CVS commit: [netbsd-6-0] src/sys/compat/linux32/arch/amd64

2017-09-09 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Sep  9 16:53:33 UTC 2017

Modified Files:
src/sys/compat/linux32/arch/amd64 [netbsd-6-0]: linux32_machdep.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1502):
sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.39
Fix a ring0 escalation vulnerability in compat_linux32 where the
index of %cs is controlled by userland, making it easy to trigger
the page fault and get kernel privileges.


To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.29.14.1 \
src/sys/compat/linux32/arch/amd64/linux32_machdep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/linux32/arch/amd64/linux32_machdep.c
diff -u src/sys/compat/linux32/arch/amd64/linux32_machdep.c:1.29 src/sys/compat/linux32/arch/amd64/linux32_machdep.c:1.29.14.1
--- src/sys/compat/linux32/arch/amd64/linux32_machdep.c:1.29	Fri Mar  4 22:25:31 2011
+++ src/sys/compat/linux32/arch/amd64/linux32_machdep.c	Sat Sep  9 16:53:33 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: linux32_machdep.c,v 1.29 2011/03/04 22:25:31 joerg Exp $ */
+/*	$NetBSD: linux32_machdep.c,v 1.29.14.1 2017/09/09 16:53:33 snj Exp $ */
 
 /*-
  * Copyright (c) 2006 Emmanuel Dreyfus, all rights reserved.
@@ -31,7 +31,7 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 #include 
-__KERNEL_RCSID(0, "$NetBSD: linux32_machdep.c,v 1.29 2011/03/04 22:25:31 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: linux32_machdep.c,v 1.29.14.1 2017/09/09 16:53:33 snj Exp $");
 
 #include 
 #include 
@@ -428,8 +428,9 @@ linux32_restore_sigcontext(struct lwp *l
 	/*
 	 * Check for security violations.
 	 */
-	if (((scp->sc_eflags ^ tf->tf_rflags) & PSL_USERSTATIC) != 0 ||
-	!USERMODE(scp->sc_cs, scp->sc_eflags))
+	if (((scp->sc_eflags ^ tf->tf_rflags) & PSL_USERSTATIC) != 0)
+		return EINVAL;
+	if (!VALID_USER_CSEL32(scp->sc_cs))
 		return EINVAL;
 
 	if (scp->sc_fs != 0 && !VALID_USER_DSEL32(scp->sc_fs) &&
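Review bot: The new `VALID_USER_CSEL32(scp->sc_cs)` test is the entire fix for the ring0 escalation the log describes, yet the only comment above it is the pre-existing `Check for security violations.`, so a reader will not see why %cs now has to be one fixed selector rather than anything the dropped `USERMODE()` test accepted. I would extend the comment on the new line: `/* %cs must be the 32-bit user code selector: a userland-chosen GDT/LDT index makes the return to userland fault with kernel privileges (ticket #1502). */` — the mechanism is taken from the commit message, not from code visible here. Note the two EINVAL returns could stay separate as written; splitting the eflags test from the selector test reads better than the old combined condition. linux32_restore_sigcontext starts above the hunk and the remaining segment-register checks (`sc_fs` onwards) continue below it.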



CVS commit: [netbsd-6-0] src/sys/compat/linux/common

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 05:03:57 UTC 2017

Modified Files:
src/sys/compat/linux/common [netbsd-6-0]: linux_time.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1489):
sys/compat/linux/common/linux_time.c: 1.38-1.39 via patch
Only let the superuser set the compat_linux timezone.
Not really keen to invent a new kauth cookie for this useless purpose.
From Ilja Van Sprundel.
--
Put suser check in the right function: settimeofday, not gettimeofday.
While here, remove wrong comment.
Noted by kre@.


To generate a diff of this commit:
cvs rdiff -u -r1.35 -r1.35.12.1 src/sys/compat/linux/common/linux_time.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/linux/common/linux_time.c
diff -u src/sys/compat/linux/common/linux_time.c:1.35 src/sys/compat/linux/common/linux_time.c:1.35.12.1
--- src/sys/compat/linux/common/linux_time.c:1.35	Fri Nov 18 04:07:44 2011
+++ src/sys/compat/linux/common/linux_time.c	Sat Aug 19 05:03:57 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: linux_time.c,v 1.35 2011/11/18 04:07:44 christos Exp $ */
+/*	$NetBSD: linux_time.c,v 1.35.12.1 2017/08/19 05:03:57 snj Exp $ */
 
 /*-
  * Copyright (c) 2001 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: linux_time.c,v 1.35 2011/11/18 04:07:44 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: linux_time.c,v 1.35.12.1 2017/08/19 05:03:57 snj Exp $");
 
 #include 
 #include 
@@ -109,11 +109,10 @@ linux_sys_settimeofday(struct lwp *l, co
 			return (error);
 	}
 
-	/*
-	 * If user is not the superuser, we returned
-	 * after the sys_settimeofday() call.
-	 */
 	if (SCARG(uap, tzp)) {
+		if (kauth_authorize_generic(kauth_cred_get(),
+			KAUTH_GENERIC_ISSUSER, NULL) != 0)
+			return (EPERM);
 		error = copyin(SCARG(uap, tzp), _sys_tz, sizeof(linux_sys_tz));
 		if (error)
 			return (error);
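Review bot: The new superuser gate maps every non-zero result of `kauth_authorize_generic()` to EPERM instead of propagating the authorizer's own return value, which is inconsistent with the rest of this function, where `copyin` and `sys_settimeofday` failures are returned verbatim as `error`; `if ((error = kauth_authorize_generic(kauth_cred_get(), KAUTH_GENERIC_ISSUSER, NULL)) != 0) return (error);` keeps the style and does not mask a secmodel that answers with something other than EPERM. A one-line comment on why the check lives here would replace the one the hunk removes: `/* The timezone is kept in a kernel-global (linux_sys_tz), so only the superuser may change it. */` — that the copyin target is a file-scope global is inferred from the `linux_sys_tz` name on the next line, which is partly garbled in this rendering. linux_sys_settimeofday begins above the hunk; the `tv` branch that precedes this one presumably relies on sys_settimeofday's own privilege check.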



CVS commit: [netbsd-6-0] src/sys/compat

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 04:19:56 UTC 2017

Modified Files:
src/sys/compat/common [netbsd-6-0]: vfs_syscalls_12.c vfs_syscalls_43.c
src/sys/compat/ibcs2 [netbsd-6-0]: ibcs2_misc.c
src/sys/compat/linux/common [netbsd-6-0]: linux_file64.c linux_misc.c
src/sys/compat/linux32/common [netbsd-6-0]: linux32_dirent.c
src/sys/compat/osf1 [netbsd-6-0]: osf1_file.c
src/sys/compat/sunos [netbsd-6-0]: sunos_misc.c
src/sys/compat/sunos32 [netbsd-6-0]: sunos32_misc.c
src/sys/compat/svr4 [netbsd-6-0]: svr4_misc.c
src/sys/compat/svr4_32 [netbsd-6-0]: svr4_32_misc.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1483):
sys/compat/common/vfs_syscalls_12.c: revision 1.34
sys/compat/svr4_32/svr4_32_misc.c: revision 1.78
sys/compat/sunos32/sunos32_misc.c: revision 1.78
sys/compat/linux/common/linux_misc.c: revision 1.239
sys/compat/osf1/osf1_file.c: revision 1.44
sys/compat/common/vfs_syscalls_43.c: revision 1.60
sys/compat/svr4/svr4_misc.c: revision 1.158
sys/compat/ibcs2/ibcs2_misc.c: revision 1.114
sys/compat/linux/common/linux_file64.c: revision 1.59
sys/compat/linux32/common/linux32_dirent.c: revision 1.18
sys/compat/sunos/sunos_misc.c: revision 1.171
Fail, don't panic, on bad dirents from file system.
Controllable via puffs from userland.
From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.29.18.1 -r1.29.18.2 src/sys/compat/common/vfs_syscalls_12.c
cvs rdiff -u -r1.54.20.2 -r1.54.20.3 src/sys/compat/common/vfs_syscalls_43.c
cvs rdiff -u -r1.111 -r1.111.20.1 src/sys/compat/ibcs2/ibcs2_misc.c
cvs rdiff -u -r1.53 -r1.53.14.1 src/sys/compat/linux/common/linux_file64.c
cvs rdiff -u -r1.219 -r1.219.14.1 src/sys/compat/linux/common/linux_misc.c
cvs rdiff -u -r1.13 -r1.13.14.1 \
src/sys/compat/linux32/common/linux32_dirent.c
cvs rdiff -u -r1.41.14.1 -r1.41.14.2 src/sys/compat/osf1/osf1_file.c
cvs rdiff -u -r1.168 -r1.168.20.1 src/sys/compat/sunos/sunos_misc.c
cvs rdiff -u -r1.74 -r1.74.8.1 src/sys/compat/sunos32/sunos32_misc.c
cvs rdiff -u -r1.155 -r1.155.14.1 src/sys/compat/svr4/svr4_misc.c
cvs rdiff -u -r1.74 -r1.74.14.1 src/sys/compat/svr4_32/svr4_32_misc.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/common/vfs_syscalls_12.c
diff -u src/sys/compat/common/vfs_syscalls_12.c:1.29.18.1 src/sys/compat/common/vfs_syscalls_12.c:1.29.18.2
--- src/sys/compat/common/vfs_syscalls_12.c:1.29.18.1	Sat Aug 12 16:20:59 2017
+++ src/sys/compat/common/vfs_syscalls_12.c	Sat Aug 19 04:19:55 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: vfs_syscalls_12.c,v 1.29.18.1 2017/08/12 16:20:59 snj Exp $	*/
+/*	$NetBSD: vfs_syscalls_12.c,v 1.29.18.2 2017/08/19 04:19:55 snj Exp $	*/
 
 /*
  * Copyright (c) 1989, 1993
@@ -37,7 +37,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_12.c,v 1.29.18.1 2017/08/12 16:20:59 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_12.c,v 1.29.18.2 2017/08/19 04:19:55 snj Exp $");
 
 #include 
 #include 
@@ -171,8 +171,10 @@ again:
 	for (cookie = cookiebuf; len > 0; len -= reclen) {
 		bdp = (struct dirent *)inp;
 		reclen = bdp->d_reclen;
-		if (reclen & 3)
-			panic(__func__);
+		if (reclen & 3) {
+			error = EIO;
+			goto out;
+		}
 		if (bdp->d_fileno == 0) {
 			inp += reclen;	/* it is a hole; squish it out */
 			if (cookie)
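Review bot: Replacing the panic with EIO only covers a misaligned `d_reclen`; a `d_reclen` of 0 is 4-byte aligned and still accepted, and for a hole (`d_fileno == 0`, just below) the loop then executes `inp += reclen; continue;` without advancing, so a puffs server that returns one zero-length record hangs the calling thread — the same userland-controllable failure the ticket is about, just no longer a panic. A record shorter than the fixed dirent header is accepted too, after which `bdp->d_namlen` is read from whatever bytes follow. I would widen the guard to `if ((reclen & 3) || reclen < _DIRENT_MINSIZE(bdp) || reclen < _DIRENT_RECLEN(bdp, bdp->d_namlen)) { error = EIO; goto out; }` so the record is non-empty and the name lies inside it — confirm the macro names against this tree's <sys/dirent.h>. Whether the `out` label releases the temporary buffer, and the rest of the loop body, are outside the hunk.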

Index: src/sys/compat/common/vfs_syscalls_43.c
diff -u src/sys/compat/common/vfs_syscalls_43.c:1.54.20.2 src/sys/compat/common/vfs_syscalls_43.c:1.54.20.3
--- src/sys/compat/common/vfs_syscalls_43.c:1.54.20.2	Sat Aug 12 16:20:59 2017
+++ src/sys/compat/common/vfs_syscalls_43.c	Sat Aug 19 04:19:55 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: vfs_syscalls_43.c,v 1.54.20.2 2017/08/12 16:20:59 snj Exp $	*/
+/*	$NetBSD: vfs_syscalls_43.c,v 1.54.20.3 2017/08/19 04:19:55 snj Exp $	*/
 
 /*
  * Copyright (c) 1989, 1993
@@ -37,7 +37,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_43.c,v 1.54.20.2 2017/08/12 16:20:59 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_43.c,v 1.54.20.3 2017/08/19 04:19:55 snj Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_compat_netbsd.h"
@@ -448,8 +448,10 @@ again:
 	for (cookie = cookiebuf; len > 0; len -= reclen) {
 		bdp = (struct dirent *)inp;
 		reclen = bdp->d_reclen;
-		if (reclen & 3)
-			panic(__func__);
+		if (reclen & 3) {
+			error = EIO;
+			goto out;
+		}
 		if (bdp->d_fileno == 0) {
 			inp += reclen;	/* it is a hole; squish it out */
 			if (cookie)
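Review bot: The new EIO branch rejects a misaligned record but not an empty one: `reclen == 0` passes `reclen & 3`, and the hole case right below it advances `inp` by zero and `continue`s, so a filesystem (puffs-backed from userland, per the log) that returns a zero-length dirent leaves this loop spinning forever. The guard should also enforce a minimum record size that covers the name, e.g. `if ((reclen & 3) || reclen < _DIRENT_RECLEN(bdp, bdp->d_namlen)) { error = EIO; goto out; }` — the exact minimum-size macro available here should be checked against <sys/dirent.h>. The loop and the `out` label continue outside the hunk.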

Index: src/sys/compat/ibcs2/ibcs2_misc.c
diff -u src/sys/compat/ibcs2/ibcs2_misc.c:1.111 src/sys/compat/ibcs2/ibcs2_misc.c:1.111.20.1
--- src/sys/compat/ibcs2/ibcs2_misc.c:1.111	Thu Jun 24 13:03:06 2010
+++ src/sys/compat/ibcs2/ibcs2_misc.c	Sat Aug 19 04:19:55 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ibcs2_misc.c,v 1.111 2010/06/24 

CVS commit: [netbsd-6-0] src/sys/compat/ibcs2

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 04:13:48 UTC 2017

Modified Files:
src/sys/compat/ibcs2 [netbsd-6-0]: ibcs2_exec_coff.c ibcs2_ioctl.c
ibcs2_stat.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1481):
sys/compat/ibcs2/ibcs2_exec_coff.c: 1.27-1.29
sys/compat/ibcs2/ibcs2_ioctl.c: 1.46
sys/compat/ibcs2/ibcs2_stat.c: 1.49-1.50
Check for NUL termination within the buffer we have.
From Ilja Van Sprundel.
--
Make sure we have enough space in the buffer before reading it.
From Ilja Van Sprundel.
--
Make sure we move forward over the buffer.
From Ilja Van Sprundel.
--
Zero buffers in ibcs2 ioctl to avoid disclosing stack to userland.
From Ilja Van Sprundel.
--
Don't drop vnode ref until we're done with mount in ibcs2_stat(v)fs.
Nothing else guarantees the mount will stick around.
From Ilja Van Sprundel.
--
Little happy on the commit trigger.  Actually use the out label.


To generate a diff of this commit:
cvs rdiff -u -r1.25 -r1.25.20.1 src/sys/compat/ibcs2/ibcs2_exec_coff.c
cvs rdiff -u -r1.45 -r1.45.42.1 src/sys/compat/ibcs2/ibcs2_ioctl.c
cvs rdiff -u -r1.47 -r1.47.24.1 src/sys/compat/ibcs2/ibcs2_stat.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/ibcs2/ibcs2_exec_coff.c
diff -u src/sys/compat/ibcs2/ibcs2_exec_coff.c:1.25 src/sys/compat/ibcs2/ibcs2_exec_coff.c:1.25.20.1
--- src/sys/compat/ibcs2/ibcs2_exec_coff.c:1.25	Thu Jul 22 03:19:02 2010
+++ src/sys/compat/ibcs2/ibcs2_exec_coff.c	Sat Aug 19 04:13:48 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ibcs2_exec_coff.c,v 1.25 2010/07/22 03:19:02 christos Exp $	*/
+/*	$NetBSD: ibcs2_exec_coff.c,v 1.25.20.1 2017/08/19 04:13:48 snj Exp $	*/
 
 /*
  * Copyright (c) 1994, 1995, 1998 Scott Bartram
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ibcs2_exec_coff.c,v 1.25 2010/07/22 03:19:02 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ibcs2_exec_coff.c,v 1.25.20.1 2017/08/19 04:13:48 snj Exp $");
 
 #include 
 #include 
@@ -454,6 +454,10 @@ exec_ibcs2_coff_prep_zmagic(struct lwp *
 		}
 		bufp = tbuf;
 		while (len) {
+			if (len < sizeof(struct coff_slhdr)) {
+free(tbuf, M_TEMP);
+return ENOEXEC;
+			}
 			slhdr = (struct coff_slhdr *)bufp;
 
 			if (slhdr->path_index > LONG_MAX / sizeof(long) ||
@@ -465,7 +469,9 @@ exec_ibcs2_coff_prep_zmagic(struct lwp *
 			path_index = slhdr->path_index * sizeof(long);
 			entry_len = slhdr->entry_len * sizeof(long);
 
-			if (entry_len > len) {
+			if (entry_len < sizeof(struct coff_slhdr) ||
+			entry_len > len ||
+			strnlen(slhdr->sl_name, entry_len) == entry_len) {
 free(tbuf, M_TEMP);
 return ENOEXEC;
 			}
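Review bot: The new NUL-termination test bounds `strnlen()` by `entry_len` counted from `sl_name`, but `entry_len` (computed two lines above) is the size of the whole entry measured from `slhdr`, so the scan may run `offsetof(struct coff_slhdr, sl_name)` bytes beyond this entry — for the last entry that is beyond the `len` bytes the `entry_len > len` test vouches for, i.e. an over-read of `tbuf`, and a NUL found in the next entry's header would also wrongly pass the check. Assuming `sl_name` is the trailing member of the struct (the new `entry_len < sizeof(struct coff_slhdr)` guard in the previous hunk suggests so), bound the scan to the name area only: `size_t namelen = entry_len - offsetof(struct coff_slhdr, sl_name);` and `strnlen(slhdr->sl_name, namelen) == namelen`. This is the third copy of `free(tbuf, M_TEMP); return ENOEXEC;` in the loop; a single `bad:` label would keep the cleanup in one place. exec_ibcs2_coff_prep_zmagic and the loop continue on both sides of the hunk.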

Index: src/sys/compat/ibcs2/ibcs2_ioctl.c
diff -u src/sys/compat/ibcs2/ibcs2_ioctl.c:1.45 src/sys/compat/ibcs2/ibcs2_ioctl.c:1.45.42.1
--- src/sys/compat/ibcs2/ibcs2_ioctl.c:1.45	Tue Jun 24 10:03:17 2008
+++ src/sys/compat/ibcs2/ibcs2_ioctl.c	Sat Aug 19 04:13:48 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ibcs2_ioctl.c,v 1.45 2008/06/24 10:03:17 gmcgarry Exp $	*/
+/*	$NetBSD: ibcs2_ioctl.c,v 1.45.42.1 2017/08/19 04:13:48 snj Exp $	*/
 
 /*
  * Copyright (c) 1994, 1995 Scott Bartram
@@ -27,7 +27,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ibcs2_ioctl.c,v 1.45 2008/06/24 10:03:17 gmcgarry Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ibcs2_ioctl.c,v 1.45.42.1 2017/08/19 04:13:48 snj Exp $");
 
 #include 
 #include 
@@ -402,8 +402,10 @@ ibcs2_sys_ioctl(struct lwp *l, const str
 		if ((error = (*ctl)(fp, TIOCGETA, )) != 0)
 			goto out;
 
+		memset(, 0, sizeof(sts));
 		btios2stios(, );
 		if (SCARG(uap, cmd) == IBCS2_TCGETA) {
+			memset(, 0, sizeof(st));
 			stios2stio(, );
 			error = copyout(, SCARG(uap, data), sizeof(st));
 			if (error)
@@ -559,6 +561,7 @@ ibcs2_sys_gtty(struct lwp *l, const stru
 
 	fd_putfile(SCARG(uap, fd));
 
+	memset(, 0, sizeof(itb));
 	itb.sg_ispeed = tb.sg_ispeed;
 	itb.sg_ospeed = tb.sg_ospeed;
 	itb.sg_erase = tb.sg_erase;

Index: src/sys/compat/ibcs2/ibcs2_stat.c
diff -u src/sys/compat/ibcs2/ibcs2_stat.c:1.47 src/sys/compat/ibcs2/ibcs2_stat.c:1.47.24.1
--- src/sys/compat/ibcs2/ibcs2_stat.c:1.47	Mon Jun 29 05:08:16 2009
+++ src/sys/compat/ibcs2/ibcs2_stat.c	Sat Aug 19 04:13:48 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ibcs2_stat.c,v 1.47 2009/06/29 05:08:16 dholland Exp $	*/
+/*	$NetBSD: ibcs2_stat.c,v 1.47.24.1 2017/08/19 04:13:48 snj Exp $	*/
 /*
  * Copyright (c) 1995, 1998 Scott Bartram
  * All rights reserved.
@@ -27,7 +27,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ibcs2_stat.c,v 1.47 2009/06/29 05:08:16 dholland Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ibcs2_stat.c,v 1.47.24.1 2017/08/19 04:13:48 snj Exp $");
 
 #include 
 #include 
@@ -147,11 +147,13 @@ ibcs2_sys_statfs(struct lwp *l, const st
 		return (error);
 	mp = vp->v_mount;
 	sp = >mnt_stat;
-	vrele(vp);
 	if ((error = VFS_STATVFS(mp, sp)) != 0)
-		return (error);
+		goto out;
 	sp->f_flag = 

CVS commit: [netbsd-6-0] src/sys/compat/svr4_32

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 04:01:28 UTC 2017

Modified Files:
src/sys/compat/svr4_32 [netbsd-6-0]: svr4_32_signal.c

Log Message:
Pull up following revision(s) (requested by martin in ticket #1481):
sys/compat/svr4_32/svr4_32_signal.c: 1.30
make it compile again.


To generate a diff of this commit:
cvs rdiff -u -r1.26.46.1 -r1.26.46.2 src/sys/compat/svr4_32/svr4_32_signal.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/svr4_32/svr4_32_signal.c
diff -u src/sys/compat/svr4_32/svr4_32_signal.c:1.26.46.1 src/sys/compat/svr4_32/svr4_32_signal.c:1.26.46.2
--- src/sys/compat/svr4_32/svr4_32_signal.c:1.26.46.1	Sat Aug 19 03:40:46 2017
+++ src/sys/compat/svr4_32/svr4_32_signal.c	Sat Aug 19 04:01:28 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: svr4_32_signal.c,v 1.26.46.1 2017/08/19 03:40:46 snj Exp $	 */
+/*	$NetBSD: svr4_32_signal.c,v 1.26.46.2 2017/08/19 04:01:28 snj Exp $	 */
 
 /*-
  * Copyright (c) 1994, 1998 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: svr4_32_signal.c,v 1.26.46.1 2017/08/19 03:40:46 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: svr4_32_signal.c,v 1.26.46.2 2017/08/19 04:01:28 snj Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_compat_svr4.h"
@@ -397,16 +397,16 @@ svr4_32_sys_signal(struct lwp *l, const 
 		nbsa.sa_handler = (sig_t)SCARG(uap, handler);
 		sigemptyset(_mask);
 		nbsa.sa_flags = 0;
-		error = sigaction1(l, signum, , , NULL, 0);
+		error = sigaction1(l, native_signo, , , NULL, 0);
 		if (error)
-			return (error);
+			return error;
 		*retval = (u_int)(u_long)obsa.sa_handler;
-		return (0);
+		return 0;
 
 	case SVR4_SIGHOLD_MASK:
 	sighold:
 		sigemptyset();
-		sigaddset(, signum);
+		sigaddset(, native_signo);
 		mutex_enter(p->p_lock);
 		error = sigprocmask1(l, SIG_BLOCK, , 0);
 		mutex_exit(p->p_lock);
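Review bot: `sigaddset(&ss, native_signo)` on the new line under `sighold:` assumes `native_signo` is already a valid native signal number, but the decode that produces it is outside this hunk and the kernel `sigaddset()` is, as far as I know, the unchecked `__sigaddset` bit-set macro; if the SVR4-to-native table maps unsupported SVR4 signals to 0 (the usual convention, I cannot see the table from here), a 0 indexes `__bits[(0u - 1) >> 5]`, far outside the sigset. The SIGDEFER path is safe because `sigaction1()` validates its signum itself; the HOLD/RELSE/PAUSE paths use the mask macros directly. I would add `if (native_signo <= 0 || native_signo >= NSIG) return EINVAL;` right after the decode call, or make the decoder refuse a zero mapping. svr4_32_sys_signal begins above the hunk.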
@@ -414,7 +414,7 @@ svr4_32_sys_signal(struct lwp *l, const 
 
 	case SVR4_SIGRELSE_MASK:
 		sigemptyset();
-		sigaddset(, signum);
+		sigaddset(, native_signo);
 		mutex_enter(p->p_lock);
 		error = sigprocmask1(l, SIG_UNBLOCK, , 0);
 		mutex_exit(p->p_lock);
@@ -424,17 +424,17 @@ svr4_32_sys_signal(struct lwp *l, const 
 		nbsa.sa_handler = SIG_IGN;
 		sigemptyset(_mask);
 		nbsa.sa_flags = 0;
-		return (sigaction1(l, signum, , 0, NULL, 0));
+		return sigaction1(l, native_signo, , 0, NULL, 0);
 
 	case SVR4_SIGPAUSE_MASK:
 		mutex_enter(p->p_lock);
 		ss = l->l_sigmask;
 		mutex_exit(p->p_lock);
-		sigdelset(, signum);
-		return (sigsuspend1(l, ));
+		sigdelset(, native_signo);
+		return sigsuspend1(l, );
 
 	default:
-		return (ENOSYS);
+		return ENOSYS;
 	}
 }
 



CVS commit: [netbsd-6-0] src/sys/compat

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 03:40:46 UTC 2017

Modified Files:
src/sys/compat/svr4 [netbsd-6-0]: svr4_lwp.c svr4_signal.c
svr4_stream.c
src/sys/compat/svr4_32 [netbsd-6-0]: svr4_32_signal.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1479):
sys/compat/svr4/svr4_lwp.c: 1.20
sys/compat/svr4/svr4_signal.c: 1.67
sys/compat/svr4/svr4_stream.c: 1.89-1.91 via patch
sys/compat/svr4_32/svr4_32_signal.c: 1.29
Fix some of the multitudinous holes in svr4 streams.
We should never have enabled this by default; it is a minefield.
From Ilja Van Sprundel.
--
Zero stack data before copyout.
From Ilja Van Sprundel.
--
Fix indexing of svr4 signals.
From Ilja Van Sprundel.
--
Feebly attempt to get this reference counting less bad.
This svr4 streams code is bad and it should feel bad.
From Ilja Van Sprundel.
--
Check bounds in svr4_sys_putmsg.  Check more svr4_strmcmd bounds.
svr4 streams code is still a disaster.
From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.19 -r1.19.24.1 src/sys/compat/svr4/svr4_lwp.c
cvs rdiff -u -r1.65 -r1.65.16.1 src/sys/compat/svr4/svr4_signal.c
cvs rdiff -u -r1.79 -r1.79.14.1 src/sys/compat/svr4/svr4_stream.c
cvs rdiff -u -r1.26 -r1.26.46.1 src/sys/compat/svr4_32/svr4_32_signal.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/svr4/svr4_lwp.c
diff -u src/sys/compat/svr4/svr4_lwp.c:1.19 src/sys/compat/svr4/svr4_lwp.c:1.19.24.1
--- src/sys/compat/svr4/svr4_lwp.c:1.19	Mon Nov 23 00:46:07 2009
+++ src/sys/compat/svr4/svr4_lwp.c	Sat Aug 19 03:40:46 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: svr4_lwp.c,v 1.19 2009/11/23 00:46:07 rmind Exp $	*/
+/*	$NetBSD: svr4_lwp.c,v 1.19.24.1 2017/08/19 03:40:46 snj Exp $	*/
 
 /*-
  * Copyright (c) 1999 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: svr4_lwp.c,v 1.19 2009/11/23 00:46:07 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: svr4_lwp.c,v 1.19.24.1 2017/08/19 03:40:46 snj Exp $");
 
 #include 
 #include 
@@ -108,6 +108,8 @@ svr4_sys__lwp_info(struct lwp *l, const 
 	struct svr4_lwpinfo lwpinfo;
 	int error;
 
+	memset(, 0, sizeof(lwpinfo));
+
 	/* XXX NJWLWP */
 	TIMEVAL_TO_TIMESPEC(>l_proc->p_stats->p_ru.ru_stime, _stime);
 	TIMEVAL_TO_TIMESPEC(>l_proc->p_stats->p_ru.ru_utime, _utime);

Index: src/sys/compat/svr4/svr4_signal.c
diff -u src/sys/compat/svr4/svr4_signal.c:1.65 src/sys/compat/svr4/svr4_signal.c:1.65.16.1
--- src/sys/compat/svr4/svr4_signal.c:1.65	Thu Feb  3 21:45:31 2011
+++ src/sys/compat/svr4/svr4_signal.c	Sat Aug 19 03:40:46 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: svr4_signal.c,v 1.65 2011/02/03 21:45:31 joerg Exp $	 */
+/*	$NetBSD: svr4_signal.c,v 1.65.16.1 2017/08/19 03:40:46 snj Exp $	 */
 
 /*-
  * Copyright (c) 1994, 1998 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: svr4_signal.c,v 1.65 2011/02/03 21:45:31 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: svr4_signal.c,v 1.65.16.1 2017/08/19 03:40:46 snj Exp $");
 
 #include 
 #include 
@@ -73,6 +73,21 @@ void native_to_svr4_sigaction(const stru
 extern const int native_to_svr4_signo[];
 extern const int svr4_to_native_signo[];
 
+static int
+svr4_decode_signum(int signum, int *native_signo, int *sigcall)
+{
+
+	if (SVR4_SIGNO(signum) >= SVR4_NSIG)
+		return EINVAL;
+
+	if (native_signo)
+		*native_signo = svr4_to_native_signo[SVR4_SIGNO(signum)];
+	if (sigcall)
+		*sigcall = SVR4_SIGCALL(signum);
+
+	return 0;
+}
+
 static inline void
 svr4_sigfillset(svr4_sigset_t *s)
 {
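Review bot: svr4_decode_signum() rejects only `SVR4_SIGNO(signum) >= SVR4_NSIG`, so SVR4 signal 0 — and any SVR4 signal the table maps to native 0, if unsupported entries follow the usual zero convention — is returned as `*native_signo == 0` with a success status. The svr4_sys_signal hunk further down replaces its old `signum <= 0 || signum >= SVR4_NSIG` test on the native number with this call, so that lower bound is lost, and the SIGHOLD/SIGRELSE/SIGPAUSE cases there pass the value straight to the sigset macros. Suggest `if (SVR4_SIGNO(signum) == 0 || SVR4_SIGNO(signum) >= SVR4_NSIG) return EINVAL;` plus, after the table lookup, `if (*native_signo <= 0 || *native_signo >= NSIG) return EINVAL;` when `native_signo` was requested. The function also deserves a header comment: `/* Split an SVR4 signum into the native signal number and the SVR4_SIGCALL() operation; EINVAL if the signal is out of range. */`.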
@@ -174,6 +189,7 @@ svr4_sys_sigaction(struct lwp *l, const 
 	} */
 	struct svr4_sigaction nssa, ossa;
 	struct sigaction nbsa, obsa;
+	int native_signo;
 	int error;
 
 	if (SCARG(uap, nsa)) {
@@ -182,7 +198,12 @@ svr4_sys_sigaction(struct lwp *l, const 
 			return (error);
 		svr4_to_native_sigaction(, );
 	}
-	error = sigaction1(l, svr4_to_native_signo[SVR4_SIGNO(SCARG(uap, signum))],
+
+	error = svr4_decode_signum(SCARG(uap, signum), _signo, NULL);
+	if (error)
+		return error;
+
+	error = sigaction1(l, native_signo,
 	SCARG(uap, nsa) ?  : 0, SCARG(uap, osa) ?  : 0,
 	NULL, 0);
 	if (error)
@@ -217,16 +238,18 @@ svr4_sys_signal(struct lwp *l, const str
 		syscallarg(int) signum;
 		syscallarg(svr4_sig_t) handler;
 	} */
-	int signum = svr4_to_native_signo[SVR4_SIGNO(SCARG(uap, signum))];
+	int native_signo, sigcall;
 	struct proc *p = l->l_proc;
 	struct sigaction nbsa, obsa;
 	sigset_t ss;
 	int error;
 
-	if (signum <= 0 || signum >= SVR4_NSIG)
-		return (EINVAL);
+	error = svr4_decode_signum(SCARG(uap, signum), _signo,
+	);
+	if (error)
+		return error;
 
-	switch (SVR4_SIGCALL(SCARG(uap, signum))) {
+	switch (sigcall) {
 	case SVR4_SIGDEFER_MASK:
 		if (SCARG(uap, handler) == SVR4_SIG_HOLD)
 			goto sighold;
@@ -236,7 +259,7 @@ svr4_sys_signal(struct lwp *l, const str
 		

CVS commit: [netbsd-6-0] src/sys/compat

2017-08-12 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 12 16:20:59 UTC 2017

Modified Files:
src/sys/compat/common [netbsd-6-0]: vfs_syscalls_12.c vfs_syscalls_43.c
src/sys/compat/sys [netbsd-6-0]: dirent.h

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1469):
sys/compat/common/vfs_syscalls_12.c: revision 1.30
sys/compat/common/vfs_syscalls_43.c: revision 1.56
sys/compat/sys/dirent.h: revision 1.3
It is wishful thinking that vn_readdir will return dirent12 structures.
--
Fix the compat-4.3 getdirentries call (pre d_type). This is used in NetBSD-0.9.
--
add a struct for the 4.3BSD struct direct


To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.29.18.1 src/sys/compat/common/vfs_syscalls_12.c
cvs rdiff -u -r1.54.20.1 -r1.54.20.2 src/sys/compat/common/vfs_syscalls_43.c
cvs rdiff -u -r1.2 -r1.2.124.1 src/sys/compat/sys/dirent.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/common/vfs_syscalls_12.c
diff -u src/sys/compat/common/vfs_syscalls_12.c:1.29 src/sys/compat/common/vfs_syscalls_12.c:1.29.18.1
--- src/sys/compat/common/vfs_syscalls_12.c:1.29	Wed Jan 19 10:21:16 2011
+++ src/sys/compat/common/vfs_syscalls_12.c	Sat Aug 12 16:20:59 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: vfs_syscalls_12.c,v 1.29 2011/01/19 10:21:16 tsutsui Exp $	*/
+/*	$NetBSD: vfs_syscalls_12.c,v 1.29.18.1 2017/08/12 16:20:59 snj Exp $	*/
 
 /*
  * Copyright (c) 1989, 1993
@@ -37,7 +37,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_12.c,v 1.29 2011/01/19 10:21:16 tsutsui Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_12.c,v 1.29.18.1 2017/08/12 16:20:59 snj Exp $");
 
 #include 
 #include 
@@ -56,6 +56,7 @@ __KERNEL_RCSID(0, "$NetBSD: vfs_syscalls
 #include 
 
 #include 
+#include 
 
 /*
  * Convert from a new to an old stat structure.
@@ -96,28 +97,140 @@ compat_12_sys_getdirentries(struct lwp *
 		syscallarg(u_int) count;
 		syscallarg(long *) basep;
 	} */
+	struct dirent *bdp;
+	struct vnode *vp;
+	char *inp, *tbuf;		/* Current-format */
+	int len, reclen;		/* Current-format */
+	char *outp;			/* Dirent12-format */
+	int resid, old_reclen = 0;	/* Dirent12-format */
 	struct file *fp;
-	int error, done;
+	struct uio auio;
+	struct iovec aiov;
+	struct dirent12 idb;
+	off_t off;		/* true file offset */
+	int buflen, error, eofflag, nbytes;
+	struct vattr va;
+	off_t *cookiebuf = NULL, *cookie;
+	int ncookies;
 	long loff;
-
+		 
 	/* fd_getvnode() will use the descriptor for us */
 	if ((error = fd_getvnode(SCARG(uap, fd), )) != 0)
-		return error;
+		return (error);
+
 	if ((fp->f_flag & FREAD) == 0) {
 		error = EBADF;
-		goto out;
+		goto out1;
+	}
+
+	vp = (struct vnode *)fp->f_data;
+	if (vp->v_type != VDIR) {
+		error = ENOTDIR;
+		goto out1;
 	}
 
+	vn_lock(vp, LK_SHARED | LK_RETRY);
+	error = VOP_GETATTR(vp, , l->l_cred);
+	VOP_UNLOCK(vp);
+	if (error)
+		goto out1;
+
 	loff = fp->f_offset;
+	nbytes = SCARG(uap, count);
+	buflen = min(MAXBSIZE, nbytes);
+	if (buflen < va.va_blocksize)
+		buflen = va.va_blocksize;
+	tbuf = malloc(buflen, M_TEMP, M_WAITOK);
+
+	vn_lock(vp, LK_EXCLUSIVE | LK_RETRY);
+	off = fp->f_offset;
+again:
+	aiov.iov_base = tbuf;
+	aiov.iov_len = buflen;
+	auio.uio_iov = 
+	auio.uio_iovcnt = 1;
+	auio.uio_rw = UIO_READ;
+	auio.uio_resid = buflen;
+	auio.uio_offset = off;
+	UIO_SETUP_SYSSPACE();
+	/*
+ * First we read into the malloc'ed buffer, then
+ * we massage it into user space, one record at a time.
+ */
+	error = VOP_READDIR(vp, , fp->f_cred, , ,
+	);
+	if (error)
+		goto out;
+
+	inp = tbuf;
+	outp = SCARG(uap, buf);
+	resid = nbytes;
+	if ((len = buflen - auio.uio_resid) == 0)
+		goto eof;
+
+	for (cookie = cookiebuf; len > 0; len -= reclen) {
+		bdp = (struct dirent *)inp;
+		reclen = bdp->d_reclen;
+		if (reclen & 3)
+			panic(__func__);
+		if (bdp->d_fileno == 0) {
+			inp += reclen;	/* it is a hole; squish it out */
+			if (cookie)
+off = *cookie++;
+			else
+off += reclen;
+			continue;
+		}
+		old_reclen = _DIRENT_RECLEN(, bdp->d_namlen);
+		if (reclen > len || resid < old_reclen) {
+			/* entry too big for buffer, so just stop */
+			outp++;
+			break;
+		}
+		/*
+		 * Massage in place to make a Dirent12-shaped dirent (otherwise
+		 * we have to worry about touching user memory outside of
+		 * the copyout() call).
+		 */
+		idb.d_fileno = (uint32_t)bdp->d_fileno;
+		idb.d_reclen = (uint16_t)old_reclen;
+		idb.d_type = (uint8_t)bdp->d_type;
+		idb.d_namlen = (uint8_t)bdp->d_namlen;
+		strcpy(idb.d_name, bdp->d_name);
+		if ((error = copyout(, outp, old_reclen)))
+			goto out;
+		/* advance past this real entry */
+		inp += reclen;
+		if (cookie)
+			off = *cookie++; /* each entry points to itself */
+		else
+			off += reclen;
+		/* advance output past Dirent12-shaped entry */
+		outp += old_reclen;
+		resid -= old_reclen;
+	}
 
-	error = vn_readdir(fp, 

CVS commit: [netbsd-6-0] src/sys/compat/linux/arch/amd64

2017-02-14 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Tue Feb 14 16:57:57 UTC 2017

Modified Files:
src/sys/compat/linux/arch/amd64 [netbsd-6-0]: linux_machdep.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1433):
sys/compat/linux/arch/amd64/linux_machdep.c: 1.50, 1.51
Don't let userland choose %rip. This is the Intel Sysret vulnerability
again.
--
Make sure %rip is in userland. This is harmless, since the return to
userland is made with iret instead of sysret in this path. While here, use
size_t.


To generate a diff of this commit:
cvs rdiff -u -r1.39 -r1.39.10.1 \
src/sys/compat/linux/arch/amd64/linux_machdep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/linux/arch/amd64/linux_machdep.c
diff -u src/sys/compat/linux/arch/amd64/linux_machdep.c:1.39 src/sys/compat/linux/arch/amd64/linux_machdep.c:1.39.10.1
--- src/sys/compat/linux/arch/amd64/linux_machdep.c:1.39	Fri Nov 18 04:07:43 2011
+++ src/sys/compat/linux/arch/amd64/linux_machdep.c	Tue Feb 14 16:57:57 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: linux_machdep.c,v 1.39 2011/11/18 04:07:43 christos Exp $ */
+/*	$NetBSD: linux_machdep.c,v 1.39.10.1 2017/02/14 16:57:57 snj Exp $ */
 
 /*-
  * Copyright (c) 2005 Emmanuel Dreyfus, all rights reserved.
@@ -33,7 +33,7 @@
 
 #include 
 
-__KERNEL_RCSID(0, "$NetBSD: linux_machdep.c,v 1.39 2011/11/18 04:07:43 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: linux_machdep.c,v 1.39.10.1 2017/02/14 16:57:57 snj Exp $");
 
 #include 
 #include 
@@ -254,7 +254,12 @@ linux_sendsig(const ksiginfo_t *ksi, con
 	if (error != 0) {
 		sigexit(l, SIGILL);
 		return;
-	}	
+	}
+
+	if ((vaddr_t)catcher >= VM_MAXUSER_ADDRESS) {
+		sigexit(l, SIGILL);
+		return;
+	}
 
 	linux_buildcontext(l, catcher, sp);
 	tf->tf_rdi = sigframe.info.lsi_signo;
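Review bot: The new `(vaddr_t)catcher >= VM_MAXUSER_ADDRESS` rejection carries no comment, and nothing in the code explains why a handler address above user space must be fatal rather than just faulting in userland; per the commit message it closes the Intel sysret hole, so a one-line comment belongs on it: `/* Never let userland pick a kernel %rip: returning there via sysret faults with kernel privileges (Intel sysret issue). */` — the mechanism is from the log, not visible here. Killing with `sigexit(l, SIGILL)` matches the copyout-failure path just above, which is consistent. That `catcher` is exactly what later lands in %rip is inferred from its use in `linux_buildcontext`; linux_sendsig starts above the hunk.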
@@ -485,7 +490,7 @@ linux_usertrap(struct lwp *l, vaddr_t tr
 {
 	struct trapframe *tf = arg;
 	uint64_t retaddr;
-	int vsyscallnr;
+	size_t vsyscallnr;
 
 	/*
 	 * Check for a vsyscall. %rip must be the fault address,
@@ -515,6 +520,8 @@ linux_usertrap(struct lwp *l, vaddr_t tr
 	 */
 	if (copyin((void *)tf->tf_rsp, , sizeof retaddr) != 0)
 		return 0;
+	if ((vaddr_t)retaddr >= VM_MAXUSER_ADDRESS)
+		return 0;
 	tf->tf_rip = retaddr;
 	tf->tf_rax = linux_vsyscall_to_syscall[vsyscallnr];
 	tf->tf_rsp += 8;	/* "pop" the return address */
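Review bot: The new bound on `retaddr` is the right check, but both `return 0` exits (copyin failure and the kernel-range address) are silent, and nothing tells the reader what 0 means to the caller — presumably "not a vsyscall, deliver the original trap" — so a rejected vsyscall looks the same as a bug; I would add `/* Bogus return address: leave the trap to be delivered as a signal. */` above the new test, with the meaning of the return value confirmed against the caller of linux_usertrap. Since `vsyscallnr` is now `size_t` and no bound on it is visible in this hunk, the index into `linux_vsyscall_to_syscall[]` two lines down must be validated above — I assume it is. The function body continues on both sides of the hunk.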



CVS commit: [netbsd-6-0] src/sys/compat/common

2016-08-27 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Sat Aug 27 14:51:50 UTC 2016

Modified Files:
src/sys/compat/common [netbsd-6-0]: vfs_syscalls_43.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1400):
sys/compat/common/vfs_syscalls_43.c: revision 1.58
fill in the tv_nsec parts of the converted timespec in cvtstat().


To generate a diff of this commit:
cvs rdiff -u -r1.54 -r1.54.20.1 src/sys/compat/common/vfs_syscalls_43.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/common/vfs_syscalls_43.c
diff -u src/sys/compat/common/vfs_syscalls_43.c:1.54 src/sys/compat/common/vfs_syscalls_43.c:1.54.20.1
--- src/sys/compat/common/vfs_syscalls_43.c:1.54	Fri Nov 19 06:44:36 2010
+++ src/sys/compat/common/vfs_syscalls_43.c	Sat Aug 27 14:51:50 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: vfs_syscalls_43.c,v 1.54 2010/11/19 06:44:36 dholland Exp $	*/
+/*	$NetBSD: vfs_syscalls_43.c,v 1.54.20.1 2016/08/27 14:51:50 bouyer Exp $	*/
 
 /*
  * Copyright (c) 1989, 1993
@@ -37,7 +37,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_43.c,v 1.54 2010/11/19 06:44:36 dholland Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_43.c,v 1.54.20.1 2016/08/27 14:51:50 bouyer Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_compat_netbsd.h"
@@ -72,15 +72,42 @@ __KERNEL_RCSID(0, "$NetBSD: vfs_syscalls
 
 #include 
 
+static void cvttimespec(struct timespec *, struct timespec50 *);
 static void cvtstat(struct stat *, struct stat43 *);
 
 /*
+ * Convert from an old to a new timespec structure.
+ */
+static void
+cvttimespec(struct timespec *ts, struct timespec50 *ots)
+{
+
+	if (ts->tv_sec > INT_MAX) {
+#if defined(DEBUG) || 1
+		static bool first = true;
+
+		if (first) {
+			first = false;
+			printf("%s[%s:%d]: time_t does not fit\n",
+			__func__, curlwp->l_proc->p_comm,
+			curlwp->l_lid);
+		}
+#endif
+		ots->tv_sec = INT_MAX;
+	} else
+		ots->tv_sec = ts->tv_sec;
+	ots->tv_nsec = ts->tv_nsec;
+}
+
+/*
  * Convert from an old to a new stat structure.
  */
 static void
 cvtstat(struct stat *st, struct stat43 *ost)
 {
 
+	/* Handle any padding. */
+	memset(ost, 0, sizeof *ost);
 	ost->st_dev = st->st_dev;
 	ost->st_ino = st->st_ino;
 	ost->st_mode = st->st_mode & 0x;
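Review bot: `#if defined(DEBUG) || 1` makes the diagnostic `printf` unconditional, so the `defined(DEBUG)` half is dead code and a production kernel prints for the first process that meets a post-2038 timestamp; either drop the `|| 1` or drop the `#if` and say the message is intentional. The clamp handles only `tv_sec > INT_MAX`, while a time_t below INT_MIN is still silently truncated by the plain assignment, so a symmetric `else if (ts->tv_sec < INT_MIN) ots->tv_sec = INT_MIN;` keeps the conversion monotone. The header comment `Convert from an old to a new timespec structure.` is backwards — the function reads the current `struct timespec` and writes a `struct timespec50` — and should read `Convert a current timespec to the old 32-bit-time_t timespec50, clamping seconds that do not fit.`. The `static bool first` guard is racy across threads, but that only affects how many times the message is printed.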
@@ -92,9 +119,9 @@ cvtstat(struct stat *st, struct stat43 *
 		ost->st_size = st->st_size;
 	else
 		ost->st_size = -2;
-	ost->st_atime = st->st_atime;
-	ost->st_mtime = st->st_mtime;
-	ost->st_ctime = st->st_ctime;
+	cvttimespec(>st_atimespec, >st_atimespec);
+	cvttimespec(>st_mtimespec, >st_mtimespec);
+	cvttimespec(>st_ctimespec, >st_ctimespec);
 	ost->st_blksize = st->st_blksize;
 	ost->st_blocks = st->st_blocks;
 	ost->st_flags = st->st_flags;



CVS commit: [netbsd-6-0] src/sys/compat/netbsd32

2016-04-21 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr 21 15:25:52 UTC 2016

Modified Files:
src/sys/compat/netbsd32 [netbsd-6-0]: netbsd32_socket.c

Log Message:
Pull up following revision(s) (requested by christos in ticket #1378):
sys/compat/netbsd32/netbsd32_socket.c: revision 1.42
Memory leak, triggerable from an unprivileged user.


To generate a diff of this commit:
cvs rdiff -u -r1.39.2.2 -r1.39.2.2.4.1 \
src/sys/compat/netbsd32/netbsd32_socket.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/netbsd32/netbsd32_socket.c
diff -u src/sys/compat/netbsd32/netbsd32_socket.c:1.39.2.2 src/sys/compat/netbsd32/netbsd32_socket.c:1.39.2.2.4.1
--- src/sys/compat/netbsd32/netbsd32_socket.c:1.39.2.2	Sat Aug 18 22:01:40 2012
+++ src/sys/compat/netbsd32/netbsd32_socket.c	Thu Apr 21 15:25:52 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: netbsd32_socket.c,v 1.39.2.2 2012/08/18 22:01:40 riz Exp $	*/
+/*	$NetBSD: netbsd32_socket.c,v 1.39.2.2.4.1 2016/04/21 15:25:52 martin Exp $	*/
 
 /*
  * Copyright (c) 1998, 2001 Matthew R. Green
@@ -27,7 +27,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: netbsd32_socket.c,v 1.39.2.2 2012/08/18 22:01:40 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: netbsd32_socket.c,v 1.39.2.2.4.1 2016/04/21 15:25:52 martin Exp $");
 
 #include 
 #include 
@@ -331,7 +331,7 @@ netbsd32_sendmsg(struct lwp *l, const st
 	} */
 	struct msghdr msg;
 	struct netbsd32_msghdr msg32;
-	struct iovec aiov[UIO_SMALLIOV], *iov;
+	struct iovec aiov[UIO_SMALLIOV], *iov = aiov;
 	struct netbsd32_iovec *iov32;
 	size_t iovsz;
 	int error;
@@ -346,6 +346,7 @@ netbsd32_sendmsg(struct lwp *l, const st
 		error = copyin32_msg_control(l, );
 		if (error)
 			return (error);
+		/* From here on, msg.msg_control is allocated */
 	} else {
 		msg.msg_control = NULL;
 		msg.msg_controllen = 0;
@@ -353,23 +354,32 @@ netbsd32_sendmsg(struct lwp *l, const st
 
 	iovsz = msg.msg_iovlen * sizeof(struct iovec);
 	if ((u_int)msg.msg_iovlen > UIO_SMALLIOV) {
-		if ((u_int)msg.msg_iovlen > IOV_MAX)
-			return (EMSGSIZE);
+		if ((u_int)msg.msg_iovlen > IOV_MAX) {
+			error = EMSGSIZE;
+			goto out;
+		}
 		iov = kmem_alloc(iovsz, KM_SLEEP);
-	} else
-		iov = aiov;
+	}
 
 	iov32 = NETBSD32PTR64(msg32.msg_iov);
 	error = netbsd32_to_iovecin(iov32, iov, msg.msg_iovlen);
 	if (error)
-		goto done;
+		goto out;
 	msg.msg_iov = iov;
 
 	error = do_sys_sendmsg(l, SCARG(uap, s), , SCARG(uap, flags), retval);
-done:
+	/* msg.msg_control freed by do_sys_sendmsg() */
+
 	if (iov != aiov)
 		kmem_free(iov, iovsz);
 	return (error);
+
+out:
+	if (iov != aiov)
+		kmem_free(iov, iovsz);
+	if (msg.msg_control)
+		m_free(msg.msg_control);
+	return error;
 }
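Review bot: The `out:` path releases the control buffer with `m_free`, which frees only the head mbuf; if copyin32_msg_control (outside this hunk) can ever hand back a chain, `m_freem(msg.msg_control)` is the safe choice, so that helper is worth checking. The `/* msg.msg_control freed by do_sys_sendmsg() */` comment also assumes do_sys_sendmsg consumes the control mbuf on its error paths as well as on success — if it does not, the same kind of leak this commit fixes still exists for sendmsg failures. The `if (iov != aiov) kmem_free(iov, iovsz);` cleanup is now duplicated on the two exits; setting `msg.msg_control = NULL` after do_sys_sendmsg and falling into `out` would keep a single cleanup path.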
 
 int



CVS commit: [netbsd-6-0] src/sys/compat/linux/arch

2015-11-15 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Sun Nov 15 20:42:37 UTC 2015

Modified Files:
src/sys/compat/linux/arch/arm [netbsd-6-0]: linux_ptrace.c
src/sys/compat/linux/arch/i386 [netbsd-6-0]: linux_ptrace.c
src/sys/compat/linux/arch/powerpc [netbsd-6-0]: linux_ptrace.c

Log Message:
Pull up following revision(s) (requested by pgoyette in ticket #1335):
sys/compat/linux/arch/i386/linux_ptrace.c: revision 1.31
sys/compat/linux/arch/arm/linux_ptrace.c: revision 1.19
sys/compat/linux/arch/powerpc/linux_ptrace.c: revision 1.29
Don't release proc_lock until we're done looking at things that are
protected by the lock, particularly p_stat and p_waited.  Found by
Robert Elz.
XXX Pullup to NetBSD-7, -6, -6-0, and -6-1


To generate a diff of this commit:
cvs rdiff -u -r1.16 -r1.16.18.1 src/sys/compat/linux/arch/arm/linux_ptrace.c
cvs rdiff -u -r1.26 -r1.26.20.1 src/sys/compat/linux/arch/i386/linux_ptrace.c
cvs rdiff -u -r1.23 -r1.23.20.1 \
src/sys/compat/linux/arch/powerpc/linux_ptrace.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/linux/arch/arm/linux_ptrace.c
diff -u src/sys/compat/linux/arch/arm/linux_ptrace.c:1.16 src/sys/compat/linux/arch/arm/linux_ptrace.c:1.16.18.1
--- src/sys/compat/linux/arch/arm/linux_ptrace.c:1.16	Wed Jul  7 01:30:33 2010
+++ src/sys/compat/linux/arch/arm/linux_ptrace.c	Sun Nov 15 20:42:36 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: linux_ptrace.c,v 1.16 2010/07/07 01:30:33 chs Exp $	*/
+/*	$NetBSD: linux_ptrace.c,v 1.16.18.1 2015/11/15 20:42:36 bouyer Exp $	*/
 
 /*-
  * Copyright (c) 1999 The NetBSD Foundation, Inc.
@@ -31,7 +31,7 @@
 
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: linux_ptrace.c,v 1.16 2010/07/07 01:30:33 chs Exp $");
+__KERNEL_RCSID(0, "$NetBSD: linux_ptrace.c,v 1.16.18.1 2015/11/15 20:42:36 bouyer Exp $");
 
 #include 
 #include 
@@ -140,7 +140,6 @@ linux_sys_ptrace_arch(struct lwp *l, con
 		goto out;
 	}
 	mutex_enter(t->p_lock);
-	mutex_exit(proc_lock);
 
 	/*
 	 * You cannot do what you want to the process if:
@@ -148,6 +147,7 @@ linux_sys_ptrace_arch(struct lwp *l, con
 	 */
 	if (!ISSET(t->p_slflag, PSL_TRACED)) {
 		mutex_exit(t->p_lock);
+		mutex_exit(proc_lock);
 		error = EPERM;
 		goto out;
 	}
@@ -160,9 +160,11 @@ linux_sys_ptrace_arch(struct lwp *l, con
 	if (ISSET(t->p_slflag, PSL_FSTRACE) || t->p_pptr != p ||
 	t->p_stat != SSTOP || !t->p_waited) {
 		mutex_exit(t->p_lock);
+		mutex_exit(proc_lock);
 		error = EBUSY;
 		goto out;
 	}
+	mutex_exit(proc_lock);
 	/* XXX: ptrace needs revamp for multi-threading support. */
 	if (t->p_nlwps > 1) {
 		mutex_exit(t->p_lock);

Index: src/sys/compat/linux/arch/i386/linux_ptrace.c
diff -u src/sys/compat/linux/arch/i386/linux_ptrace.c:1.26 src/sys/compat/linux/arch/i386/linux_ptrace.c:1.26.20.1
--- src/sys/compat/linux/arch/i386/linux_ptrace.c:1.26	Wed Jul  7 01:30:34 2010
+++ src/sys/compat/linux/arch/i386/linux_ptrace.c	Sun Nov 15 20:42:36 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: linux_ptrace.c,v 1.26 2010/07/07 01:30:34 chs Exp $	*/
+/*	$NetBSD: linux_ptrace.c,v 1.26.20.1 2015/11/15 20:42:36 bouyer Exp $	*/
 
 /*-
  * Copyright (c) 1999 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: linux_ptrace.c,v 1.26 2010/07/07 01:30:34 chs Exp $");
+__KERNEL_RCSID(0, "$NetBSD: linux_ptrace.c,v 1.26.20.1 2015/11/15 20:42:36 bouyer Exp $");
 
 #include 
 #include 
@@ -184,7 +184,6 @@ linux_sys_ptrace_arch(struct lwp *l, con
 		return ESRCH;
 	}
 	mutex_enter(t->p_lock);
-	mutex_exit(proc_lock);
 
 	/*
 	 * You cannot do what you want to the process if:
@@ -192,6 +191,7 @@ linux_sys_ptrace_arch(struct lwp *l, con
 	 */
 	if (!ISSET(t->p_slflag, PSL_TRACED)) {
 		mutex_exit(t->p_lock);
+		mutex_exit(proc_lock);
 		error = EPERM;
 		goto out;
 	}
@@ -204,9 +204,11 @@ linux_sys_ptrace_arch(struct lwp *l, con
 	if (ISSET(t->p_slflag, PSL_FSTRACE) || t->p_pptr != p ||
 	t->p_stat != SSTOP || !t->p_waited) {
 		mutex_exit(t->p_lock);
+		mutex_exit(proc_lock);
 		error = EBUSY;
 		goto out;
 	}
+	mutex_exit(proc_lock);
 	/* XXX: ptrace needs revamp for multi-threading support. */
 	if (t->p_nlwps > 1) {
 		mutex_exit(t->p_lock);

Index: src/sys/compat/linux/arch/powerpc/linux_ptrace.c
diff -u src/sys/compat/linux/arch/powerpc/linux_ptrace.c:1.23 src/sys/compat/linux/arch/powerpc/linux_ptrace.c:1.23.20.1
--- src/sys/compat/linux/arch/powerpc/linux_ptrace.c:1.23	Thu Jul  1 02:38:28 2010
+++ src/sys/compat/linux/arch/powerpc/linux_ptrace.c	Sun Nov 15 20:42:36 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: linux_ptrace.c,v 1.23 2010/07/01 02:38:28 rmind Exp $ */
+/*	$NetBSD: linux_ptrace.c,v 1.23.20.1 2015/11/15 20:42:36 bouyer Exp $ */
 
 /*-
  * Copyright (c) 1999, 2001 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: linux_ptrace.c,v 1.23 2010/07/01 02:38:28 rmind Exp $");
+__KERNEL_RCSID(0, 

CVS commit: [netbsd-6-0] src/sys/compat/osf1

2015-11-15 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Sun Nov 15 20:48:44 UTC 2015

Modified Files:
src/sys/compat/osf1 [netbsd-6-0]: osf1_socket.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1338):
sys/compat/osf1/osf1_socket.c: revision 1.21
easy kmem_alloc(0)
ok shm@


To generate a diff of this commit:
cvs rdiff -u -r1.20 -r1.20.20.1 src/sys/compat/osf1/osf1_socket.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/osf1/osf1_socket.c
diff -u src/sys/compat/osf1/osf1_socket.c:1.20 src/sys/compat/osf1/osf1_socket.c:1.20.20.1
--- src/sys/compat/osf1/osf1_socket.c:1.20	Fri Apr 23 15:19:21 2010
+++ src/sys/compat/osf1/osf1_socket.c	Sun Nov 15 20:48:44 2015
@@ -1,4 +1,4 @@
-/* $NetBSD: osf1_socket.c,v 1.20 2010/04/23 15:19:21 rmind Exp $ */
+/* $NetBSD: osf1_socket.c,v 1.20.20.1 2015/11/15 20:48:44 bouyer Exp $ */
 
 /*
  * Copyright (c) 1999 Christopher G. Demetriou.  All rights reserved.
@@ -58,7 +58,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: osf1_socket.c,v 1.20 2010/04/23 15:19:21 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: osf1_socket.c,v 1.20.20.1 2015/11/15 20:48:44 bouyer Exp $");
 
 #include 
 #include 
@@ -116,7 +116,7 @@ osf1_sys_sendmsg_xopen(struct lwp *l, co
 		return (EINVAL);
 
 	iov_len = bsd_msghdr.msg_iovlen;
-	if (iov_len > IOV_MAX)
+	if ((iov_len > IOV_MAX) || (iov_len == 0))
 		return EMSGSIZE;
 	bsd_iovec = kmem_alloc(iov_len * sizeof(struct iovec), KM_SLEEP);
 	bsd_msghdr.msg_iov = bsd_iovec;
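Review bot: The new test rejects iov_len == 0 but not a negative value: if iov_len (declared before this hunk) is a signed type, a negative msg_iovlen passes both comparisons and reaches `kmem_alloc(iov_len * sizeof(struct iovec), KM_SLEEP)` with an enormous size, so either declare it unsigned or add `iov_len < 0` to the check. EMSGSIZE is also a surprising errno for an empty iovec; a zero-length iov is presumably a legitimate control-only message on the native sendmsg path, so returning EINVAL, or skipping the allocation and passing `msg_iov = NULL` through, would track native behaviour more closely — worth confirming what do_sys_sendmsg accepts. osf1_sys_sendmsg_xopen begins before this hunk.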



CVS commit: [netbsd-6-0] src/sys/compat/netbsd32

2015-08-02 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Sun Aug  2 12:54:34 UTC 2015

Modified Files:
src/sys/compat/netbsd32 [netbsd-6-0]: netbsd32_ioctl.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1318):
sys/compat/netbsd32/netbsd32_ioctl.c: revision 1.82
Wrong logic. Here, userland can control the size and the data copied, which
basically means it can overflow kernel memory.
ok martin@ christos@


To generate a diff of this commit:
cvs rdiff -u -r1.64 -r1.64.12.1 src/sys/compat/netbsd32/netbsd32_ioctl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/netbsd32/netbsd32_ioctl.c
diff -u src/sys/compat/netbsd32/netbsd32_ioctl.c:1.64 src/sys/compat/netbsd32/netbsd32_ioctl.c:1.64.12.1
--- src/sys/compat/netbsd32/netbsd32_ioctl.c:1.64	Thu Oct  6 03:19:32 2011
+++ src/sys/compat/netbsd32/netbsd32_ioctl.c	Sun Aug  2 12:54:34 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: netbsd32_ioctl.c,v 1.64 2011/10/06 03:19:32 macallan Exp $	*/
+/*	$NetBSD: netbsd32_ioctl.c,v 1.64.12.1 2015/08/02 12:54:34 martin Exp $	*/
 
 /*
  * Copyright (c) 1998, 2001 Matthew R. Green
@@ -31,7 +31,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: netbsd32_ioctl.c,v 1.64 2011/10/06 03:19:32 macallan Exp $);
+__KERNEL_RCSID(0, $NetBSD: netbsd32_ioctl.c,v 1.64.12.1 2015/08/02 12:54:34 martin Exp $);
 
 #include sys/param.h
 #include sys/systm.h
@@ -192,7 +192,7 @@ netbsd32_to_if_addrprefreq(const struct 
 	strlcpy(ifap-ifap_name, ifap32-ifap_name, sizeof(ifap-ifap_name));
 	ifap-ifap_preference = ifap32-ifap_preference;
 	memcpy(ifap-ifap_addr, ifap32-ifap_addr,
-	max(ifap32-ifap_addr.ss_len, _SS_MAXSIZE));
+	min(ifap32-ifap_addr.ss_len, _SS_MAXSIZE));
 }
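Review bot: The copy length is still taken from the userland-supplied `ss_len`, just bounded now; if both sides are `struct sockaddr_storage`, which the `_SS_MAXSIZE` bound suggests, copying the whole field — `memcpy(&ifap->ifap_addr, &ifap32->ifap_addr, sizeof(ifap->ifap_addr));` or a plain struct assignment — removes user control over the length altogether and leaves no uninitialised tail when ss_len is short. A comment on why the length is clamped would also stop the `min()` from being "simplified" away again, e.g. `/* ss_len is user-supplied; never copy more than the destination holds. */`. netbsd32_to_if_addrprefreq starts before this hunk.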
 
 static inline void
@@ -425,7 +425,7 @@ netbsd32_from_if_addrprefreq(const struc
 	strlcpy(ifap32-ifap_name, ifap-ifap_name, sizeof(ifap32-ifap_name));
 	ifap32-ifap_preference = ifap-ifap_preference;
 	memcpy(ifap32-ifap_addr, ifap-ifap_addr,
-	max(ifap-ifap_addr.ss_len, _SS_MAXSIZE));
+	min(ifap-ifap_addr.ss_len, _SS_MAXSIZE));
 }
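Review bot: In the kernel-to-userland direction a short `ss_len` means only the first ss_len bytes of `ifap32->ifap_addr` are written; if the caller does not zero ifap32 before this conversion and later copies it out, the remaining bytes of the field are whatever was on the kernel stack, which is a disclosure to an unprivileged ioctl caller. Copying the whole field, `memcpy(&ifap32->ifap_addr, &ifap->ifap_addr, sizeof(ifap32->ifap_addr));`, or memset-ing the 32-bit struct first, avoids depending on the caller. The enclosing function begins before the hunk.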
 
 static inline void



CVS commit: [netbsd-6-0] src/sys/compat/netbsd32

2014-12-14 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Sun Dec 14 14:03:28 UTC 2014

Modified Files:
src/sys/compat/netbsd32 [netbsd-6-0]: netbsd32_compat_30.c

Log Message:
Pull up revision 1.31, requested by maxv in #1209:

Prevent a user-triggerable kmem_alloc(0).


To generate a diff of this commit:
cvs rdiff -u -r1.30 -r1.30.20.1 src/sys/compat/netbsd32/netbsd32_compat_30.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/netbsd32/netbsd32_compat_30.c
diff -u src/sys/compat/netbsd32/netbsd32_compat_30.c:1.30 src/sys/compat/netbsd32/netbsd32_compat_30.c:1.30.20.1
--- src/sys/compat/netbsd32/netbsd32_compat_30.c:1.30	Fri Apr 23 15:19:20 2010
+++ src/sys/compat/netbsd32/netbsd32_compat_30.c	Sun Dec 14 14:03:28 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: netbsd32_compat_30.c,v 1.30 2010/04/23 15:19:20 rmind Exp $	*/
+/*	$NetBSD: netbsd32_compat_30.c,v 1.30.20.1 2014/12/14 14:03:28 martin Exp $	*/
 
 /*
  * Copyright (c) 1998, 2001 Matthew R. Green
@@ -27,7 +27,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: netbsd32_compat_30.c,v 1.30 2010/04/23 15:19:20 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: netbsd32_compat_30.c,v 1.30.20.1 2014/12/14 14:03:28 martin Exp $);
 
 #include sys/param.h
 #include sys/systm.h
@@ -78,6 +78,9 @@ compat_30_netbsd32_getdents(struct lwp *
 		error = EBADF;
 		goto out;
 	}
+	if (count == 0)
+		goto out;
+
 	buf = kmem_alloc(count, KM_SLEEP);
 	error = vn_readdir(fp, buf, UIO_SYSSPACE, count, done, l, 0, 0);
 	if (error == 0) {
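Review bot: `if (count == 0) goto out;` returns whatever `error` currently holds and leaves `*retval` untouched; `error` is presumably 0 here, but it is worth checking what the native getdents returns for a zero count (EINVAL or 0) so 32-bit callers see the same result, and setting `*retval = 0` explicitly if 0 is the answer. count also remains unbounded upward: unless it is capped before this hunk, `kmem_alloc(count, KM_SLEEP)` lets an unprivileged caller ask for an arbitrarily large kernel buffer, so a cap such as `if (count > MAXPHYS) count = MAXPHYS;` (or whatever vn_readdir tolerates) would be prudent. compat_30_netbsd32_getdents continues outside the hunk.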



CVS commit: [netbsd-6-0] src/sys/compat/netbsd32

2014-11-08 Thread SAITOH Masanobu
Module Name:src
Committed By:   msaitoh
Date:   Sun Nov  9 07:10:23 UTC 2014

Modified Files:
src/sys/compat/netbsd32 [netbsd-6-0]: netbsd32_compat_50.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1179):
sys/compat/netbsd32/netbsd32_compat_50.c: revision 1.28
fix multiple mistakes:
- error from copyout was ignored
- the wrong size was specified in copyin
- missing locking.


To generate a diff of this commit:
cvs rdiff -u -r1.20.12.1 -r1.20.12.2 \
src/sys/compat/netbsd32/netbsd32_compat_50.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/netbsd32/netbsd32_compat_50.c
diff -u src/sys/compat/netbsd32/netbsd32_compat_50.c:1.20.12.1 src/sys/compat/netbsd32/netbsd32_compat_50.c:1.20.12.2
--- src/sys/compat/netbsd32/netbsd32_compat_50.c:1.20.12.1	Mon Jun 30 12:10:25 2014
+++ src/sys/compat/netbsd32/netbsd32_compat_50.c	Sun Nov  9 07:10:23 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: netbsd32_compat_50.c,v 1.20.12.1 2014/06/30 12:10:25 msaitoh Exp $	*/
+/*	$NetBSD: netbsd32_compat_50.c,v 1.20.12.2 2014/11/09 07:10:23 msaitoh Exp $	*/
 
 /*-
  * Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -36,7 +36,7 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: netbsd32_compat_50.c,v 1.20.12.1 2014/06/30 12:10:25 msaitoh Exp $);
+__KERNEL_RCSID(0, $NetBSD: netbsd32_compat_50.c,v 1.20.12.2 2014/11/09 07:10:23 msaitoh Exp $);
 
 #if defined(_KERNEL_OPT)
 #include opt_sysv.h
@@ -248,30 +248,31 @@ compat_50_netbsd32_adjtime(struct lwp *l
 		return (error);
 
 	if (SCARG_P32(uap, olddelta)) {
+		mutex_spin_enter(timecounter_lock);
 		atv.tv_sec = time_adjtime / 100;
 		atv.tv_usec = time_adjtime % 100;
 		if (atv.tv_usec  0) {
 			atv.tv_usec += 100;
 			atv.tv_sec--;
 		}
-		(void) copyout(atv,
-			   SCARG_P32(uap, olddelta), 
-			   sizeof(atv));
+		mutex_spin_exit(timecounter_lock);
+
+		error = copyout(atv, SCARG_P32(uap, olddelta), sizeof(atv));
 		if (error)
 			return (error);
 	}
 	
 	if (SCARG_P32(uap, delta)) {
-		error = copyin(SCARG_P32(uap, delta), atv,
-			   sizeof(struct timeval));
+		error = copyin(SCARG_P32(uap, delta), atv, sizeof(atv));
 		if (error)
 			return (error);
 
+		mutex_spin_enter(timecounter_lock);
 		time_adjtime = (int64_t)atv.tv_sec * 100 + atv.tv_usec;
-
 		if (time_adjtime)
 			/* We need to save the system time during shutdown */
 			time_adjusted |= 1;
+		mutex_spin_exit(timecounter_lock);
 	}
 
 	return 0;
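Review bot: The old delta is read under timecounter_lock and the new one written under a second acquisition, with the copyin/copyout in between, so two concurrent adjtime(2) callers can still interleave and one update is lost; that is inherent to the olddelta/delta API and presumably matches native adjtime, so a comment saying so would save the next reader a worry, e.g. `/* Two separate critical sections: read-then-write is not atomic, same as native adjtime. */`. Dropping the spin mutex before copyout is correct, since copyout can fault. The user-supplied delta is not range-checked (a tv_usec outside 0..999999 is folded in as-is), which is again probably native behaviour but worth confirming. compat_50_netbsd32_adjtime starts before this hunk.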



CVS commit: [netbsd-6-0] src/sys/compat/freebsd

2014-10-19 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sun Oct 19 19:36:59 UTC 2014

Modified Files:
src/sys/compat/freebsd [netbsd-6-0]: freebsd_sysctl.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1168):
sys/compat/freebsd/freebsd_sysctl.c: revision 1.17
I'm not sure reading from an unsanitized userland pointer is a good idea.
Some users might be tempted to give 0x01, in which case the kernel will
crash.


To generate a diff of this commit:
cvs rdiff -u -r1.15 -r1.15.28.1 src/sys/compat/freebsd/freebsd_sysctl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/freebsd/freebsd_sysctl.c
diff -u src/sys/compat/freebsd/freebsd_sysctl.c:1.15 src/sys/compat/freebsd/freebsd_sysctl.c:1.15.28.1
--- src/sys/compat/freebsd/freebsd_sysctl.c:1.15	Wed Nov 19 18:36:02 2008
+++ src/sys/compat/freebsd/freebsd_sysctl.c	Sun Oct 19 19:36:59 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: freebsd_sysctl.c,v 1.15 2008/11/19 18:36:02 ad Exp $	*/
+/*	$NetBSD: freebsd_sysctl.c,v 1.15.28.1 2014/10/19 19:36:59 snj Exp $	*/
 
 /*-
  * Copyright (c) 2005 The NetBSD Foundation, Inc.
@@ -31,7 +31,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: freebsd_sysctl.c,v 1.15 2008/11/19 18:36:02 ad Exp $);
+__KERNEL_RCSID(0, $NetBSD: freebsd_sysctl.c,v 1.15.28.1 2014/10/19 19:36:59 snj Exp $);
 
 #include sys/param.h
 #include sys/systm.h
@@ -95,7 +95,7 @@ freebsd_sys_sysctl(struct lwp *l, const 
 	} */
 	int error;
 	int name[CTL_MAXNAME];
-	size_t newlen, *oldlenp;
+	size_t newlen, *oldlenp, oldlen;
 	u_int namelen;
 	void *new, *old;
 
@@ -146,9 +146,14 @@ freebsd_sys_sysctl(struct lwp *l, const 
 
 		old = SCARG(uap, old);
 		oldlenp = SCARG(uap, oldlenp);
-		if (old == NULL || oldlenp == NULL || *oldlenp  sizeof(int))
+		if (old == NULL || oldlenp == NULL)
 			return(EINVAL);
 
+		if ((error = copyin(oldlenp, oldlen, sizeof(oldlen
+			return (error);
+		if (oldlen  sizeof(int))
+			return (EINVAL);
+
 		if ((locnew =
 		 (char *) malloc(newlen + 1, M_TEMP, M_WAITOK)) == NULL)
 			return(ENOMEM);
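Review bot: `malloc(newlen + 1, M_TEMP, M_WAITOK)` cannot return NULL with M_WAITOK, so the ENOMEM branch is dead; the real concern is that newlen is user-supplied (copied in before this hunk, presumably), so `newlen + 1` wraps to 0 for SIZE_MAX and any large value lets an unprivileged caller pin arbitrary kernel memory — a sanity bound before the allocation, e.g. `if (newlen > MAXPATHLEN) return EINVAL;` or whatever the longest legitimate sysctl name is, would close both. Reading oldlen through copyin is the right fix; the old code dereferenced the user pointer from kernel mode. freebsd_sys_sysctl continues outside the hunk.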
@@ -168,11 +173,11 @@ freebsd_sys_sysctl(struct lwp *l, const 
 
 		oidlen *= sizeof(int);
 		error = copyout(oid, SCARG(uap, old),
-MIN(oidlen, *SCARG(uap, oldlenp)));
+MIN(oidlen, oldlen));
 		if (error)
 			return(error);
 		ktrmibio(-1, UIO_READ, SCARG(uap, old),
-		MIN(oidlen, *SCARG(uap, oldlenp)),  0);
+		MIN(oidlen, oldlen),  0);
 
 		error = copyout(oidlen, SCARG(uap, oldlenp), sizeof(u_int));
 



CVS commit: [netbsd-6-0] src/sys/compat/osf1

2014-08-27 Thread SAITOH Masanobu
Module Name:src
Committed By:   msaitoh
Date:   Wed Aug 27 15:02:39 UTC 2014

Modified Files:
src/sys/compat/osf1 [netbsd-6-0]: osf1_file.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1141):
sys/compat/osf1/osf1_file.c: revision 1.42
Ensure nbytes > 0. Otherwise bad things may happen.
Compile-tested only.
ok christos@


To generate a diff of this commit:
cvs rdiff -u -r1.41 -r1.41.14.1 src/sys/compat/osf1/osf1_file.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/osf1/osf1_file.c
diff -u src/sys/compat/osf1/osf1_file.c:1.41 src/sys/compat/osf1/osf1_file.c:1.41.14.1
--- src/sys/compat/osf1/osf1_file.c:1.41	Fri Jul 22 10:02:08 2011
+++ src/sys/compat/osf1/osf1_file.c	Wed Aug 27 15:02:39 2014
@@ -1,4 +1,4 @@
-/* $NetBSD: osf1_file.c,v 1.41 2011/07/22 10:02:08 njoly Exp $ */
+/* $NetBSD: osf1_file.c,v 1.41.14.1 2014/08/27 15:02:39 msaitoh Exp $ */
 
 /*
  * Copyright (c) 1999 Christopher G. Demetriou.  All rights reserved.
@@ -58,7 +58,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: osf1_file.c,v 1.41 2011/07/22 10:02:08 njoly Exp $);
+__KERNEL_RCSID(0, $NetBSD: osf1_file.c,v 1.41.14.1 2014/08/27 15:02:39 msaitoh Exp $);
 
 #if defined(_KERNEL_OPT)
 #include opt_syscall_debug.h
@@ -133,7 +133,7 @@ osf1_sys_getdirentries(struct lwp *l, co
 	/* {
 		syscallarg(int) fd;
 		syscallarg(char *) buf;
-		syscallarg(u_int) nbytes;
+		syscallarg(int) nbytes;
 		syscallarg(long *) basep;
 	} */
 	struct dirent *bdp;
@@ -151,6 +151,11 @@ osf1_sys_getdirentries(struct lwp *l, co
 	off_t *cookiebuf = NULL, *cookie;
 	int ncookies, fd;
 
+	if (SCARG(uap, nbytes)  0)
+		return EINVAL;
+	if (SCARG(uap, nbytes) == 0)
+		return 0;
+
 	fd = SCARG(uap, fd);
 	if ((error = fd_getvnode(fd, fp)) != 0)
 		return (error);
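Review bot: The `SCARG(uap, nbytes) < 0` test only works if the generated osf1_syscallargs.h declares nbytes as int; the `syscallarg(int)` edit in the previous hunk is inside a comment block and does not change the real type, so if the syscalls.master entry still says u_int the comparison is always false (the compiler will warn) and this diff needs the .master change alongside it. `return 0` for nbytes == 0 leaves `*retval` untouched; if the syscall entry code zeroes retval beforehand that is fine, otherwise `*retval = 0;` should precede it. Neither check bounds nbytes above, so if a kernel buffer of nbytes is allocated further down (outside the hunk), a cap is still needed.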



CVS commit: [netbsd-6-0] src/sys/compat

2014-08-07 Thread SAITOH Masanobu
Module Name:src
Committed By:   msaitoh
Date:   Fri Aug  8 03:14:10 UTC 2014

Modified Files:
src/sys/compat/linux/common [netbsd-6-0]: linux_socketcall.c
src/sys/compat/linux32/common [netbsd-6-0]: linux32_socketcall.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1104):
sys/compat/linux32/common/linux32_socketcall.c: revision 1.9
sys/compat/linux/common/linux_socketcall.c: revision 1.44
If SCARG(uap, what) = 0, copyin() will copy (size_t)-1 bytes, and it's not
a good idea; but not proven harmful.
With the help of njoly@


To generate a diff of this commit:
cvs rdiff -u -r1.39 -r1.39.40.1 \
src/sys/compat/linux/common/linux_socketcall.c
cvs rdiff -u -r1.7 -r1.7.26.1 \
src/sys/compat/linux32/common/linux32_socketcall.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/linux/common/linux_socketcall.c
diff -u src/sys/compat/linux/common/linux_socketcall.c:1.39 src/sys/compat/linux/common/linux_socketcall.c:1.39.40.1
--- src/sys/compat/linux/common/linux_socketcall.c:1.39	Thu Jul  3 14:07:09 2008
+++ src/sys/compat/linux/common/linux_socketcall.c	Fri Aug  8 03:14:10 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: linux_socketcall.c,v 1.39 2008/07/03 14:07:09 njoly Exp $	*/
+/*	$NetBSD: linux_socketcall.c,v 1.39.40.1 2014/08/08 03:14:10 msaitoh Exp $	*/
 
 /*-
  * Copyright (c) 1995, 1998 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: linux_socketcall.c,v 1.39 2008/07/03 14:07:09 njoly Exp $);
+__KERNEL_RCSID(0, $NetBSD: linux_socketcall.c,v 1.39.40.1 2014/08/08 03:14:10 msaitoh Exp $);
 
 #include sys/param.h
 #include sys/kernel.h
@@ -123,7 +123,7 @@ linux_sys_socketcall(struct lwp *l, cons
 	struct linux_socketcall_dummy_args lda;
 	int error;
 
-	if (SCARG(uap, what)  0 || SCARG(uap, what)  LINUX_MAX_SOCKETCALL)
+	if (SCARG(uap, what) = 0 || SCARG(uap, what)  LINUX_MAX_SOCKETCALL)
 		return ENOSYS;
 
 	if ((error = copyin(SCARG(uap, args), lda,
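Review bot: Linux's own sys_socketcall returns EINVAL for an out-of-range call number, so returning ENOSYS here is a visible ABI difference for emulated programs that probe for a subcall; `return EINVAL;` would match. The upper bound `what > LINUX_MAX_SOCKETCALL` is inclusive: it is only correct if LINUX_MAX_SOCKETCALL is the last valid index rather than the table size, which this hunk cannot show — worth a comment either way, e.g. `/* what is 1-based; LINUX_MAX_SOCKETCALL is the highest valid subcall. */`. linux_sys_socketcall continues past the hunk.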

Index: src/sys/compat/linux32/common/linux32_socketcall.c
diff -u src/sys/compat/linux32/common/linux32_socketcall.c:1.7 src/sys/compat/linux32/common/linux32_socketcall.c:1.7.26.1
--- src/sys/compat/linux32/common/linux32_socketcall.c:1.7	Wed Nov 19 18:36:04 2008
+++ src/sys/compat/linux32/common/linux32_socketcall.c	Fri Aug  8 03:14:10 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: linux32_socketcall.c,v 1.7 2008/11/19 18:36:04 ad Exp $ */
+/*	$NetBSD: linux32_socketcall.c,v 1.7.26.1 2014/08/08 03:14:10 msaitoh Exp $ */
 
 /*-
  * Copyright (c) 2006 Emmanuel Dreyfus, all rights reserved.
@@ -31,7 +31,7 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: linux32_socketcall.c,v 1.7 2008/11/19 18:36:04 ad Exp $);
+__KERNEL_RCSID(0, $NetBSD: linux32_socketcall.c,v 1.7.26.1 2014/08/08 03:14:10 msaitoh Exp $);
 
 #include sys/types.h
 #include sys/param.h
@@ -96,7 +96,7 @@ linux32_sys_socketcall(struct lwp *l, co
 	union linux32_socketcall_args ua;
 	int error;
 
-	if (SCARG(uap, what)  0 || SCARG(uap, what)  LINUX32_MAX_SOCKETCALL)
+	if (SCARG(uap, what) = 0 || SCARG(uap, what)  LINUX32_MAX_SOCKETCALL)
 		return ENOSYS;
 
 	if ((error = copyin(SCARG_P32(uap, args), ua,
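Review bot: ENOSYS for a bad `what` differs from Linux, whose sys_socketcall returns EINVAL for an out-of-range call number; `return EINVAL;` keeps emulated callers on the path they expect. The inclusive `> LINUX32_MAX_SOCKETCALL` bound also requires LINUX32_MAX_SOCKETCALL to be the last valid index, not the count — a comment here or at the definition would pin that down. The function continues outside the hunk.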



CVS commit: [netbsd-6-0] src/sys/compat/netbsd32

2014-06-30 Thread SAITOH Masanobu
Module Name:src
Committed By:   msaitoh
Date:   Mon Jun 30 12:10:25 UTC 2014

Modified Files:
src/sys/compat/netbsd32 [netbsd-6-0]: netbsd32_compat_50.c
netbsd32_event.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1090):
sys/compat/netbsd32/netbsd32_compat_50.c: revision 1.24
sys/compat/netbsd32/netbsd32_event.c: revision 1.11
Allocate KQ_NEVENTS entries directly. Otherwise a user can panic the system.
ok christos@


To generate a diff of this commit:
cvs rdiff -u -r1.20 -r1.20.12.1 src/sys/compat/netbsd32/netbsd32_compat_50.c
cvs rdiff -u -r1.9 -r1.9.16.1 src/sys/compat/netbsd32/netbsd32_event.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/netbsd32/netbsd32_compat_50.c
diff -u src/sys/compat/netbsd32/netbsd32_compat_50.c:1.20 src/sys/compat/netbsd32/netbsd32_compat_50.c:1.20.12.1
--- src/sys/compat/netbsd32/netbsd32_compat_50.c:1.20	Fri Nov 18 03:34:13 2011
+++ src/sys/compat/netbsd32/netbsd32_compat_50.c	Mon Jun 30 12:10:25 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: netbsd32_compat_50.c,v 1.20 2011/11/18 03:34:13 christos Exp $	*/
+/*	$NetBSD: netbsd32_compat_50.c,v 1.20.12.1 2014/06/30 12:10:25 msaitoh Exp $	*/
 
 /*-
  * Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -36,7 +36,7 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: netbsd32_compat_50.c,v 1.20 2011/11/18 03:34:13 christos Exp $);
+__KERNEL_RCSID(0, $NetBSD: netbsd32_compat_50.c,v 1.20.12.1 2014/06/30 12:10:25 msaitoh Exp $);
 
 #if defined(_KERNEL_OPT)
 #include opt_sysv.h
@@ -631,7 +631,8 @@ compat_50_netbsd32_kevent(struct lwp *l,
 
 	nchanges = SCARG(uap, nchanges);
 	nevents = SCARG(uap, nevents);
-	maxalloc = MIN(KQ_NEVENTS, MAX(nchanges, nevents));
+	maxalloc = KQ_NEVENTS;
+
 	netbsd32_kevent_ops.keo_private =
 	kmem_alloc(maxalloc * sizeof(struct netbsd32_kevent), KM_SLEEP);
 
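Review bot: The fixed KQ_NEVENTS allocation takes the size out of user hands, which is the fix, but the reason is no longer visible in the code; `/* Fixed-size scratch buffer: a user-supplied nchanges/nevents of 0 used to yield kmem_alloc(0). */` above it would keep someone from restoring the MIN/MAX form. The matching kmem_free (outside the hunk) must pass the same `maxalloc * sizeof(struct netbsd32_kevent)`; it presumably still does since maxalloc is the variable in use. With the size now a compile-time constant, the alloc/free pair could become a stack array if KQ_NEVENTS is small, but that is optional.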

Index: src/sys/compat/netbsd32/netbsd32_event.c
diff -u src/sys/compat/netbsd32/netbsd32_event.c:1.9 src/sys/compat/netbsd32/netbsd32_event.c:1.9.16.1
--- src/sys/compat/netbsd32/netbsd32_event.c:1.9	Mon May 23 21:34:47 2011
+++ src/sys/compat/netbsd32/netbsd32_event.c	Mon Jun 30 12:10:25 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: netbsd32_event.c,v 1.9 2011/05/23 21:34:47 joerg Exp $	*/
+/*	$NetBSD: netbsd32_event.c,v 1.9.16.1 2014/06/30 12:10:25 msaitoh Exp $	*/
 
 /*
  *  Copyright (c) 2005 The NetBSD Foundation.
@@ -27,7 +27,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: netbsd32_event.c,v 1.9 2011/05/23 21:34:47 joerg Exp $);
+__KERNEL_RCSID(0, $NetBSD: netbsd32_event.c,v 1.9.16.1 2014/06/30 12:10:25 msaitoh Exp $);
 
 #include sys/types.h
 #include sys/param.h
@@ -112,7 +112,8 @@ netbsd32___kevent50(struct lwp *l,
 
 	nchanges = SCARG(uap, nchanges);
 	nevents = SCARG(uap, nevents);
-	maxalloc = MIN(KQ_NEVENTS, MAX(nchanges, nevents));
+	maxalloc = KQ_NEVENTS;
+
 	netbsd32_kevent_ops.keo_private =
 	kmem_alloc(maxalloc * sizeof(struct netbsd32_kevent), KM_SLEEP);
 
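Review bot: As with the compat_50 variant, nothing in the code now says why maxalloc is a constant; `/* Always KQ_NEVENTS: a user-supplied count of 0 used to reach kmem_alloc(0). */` would preserve the rationale. The kmem_free that pairs with this kmem_alloc is outside the hunk and must use the same maxalloc-derived size — presumably it does, since maxalloc is unchanged as a variable.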



CVS commit: [netbsd-6-0] src/sys/compat/freebsd

2014-06-25 Thread SAITOH Masanobu
Module Name:src
Committed By:   msaitoh
Date:   Thu Jun 26 04:01:32 UTC 2014

Modified Files:
src/sys/compat/freebsd [netbsd-6-0]: freebsd_sched.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1086):
sys/compat/freebsd/freebsd_sched.c  1.20-1.21

Avoid NULL dereference and fix sched param conversion (at least make it
do something). Pointed out by Maxime Villard.

Simplify and clarify.


To generate a diff of this commit:
cvs rdiff -u -r1.19 -r1.19.46.1 src/sys/compat/freebsd/freebsd_sched.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/freebsd/freebsd_sched.c
diff -u src/sys/compat/freebsd/freebsd_sched.c:1.19 src/sys/compat/freebsd/freebsd_sched.c:1.19.46.1
--- src/sys/compat/freebsd/freebsd_sched.c:1.19	Mon Apr 28 20:23:41 2008
+++ src/sys/compat/freebsd/freebsd_sched.c	Thu Jun 26 04:01:32 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: freebsd_sched.c,v 1.19 2008/04/28 20:23:41 martin Exp $	*/
+/*	$NetBSD: freebsd_sched.c,v 1.19.46.1 2014/06/26 04:01:32 msaitoh Exp $	*/
 
 /*-
  * Copyright (c) 1999 The NetBSD Foundation, Inc.
@@ -35,7 +35,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: freebsd_sched.c,v 1.19 2008/04/28 20:23:41 martin Exp $);
+__KERNEL_RCSID(0, $NetBSD: freebsd_sched.c,v 1.19.46.1 2014/06/26 04:01:32 msaitoh Exp $);
 
 #include sys/param.h
 #include sys/mount.h
@@ -62,72 +62,72 @@ freebsd_sys_yield(struct lwp *l, const v
  */
 static int
 sched_freebsd2native(int freebsd_policy,
-struct freebsd_sched_param *freebsd_params, int *native_policy,
+const struct freebsd_sched_param *freebsd_params, int *native_policy,
 struct sched_param *native_params)
 {
-	int error;
-
-	error = 0;
+	int p;
 
 	switch (freebsd_policy) {
 	case FREEBSD_SCHED_OTHER:
-		*native_policy = SCHED_OTHER;
+		p = SCHED_OTHER;
 		break;
 
 	case FREEBSD_SCHED_FIFO:
-		*native_policy = SCHED_FIFO;
+		p = SCHED_FIFO;
 		break;
 
 	case FREEBSD_SCHED_RR:
-		*native_policy = SCHED_RR;
+		p = SCHED_RR;
 		break;
 
 	default:
-		error = EINVAL;
-		break;
+		return EINVAL;
 	}
  
-	if (freebsd_params != NULL  native_params != NULL  !error) {
-		native_params = (struct sched_param *)freebsd_params;
+	if (native_policy != NULL)
+		*native_policy = p;
+
+	if (freebsd_params != NULL  native_params != NULL) {
+		/* XXX: Needs adjustment to do a proper conversion. */
+		native_params-sched_priority = freebsd_params-sched_priority;
 	}
-
-	return (error);
+	return 0;
 }
 
 /*
- * XXX: Needs adjustment to do a proper conversion.
  */
 static int
-sched_native2freebsd(int native_policy, struct sched_param *native_params,
+sched_native2freebsd(int native_policy, const struct sched_param *native_params,
 int *freebsd_policy, struct freebsd_sched_param *freebsd_params)
 {
-	int error;
-
-	error = 0;
+	int p;
 
 	switch (native_policy) {
 	case SCHED_OTHER:
-		*freebsd_policy = FREEBSD_SCHED_OTHER;
+		p = FREEBSD_SCHED_OTHER;
 		break;
 
 	case SCHED_FIFO:
-		*freebsd_policy = FREEBSD_SCHED_FIFO;
+		p = FREEBSD_SCHED_FIFO;
 		break;
 
 	case SCHED_RR:
-		*freebsd_policy = FREEBSD_SCHED_RR;
+		p = FREEBSD_SCHED_RR;
 		break;
 
 	default:
-		error = EINVAL;
-		break;
+		return EINVAL;
 	}
  
-	if (native_params != NULL  freebsd_params != NULL  !error) {
-		freebsd_params = (struct freebsd_sched_param *)native_params;
+	if (freebsd_policy != NULL)
+		*freebsd_policy = p;
+
+	if (native_params != NULL  freebsd_params != NULL) {
+		/* XXX: Needs adjustment to do a proper conversion. */
+		freebsd_params-sched_priority = native_params-sched_priority;
 	}
-
-	return (error);
+
+	return 0;
 }
 
 int
@@ -199,7 +199,7 @@ freebsd_sys_sched_getparam(struct lwp *l
 		goto out;
 
  out:
-	return (error);
+	return error;
 }
 
 int



CVS commit: [netbsd-6-0] src/sys/compat/common

2013-12-17 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Tue Dec 17 20:52:13 UTC 2013

Modified Files:
src/sys/compat/common [netbsd-6-0]: compat_util.c

Log Message:
Pull up following revision(s) (requested by martin in ticket #999):
sys/compat/common/compat_util.c: revision 1.45
Free pathbuf in an error path.
From Maxime Villard.


To generate a diff of this commit:
cvs rdiff -u -r1.44 -r1.44.20.1 src/sys/compat/common/compat_util.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/common/compat_util.c
diff -u src/sys/compat/common/compat_util.c:1.44 src/sys/compat/common/compat_util.c:1.44.20.1
--- src/sys/compat/common/compat_util.c:1.44	Fri Nov 19 06:44:35 2010
+++ src/sys/compat/common/compat_util.c	Tue Dec 17 20:52:13 2013
@@ -1,4 +1,4 @@
-/* 	$NetBSD: compat_util.c,v 1.44 2010/11/19 06:44:35 dholland Exp $	*/
+/* 	$NetBSD: compat_util.c,v 1.44.20.1 2013/12/17 20:52:13 bouyer Exp $	*/
 
 /*-
  * Copyright (c) 1994 The NetBSD Foundation, Inc.
@@ -58,7 +58,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: compat_util.c,v 1.44 2010/11/19 06:44:35 dholland Exp $);
+__KERNEL_RCSID(0, $NetBSD: compat_util.c,v 1.44.20.1 2013/12/17 20:52:13 bouyer Exp $);
 
 #include sys/param.h
 #include sys/systm.h
@@ -139,6 +139,7 @@ emul_find_interp(struct lwp *l, struct e
 	error = namei(nd);
 	if (error != 0) {
 		epp-ep_interp = NULL;
+		pathbuf_destroy(pb);
 		return error;
 	}
 
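Review bot: The added `pathbuf_destroy(pb);` releases the pathbuf only on the namei() failure path; emul_find_interp's body starts and ends outside the hunk, and any other early return that follows the lookup (access or file-type checks, presumably) would leak pb in exactly the same way unless it already releases it, so those paths deserve the same check in this pass. A short comment at the new call would also make the ownership rule explicit for the next reader: `/* pb is ours until handed over; release it on every failure path. */`.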



CVS commit: [netbsd-6-0] src/sys/compat/netbsd32

2013-02-08 Thread Jeff Rizzo
Module Name:src
Committed By:   riz
Date:   Fri Feb  8 20:46:01 UTC 2013

Modified Files:
src/sys/compat/netbsd32 [netbsd-6-0]: netbsd32_execve.c

Log Message:
Pull up following revision(s) (requested by hannken in ticket #793):
sys/compat/netbsd32/netbsd32_execve.c: revision 1.37
netbsd32_posix_spawn_fa_alloc: use the right length for path allocation.
This error led to memory pool corruption when freeing kmem with the wrong size.


To generate a diff of this commit:
cvs rdiff -u -r1.33.2.1 -r1.33.2.1.4.1 \
src/sys/compat/netbsd32/netbsd32_execve.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/netbsd32/netbsd32_execve.c
diff -u src/sys/compat/netbsd32/netbsd32_execve.c:1.33.2.1 src/sys/compat/netbsd32/netbsd32_execve.c:1.33.2.1.4.1
--- src/sys/compat/netbsd32/netbsd32_execve.c:1.33.2.1	Thu Apr 12 17:05:38 2012
+++ src/sys/compat/netbsd32/netbsd32_execve.c	Fri Feb  8 20:46:01 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: netbsd32_execve.c,v 1.33.2.1 2012/04/12 17:05:38 riz Exp $	*/
+/*	$NetBSD: netbsd32_execve.c,v 1.33.2.1.4.1 2013/02/08 20:46:01 riz Exp $	*/
 
 /*
  * Copyright (c) 1998, 2001 Matthew R. Green
@@ -28,7 +28,7 @@
 
 #include sys/cdefs.h
 
-__KERNEL_RCSID(0, $NetBSD: netbsd32_execve.c,v 1.33.2.1 2012/04/12 17:05:38 riz Exp $);
+__KERNEL_RCSID(0, $NetBSD: netbsd32_execve.c,v 1.33.2.1.4.1 2013/02/08 20:46:01 riz Exp $);
 
 #include sys/param.h
 #include sys/systm.h
@@ -141,7 +141,7 @@ netbsd32_posix_spawn_fa_alloc(struct pos
 		MAXPATHLEN, slen);
 		if (error)
 			goto out;
-		fae-fae_path = kmem_alloc(fal, KM_SLEEP);
+		fae-fae_path = kmem_alloc(slen, KM_SLEEP);
 		memcpy(fae-fae_path, pbuf, slen);
 		fae-fae_oflag = f32-fae_oflag;
 		fae-fae_mode = f32-fae_mode;
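Review bot: The allocation now uses slen, which presumably is the length produced by the copy call whose trailing arguments `MAXPATHLEN, slen` open the hunk and which the memcpy on the next line also uses, but nothing at the allocation site records that the matching kmem_free() of fae_path elsewhere must pass this same length — the commit message says a mismatch corrupts the kmem pool. A one-line comment would pin that contract where the size is chosen: `/* fae_path is exactly slen bytes; kmem_free() it with the same length. */`. The enclosing netbsd32_posix_spawn_fa_alloc starts and ends outside the hunk, so whether fal is still used after this change cannot be seen here.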



CVS commit: [netbsd-6-0] src/sys/compat/netbsd32

2012-12-16 Thread Jeff Rizzo
Module Name:src
Committed By:   riz
Date:   Mon Dec 17 00:32:29 UTC 2012

Modified Files:
src/sys/compat/netbsd32 [netbsd-6-0]: netbsd32_fs.c

Log Message:
Pull up following revision(s) (requested by matt in ticket #756):
sys/compat/netbsd32/netbsd32_fs.c: revision 1.64
Fix inverted error check.


To generate a diff of this commit:
cvs rdiff -u -r1.62 -r1.62.6.1 src/sys/compat/netbsd32/netbsd32_fs.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/netbsd32/netbsd32_fs.c
diff -u src/sys/compat/netbsd32/netbsd32_fs.c:1.62 src/sys/compat/netbsd32/netbsd32_fs.c:1.62.6.1
--- src/sys/compat/netbsd32/netbsd32_fs.c:1.62	Wed Jan 25 14:06:07 2012
+++ src/sys/compat/netbsd32/netbsd32_fs.c	Mon Dec 17 00:32:29 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: netbsd32_fs.c,v 1.62 2012/01/25 14:06:07 christos Exp $	*/
+/*	$NetBSD: netbsd32_fs.c,v 1.62.6.1 2012/12/17 00:32:29 riz Exp $	*/
 
 /*
  * Copyright (c) 1998, 2001 Matthew R. Green
@@ -27,7 +27,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: netbsd32_fs.c,v 1.62 2012/01/25 14:06:07 christos Exp $);
+__KERNEL_RCSID(0, $NetBSD: netbsd32_fs.c,v 1.62.6.1 2012/12/17 00:32:29 riz Exp $);
 
 #include sys/param.h
 #include sys/systm.h
@@ -595,7 +595,7 @@ netbsd32___fhstat50(struct lwp *l, const
 	int error;
 
 	error = do_fhstat(l, SCARG_P32(uap, fhp), SCARG(uap, fh_size), sb);
-	if (error != 0) {
+	if (error == 0) {
 		netbsd32_from_stat(sb, sb32);
 		error = copyout(sb32, SCARG_P32(uap, sb), sizeof(sb));
 	}
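Review bot: The copyout on the second line after the corrected check takes its length from sb while the buffer it copies from is sb32; if those are the native `struct stat` and the 32-bit `struct netbsd32_stat` (their declarations sit just above the hunk, outside it), any size difference either over-reads kernel stack beyond sb32 into userland or truncates the result, so the length should be `sizeof(sb32)`. Separately, if netbsd32_from_stat() does not write every byte of sb32, its padding is uninitialized stack that this copyout exports; a `memset(&sb32, 0, sizeof(sb32));` before the conversion is cheap insurance, though the converter is not visible here. netbsd32___fhstat50's body begins outside the hunk.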