 1.64 Fix inverted error check. To generate a diff of this commit: cvs rdiff -u -r1.62 -r1.62.6.1 src/sys/compat/netbsd32/netbsd32_fs.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/netbsd32/netbsd32_fs.c diff -u src/sys/compat/netbsd32/netbsd32_fs.c:1.62 src/sys/compat/netbsd32/netbsd32_fs.c:1.62.6.1 --- src/sys/compat/netbsd32/netbsd32_fs.c:1.62 Wed Jan 25 14:06:07 2012 +++ src/sys/compat/netbsd32/netbsd32_fs.c Mon Dec 17 00:32:29 2012 @@ -1,4 +1,4 @@ -/* $NetBSD: netbsd32_fs.c,v 1.62 2012/01/25 14:06:07 christos Exp $ */ +/* $NetBSD: netbsd32_fs.c,v 1.62.6.1 2012/12/17 00:32:29 riz Exp $ */ /* * Copyright (c) 1998, 2001 Matthew R. Green @@ -27,7 +27,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: netbsd32_fs.c,v 1.62 2012/01/25 14:06:07 christos Exp $); +__KERNEL_RCSID(0, $NetBSD: netbsd32_fs.c,v 1.62.6.1 2012/12/17 00:32:29 riz Exp $); #include sys/param.h #include sys/systm.h @@ -595,7 +595,7 @@ netbsd32___fhstat50(struct lwp *l, const int error; error = do_fhstat(l, SCARG_P32(uap, fhp), SCARG(uap, fh_size), sb); - if (error != 0) { + if (error == 0) { netbsd32_from_stat(sb, sb32); error = copyout(sb32, SCARG_P32(uap, sb), sizeof(sb)); }
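Review bot: With the condition fixed, the conversion and copyout run only on success, but the copyout length is `sizeof(sb)` — the native `struct stat` — while the object copied is `sb32`; if the 32-bit struct is smaller, this reads past `sb32` on the kernel stack and writes more bytes to the user buffer than the 32-bit ABI promises. `sizeof(sb32)` ties the length to the object actually being copied. The `&` operators are missing in this rendering, so read the calls as `netbsd32_from_stat(&sb, &sb32)` and `copyout(&sb32, …)`.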