CVS commit: [netbsd-7-1] src/sys/dev/ic
Module Name:src
Committed By: martin
Date: Tue Dec 17 16:34:26 UTC 2019
Modified Files:
src/sys/dev/ic [netbsd-7-1]: ath.c
Log Message:
Pull up following revision(s) (requested by christos in ticket #1718):
sys/dev/ic/ath.c: revision 1.129
Protect network ioctls from non-authorized users. (Ilja Van Sprundel)
To generate a diff of this commit:
cvs rdiff -u -r1.116 -r1.116.10.1 src/sys/dev/ic/ath.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/dev/ic/ath.c
diff -u src/sys/dev/ic/ath.c:1.116 src/sys/dev/ic/ath.c:1.116.10.1
--- src/sys/dev/ic/ath.c:1.116 Thu Sep 12 12:17:53 2013
+++ src/sys/dev/ic/ath.c Tue Dec 17 16:34:26 2019
@@ -1,4 +1,4 @@
-/* $NetBSD: ath.c,v 1.116 2013/09/12 12:17:53 martin Exp $ */
+/* $NetBSD: ath.c,v 1.116.10.1 2019/12/17 16:34:26 martin Exp $ */
/*-
* Copyright (c) 2002-2005 Sam Leffler, Errno Consulting
@@ -41,7 +41,7 @@
__FBSDID("$FreeBSD: src/sys/dev/ath/if_ath.c,v 1.104 2005/09/16 10:09:23 ru Exp $");
#endif
#ifdef __NetBSD__
-__KERNEL_RCSID(0, "$NetBSD: ath.c,v 1.116 2013/09/12 12:17:53 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ath.c,v 1.116.10.1 2019/12/17 16:34:26 martin Exp $");
#endif
/*
@@ -69,6 +69,7 @@ __KERNEL_RCSID(0, "$NetBSD: ath.c,v 1.11
#include
#include
#include
+#include
#include
#include
@@ -5362,6 +5363,12 @@ ath_ioctl(struct ifnet *ifp, u_long cmd,
return copyout(>sc_stats,
ifr->ifr_data, sizeof (sc->sc_stats));
case SIOCGATHDIAG:
+ error = kauth_authorize_network(curlwp->l_cred,
+ KAUTH_NETWORK_INTERFACE,
+ KAUTH_REQ_NETWORK_INTERFACE_SETPRIV, ifp, KAUTH_ARG(cmd),
+ NULL);
+ if (error)
+ break;
error = ath_ioctl_diag(sc, (struct ath_diag *) ifr);
break;
default:
CVS commit: [netbsd-7-1] src/sys/dev
Module Name:src
Committed By: martin
Date: Sun Dec 8 10:26:37 UTC 2019
Modified Files:
src/sys/dev [netbsd-7-1]: cons.c
Log Message:
Pull up following revision(s) (requested by riastradh in ticket #1717):
sys/dev/cons.c: revision 1.76
sys/dev/cons.c: revision 1.77
Fix reference count leak in cons(4).
Don't forget to vrele after you're done, folks!
Restore historical $Hdr$ tag after git cvsexportcommit nixed it.
To generate a diff of this commit:
cvs rdiff -u -r1.72.2.1 -r1.72.2.1.6.1 src/sys/dev/cons.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/dev/cons.c
diff -u src/sys/dev/cons.c:1.72.2.1 src/sys/dev/cons.c:1.72.2.1.6.1
--- src/sys/dev/cons.c:1.72.2.1 Mon Mar 9 08:00:46 2015
+++ src/sys/dev/cons.c Sun Dec 8 10:26:36 2019
@@ -1,4 +1,4 @@
-/* $NetBSD: cons.c,v 1.72.2.1 2015/03/09 08:00:46 snj Exp $ */
+/* $NetBSD: cons.c,v 1.72.2.1.6.1 2019/12/08 10:26:36 martin Exp $ */
/*
* Copyright (c) 1988 University of Utah.
@@ -39,7 +39,7 @@
*/
#include
-__KERNEL_RCSID(0, "$NetBSD: cons.c,v 1.72.2.1 2015/03/09 08:00:46 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: cons.c,v 1.72.2.1.6.1 2019/12/08 10:26:36 martin Exp $");
#include
#include
@@ -150,6 +150,7 @@ cnclose(dev_t dev, int flag, int mode, s
if (error == 0) {
error = VOP_CLOSE(vp, flag, kauth_cred_get());
VOP_UNLOCK(vp);
+ vrele(vp);
}
return error;
}
CVS commit: [netbsd-7-1] src/sys/dev/scsipi
Module Name:src
Committed By: martin
Date: Thu Mar 7 16:50:58 UTC 2019
Modified Files:
src/sys/dev/scsipi [netbsd-7-1]: files.scsipi st.c
Log Message:
Pull up following revision(s) (requested by kardel in ticket #1682):
sys/dev/scsipi/st.c: revision 1.236 (patch)
sys/dev/scsipi/st.c: revision 1.237
sys/dev/scsipi/files.scsipi: revision 1.42
Fix PR kern/53949:
Fix inconsistent/incomplete file mark handling to conform again
to mtio(4) at close(2) time. This was necessary as the PREVENT/ALLOW
bracket was reduced from a whole mount session to cover only the
open(2)/close(2) time on ~2002-03-22. The rationale was to allow
robots and humans to change the media during a mount session.
Unfortunately this lead to file marks being written to potentially other
media at the beginning on drives that used the two file marks as EOM
pattern. In order for that to happen the media had to be removed after
data and at most one file mark had been written before removal.
The mount error message has been clarified and a warning about
potential data/file mark lossage on UNIT ATTENTION
during an active mount session with unfinished file marks has been
added.
While there, fix, but disable the commented SUN compatibility to write
final file marks by opening and immediately closing the device
in O_WRONLY mode. That code has not been working since around 1998.
It can now be enabled with options ST_SUNCOMPAT.
Additionally debug output coverage has been extended.
Correct printing type of b_blkno (int64_t) in st.c
Fixes build with kUBSan on NetBSD/i386.
Fix, but disable the commented SUN compatibility in st.c to write
final file marks by opening and immediately closing the device
in O_WRONLY mode. That code has not been working since around 1998.
It can now be enabled with options ST_SUNCOMPAT.
To generate a diff of this commit:
cvs rdiff -u -r1.41 -r1.41.150.1 src/sys/dev/scsipi/files.scsipi
cvs rdiff -u -r1.226 -r1.226.10.1 src/sys/dev/scsipi/st.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/dev/scsipi/files.scsipi
diff -u src/sys/dev/scsipi/files.scsipi:1.41 src/sys/dev/scsipi/files.scsipi:1.41.150.1
--- src/sys/dev/scsipi/files.scsipi:1.41 Sun Dec 11 12:23:50 2005
+++ src/sys/dev/scsipi/files.scsipi Thu Mar 7 16:50:58 2019
@@ -1,11 +1,12 @@
-# $NetBSD: files.scsipi,v 1.41 2005/12/11 12:23:50 christos Exp $
+# $NetBSD: files.scsipi,v 1.41.150.1 2019/03/07 16:50:58 martin Exp $
#
# Config file and device description for machine-independent SCSI code.
# Included by ports that need it. Ports that use it must provide
# their own "major" declarations for the appropriate devices.
defflag opt_scsi.h SCSIVERBOSE ST_ENABLE_EARLYWARN
-SES_ENABLE_PASSTHROUGH SCSI_OLD_NOINQUIRY
+ST_SUNCOMPAT SES_ENABLE_PASSTHROUGH
+SCSI_OLD_NOINQUIRY
defparam opt_scsi.h ST_MOUNT_DELAY SDRETRIES SD_IO_TIMEOUT
defflag opt_scsipi_debug.h SCSIPI_DEBUG
Index: src/sys/dev/scsipi/st.c
diff -u src/sys/dev/scsipi/st.c:1.226 src/sys/dev/scsipi/st.c:1.226.10.1
--- src/sys/dev/scsipi/st.c:1.226 Sun Aug 10 16:44:36 2014
+++ src/sys/dev/scsipi/st.c Thu Mar 7 16:50:58 2019
@@ -1,4 +1,4 @@
-/* $NetBSD: st.c,v 1.226 2014/08/10 16:44:36 tls Exp $ */
+/* $NetBSD: st.c,v 1.226.10.1 2019/03/07 16:50:58 martin Exp $ */
/*-
* Copyright (c) 1998, 2004 The NetBSD Foundation, Inc.
@@ -50,7 +50,7 @@
*/
#include
-__KERNEL_RCSID(0, "$NetBSD: st.c,v 1.226 2014/08/10 16:44:36 tls Exp $");
+__KERNEL_RCSID(0, "$NetBSD: st.c,v 1.226.10.1 2019/03/07 16:50:58 martin Exp $");
#include "opt_scsi.h"
@@ -605,6 +605,30 @@ stopen(dev_t dev, int flags, int mode, s
*/
if ((st->flags & ST_MOUNTED) || ST_MOUNT_DELAY == 0 ||
(st->mt_key != SKEY_NOT_READY)) {
+ device_printf(st->sc_dev,
+ "mount error (sense key=%d) - "
+ "terminating mount session\n",
+ st->mt_key);
+ /*
+ * the following should not trigger unless
+ * something serious happened while the device
+ * was open (PREVENT MEDIUM REMOVAL in effect)
+ */
+ if (st->flags & ST_WRITTEN &&
+ st->mt_key == SKEY_UNIT_ATTENTION) {
+/*
+ * device / media state may have changed
+ * refrain from writing missing file marks
+ * onto potentially newly inserted/formatted
+ * media (e. g. emergency EJECT/RESET/etc.)
+ */
+st->flags &= ~(ST_WRITTEN|ST_FM_WRITTEN);
+
+device_printf(st->sc_dev,
+"CAUTION: file marks/data may be missing"
+" - ASC = 0x%02x, ASCQ = 0x%02x\n",
+ st->asc, st->ascq);
+ }
goto bad;
}
@@ -713,15 +737,30 @@ stclose(dev_t dev, int flags, int mode,
*/
stxx = st->flags & (ST_WRITTEN | ST_FM_WRITTEN);
- if (((flags & FWRITE) && stxx == ST_WRITTEN) ||
- ((flags & O_ACCMODE) == FWRITE && stxx == 0)) {
- int nm;
+ if ((flags & FWRITE) != 0) {
+
CVS commit: [netbsd-7-1] src/sys/dev/ppbus
Module Name:src Committed By: martin Date: Tue Mar 20 17:34:05 UTC 2018 Modified Files: src/sys/dev/ppbus [netbsd-7-1]: if_plip.c Log Message: Pull up following revision(s) (requested by msaitoh in ticket #1579): sys/dev/ppbus/if_plip.c: revision 1.28 spl leak, found by Mootja To generate a diff of this commit: cvs rdiff -u -r1.25 -r1.25.10.1 src/sys/dev/ppbus/if_plip.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/ppbus/if_plip.c diff -u src/sys/dev/ppbus/if_plip.c:1.25 src/sys/dev/ppbus/if_plip.c:1.25.10.1 --- src/sys/dev/ppbus/if_plip.c:1.25 Thu Jun 5 23:48:16 2014 +++ src/sys/dev/ppbus/if_plip.c Tue Mar 20 17:34:05 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: if_plip.c,v 1.25 2014/06/05 23:48:16 rmind Exp $ */ +/* $NetBSD: if_plip.c,v 1.25.10.1 2018/03/20 17:34:05 martin Exp $ */ /*- * Copyright (c) 1997 Poul-Henning Kamp @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: if_plip.c,v 1.25 2014/06/05 23:48:16 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if_plip.c,v 1.25.10.1 2018/03/20 17:34:05 martin Exp $"); /* * Parallel port TCP/IP interfaces added. I looked at the driver from @@ -445,6 +445,7 @@ lpioctl(struct ifnet *ifp, u_long cmd, v case AF_INET: break; default: + splx(s); return EAFNOSUPPORT; } break;
CVS commit: [netbsd-7-1] src/sys/dev/pci
Module Name:src Committed By: snj Date: Mon Nov 6 09:21:48 UTC 2017 Modified Files: src/sys/dev/pci [netbsd-7-1]: if_wm.c Log Message: Pull up following revision(s) (requested by kardel in ticket #1385): sys/dev/pci/if_wm.c: revision 1.497 PR kern/52039: use same safeguard as for the 82578 To generate a diff of this commit: cvs rdiff -u -r1.289.2.13 -r1.289.2.13.2.1 src/sys/dev/pci/if_wm.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/pci/if_wm.c diff -u src/sys/dev/pci/if_wm.c:1.289.2.13 src/sys/dev/pci/if_wm.c:1.289.2.13.2.1 --- src/sys/dev/pci/if_wm.c:1.289.2.13 Thu Mar 9 06:28:36 2017 +++ src/sys/dev/pci/if_wm.c Mon Nov 6 09:21:48 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: if_wm.c,v 1.289.2.13 2017/03/09 06:28:36 snj Exp $ */ +/* $NetBSD: if_wm.c,v 1.289.2.13.2.1 2017/11/06 09:21:48 snj Exp $ */ /* * Copyright (c) 2001, 2002, 2003, 2004 Wasabi Systems, Inc. @@ -84,7 +84,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: if_wm.c,v 1.289.2.13 2017/03/09 06:28:36 snj Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if_wm.c,v 1.289.2.13.2.1 2017/11/06 09:21:48 snj Exp $"); #include #include @@ -11153,7 +11153,7 @@ wm_enable_wakeup(struct wm_softc *sc) /* Assume that the PHY is copper */ child = LIST_FIRST(>sc_mii.mii_phys); - if (child->mii_mpd_rev <= 2) + if ((child != NULL) && (child->mii_mpd_rev <= 2)) sc->sc_mii.mii_writereg(sc->sc_dev, 1, (768 << 5) | 25, 0x0444); /* magic num */ }
CVS commit: [netbsd-7-1] src/sys/dev/sysmon
Module Name:src Committed By: snj Date: Tue Oct 24 09:24:53 UTC 2017 Modified Files: src/sys/dev/sysmon [netbsd-7-1]: sysmon_envsys.c Log Message: Fix fallout from ticket #1511: It's rnd_detach_source, not rnd_detach_sources. To generate a diff of this commit: cvs rdiff -u -r1.127.2.1.6.1 -r1.127.2.1.6.2 \ src/sys/dev/sysmon/sysmon_envsys.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/sysmon/sysmon_envsys.c diff -u src/sys/dev/sysmon/sysmon_envsys.c:1.127.2.1.6.1 src/sys/dev/sysmon/sysmon_envsys.c:1.127.2.1.6.2 --- src/sys/dev/sysmon/sysmon_envsys.c:1.127.2.1.6.1 Mon Oct 23 18:57:09 2017 +++ src/sys/dev/sysmon/sysmon_envsys.c Tue Oct 24 09:24:53 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: sysmon_envsys.c,v 1.127.2.1.6.1 2017/10/23 18:57:09 snj Exp $ */ +/* $NetBSD: sysmon_envsys.c,v 1.127.2.1.6.2 2017/10/24 09:24:53 snj Exp $ */ /*- * Copyright (c) 2007, 2008 Juan Romero Pardines. @@ -64,7 +64,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: sysmon_envsys.c,v 1.127.2.1.6.1 2017/10/23 18:57:09 snj Exp $"); +__KERNEL_RCSID(0, "$NetBSD: sysmon_envsys.c,v 1.127.2.1.6.2 2017/10/24 09:24:53 snj Exp $"); #include #include @@ -1210,7 +1210,7 @@ sme_remove_userprops(void) * Detach from entropy collection */ if (edata->flags & ENVSYS_FHAS_ENTROPY) -rnd_detach_sources(>rnd_src); +rnd_detach_source(>rnd_src); /* * Finally, remove any old limits event, then
CVS commit: [netbsd-7-1] src/sys/dev
Module Name:src Committed By: snj Date: Mon Oct 23 19:27:43 UTC 2017 Modified Files: src/sys/dev [netbsd-7-1]: cgd.c Log Message: Pull up following revision(s) (requested by kamil in ticket #1518): sys/dev/cgd.c: revision 1.113 PR kern/52630: The cgd(4) module requires des and blowfish symbols This has been exposed with the MODULAR kernel. kobj_checksyms, 979: [cgd]: linker error: symbol `BF_set_key' not found kobj_checksyms, 979: [cgd]: linker error: symbol `des_key_sched' not found kobj_checksyms, 979: [cgd]: linker error: symbol `des_ede3_cbc_encrypt' not found WARNING: module error: unable to affix module `cgd', error 8 Reviewed by To generate a diff of this commit: cvs rdiff -u -r1.90.2.1.4.1 -r1.90.2.1.4.2 src/sys/dev/cgd.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/cgd.c diff -u src/sys/dev/cgd.c:1.90.2.1.4.1 src/sys/dev/cgd.c:1.90.2.1.4.2 --- src/sys/dev/cgd.c:1.90.2.1.4.1 Sat Jul 8 16:13:55 2017 +++ src/sys/dev/cgd.c Mon Oct 23 19:27:43 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: cgd.c,v 1.90.2.1.4.1 2017/07/08 16:13:55 snj Exp $ */ +/* $NetBSD: cgd.c,v 1.90.2.1.4.2 2017/10/23 19:27:43 snj Exp $ */ /*- * Copyright (c) 2002 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: cgd.c,v 1.90.2.1.4.1 2017/07/08 16:13:55 snj Exp $"); +__KERNEL_RCSID(0, "$NetBSD: cgd.c,v 1.90.2.1.4.2 2017/10/23 19:27:43 snj Exp $"); #include #include @@ -998,7 +998,7 @@ hexprint(const char *start, void *buf, i } #endif -MODULE(MODULE_CLASS_DRIVER, cgd, "dk_subr"); +MODULE(MODULE_CLASS_DRIVER, cgd, "blowfish,des,dk_subr"); #ifdef _MODULE CFDRIVER_DECL(cgd, DV_DISK, NULL);
CVS commit: [netbsd-7-1] src/sys/dev/sysmon
Module Name:src Committed By: snj Date: Mon Oct 23 18:57:10 UTC 2017 Modified Files: src/sys/dev/sysmon [netbsd-7-1]: sysmon_envsys.c Log Message: Apply patch (requested by pgoyette in ticket #1511): Detach the rndsrc before re-attaching it. To generate a diff of this commit: cvs rdiff -u -r1.127.2.1 -r1.127.2.1.6.1 src/sys/dev/sysmon/sysmon_envsys.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/sysmon/sysmon_envsys.c diff -u src/sys/dev/sysmon/sysmon_envsys.c:1.127.2.1 src/sys/dev/sysmon/sysmon_envsys.c:1.127.2.1.6.1 --- src/sys/dev/sysmon/sysmon_envsys.c:1.127.2.1 Mon Apr 6 18:45:30 2015 +++ src/sys/dev/sysmon/sysmon_envsys.c Mon Oct 23 18:57:09 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: sysmon_envsys.c,v 1.127.2.1 2015/04/06 18:45:30 snj Exp $ */ +/* $NetBSD: sysmon_envsys.c,v 1.127.2.1.6.1 2017/10/23 18:57:09 snj Exp $ */ /*- * Copyright (c) 2007, 2008 Juan Romero Pardines. @@ -64,7 +64,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: sysmon_envsys.c,v 1.127.2.1 2015/04/06 18:45:30 snj Exp $"); +__KERNEL_RCSID(0, "$NetBSD: sysmon_envsys.c,v 1.127.2.1.6.1 2017/10/23 18:57:09 snj Exp $"); #include #include @@ -1207,6 +1207,12 @@ sme_remove_userprops(void) } /* + * Detach from entropy collection + */ + if (edata->flags & ENVSYS_FHAS_ENTROPY) +rnd_detach_sources(>rnd_src); + + /* * Finally, remove any old limits event, then * install a new event (which will update the * dictionary)
CVS commit: [netbsd-7-1] src/sys/dev
Module Name:src
Committed By: snj
Date: Sat Aug 19 05:19:30 UTC 2017
Modified Files:
src/sys/dev [netbsd-7-1]: vnd.c
Log Message:
Pull up following revision(s) (requested by mrg in ticket #1476):
sys/dev/vnd.c: revision 1.260, 1.262 via patch
Put in a litany of judicious bounds checks around vnd headers.
Thought I was done with this crap after I rewrote vndcompress(1)!
>From Ilja Van Sprundel.
--
Appease toxic bullshit warning from gcc.
If you have a better way to write a useful bounds check that happens
to always pass on LP64 but doesn't always on LP32, without making it
fail to compile on LP64 or making it an #ifdef conditional on LP32,
please put it in here instead.
To generate a diff of this commit:
cvs rdiff -u -r1.232.2.4 -r1.232.2.4.4.1 src/sys/dev/vnd.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/dev/vnd.c
diff -u src/sys/dev/vnd.c:1.232.2.4 src/sys/dev/vnd.c:1.232.2.4.4.1
--- src/sys/dev/vnd.c:1.232.2.4 Wed Nov 18 08:48:46 2015
+++ src/sys/dev/vnd.c Sat Aug 19 05:19:30 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: vnd.c,v 1.232.2.4 2015/11/18 08:48:46 msaitoh Exp $ */
+/* $NetBSD: vnd.c,v 1.232.2.4.4.1 2017/08/19 05:19:30 snj Exp $ */
/*-
* Copyright (c) 1996, 1997, 1998, 2008 The NetBSD Foundation, Inc.
@@ -91,7 +91,7 @@
*/
#include
-__KERNEL_RCSID(0, "$NetBSD: vnd.c,v 1.232.2.4 2015/11/18 08:48:46 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vnd.c,v 1.232.2.4.4.1 2017/08/19 05:19:30 snj Exp $");
#if defined(_KERNEL_OPT)
#include "opt_vnd.h"
@@ -1238,6 +1238,13 @@ vndioctl(dev_t dev, u_long cmd, void *da
VOP_UNLOCK(nd.ni_vp);
goto close_and_exit;
}
+
+ if (ntohl(ch->block_size) == 0 ||
+ ntohl(ch->num_blocks) > UINT32_MAX - 1) {
+free(ch, M_TEMP);
+VOP_UNLOCK(nd.ni_vp);
+goto close_and_exit;
+ }
/* save some header info */
vnd->sc_comp_blksz = ntohl(ch->block_size);
@@ -1249,20 +1256,40 @@ vndioctl(dev_t dev, u_long cmd, void *da
error = EINVAL;
goto close_and_exit;
}
- if (sizeof(struct vnd_comp_header) +
- sizeof(u_int64_t) * vnd->sc_comp_numoffs >
- vattr.va_size) {
+ KASSERT(0 < vnd->sc_comp_blksz);
+ KASSERT(0 < vnd->sc_comp_numoffs);
+ /*
+ * @#^@!$& gcc -Wtype-limits refuses to let me
+ * write SIZE_MAX/sizeof(uint64_t) < numoffs,
+ * because the range of the type on amd64 makes
+ * the comparisons always false.
+ */
+#if SIZE_MAX <= UINT32_MAX*(64/CHAR_BIT)
+ if (SIZE_MAX/sizeof(uint64_t) < vnd->sc_comp_numoffs) {
+VOP_UNLOCK(nd.ni_vp);
+error = EINVAL;
+goto close_and_exit;
+ }
+#endif
+ if ((vattr.va_size < sizeof(struct vnd_comp_header)) ||
+ (vattr.va_size - sizeof(struct vnd_comp_header) <
+sizeof(uint64_t)*vnd->sc_comp_numoffs) ||
+ (UQUAD_MAX/vnd->sc_comp_blksz <
+vnd->sc_comp_numoffs - 1)) {
VOP_UNLOCK(nd.ni_vp);
error = EINVAL;
goto close_and_exit;
}
/* set decompressed file size */
+ KASSERT(vnd->sc_comp_numoffs - 1 <=
+ UQUAD_MAX/vnd->sc_comp_blksz);
vattr.va_size =
((u_quad_t)vnd->sc_comp_numoffs - 1) *
(u_quad_t)vnd->sc_comp_blksz;
/* allocate space for all the compressed offsets */
+ __CTASSERT(UINT32_MAX <= UQUAD_MAX/sizeof(uint64_t));
vnd->sc_comp_offsets =
malloc(sizeof(u_int64_t) * vnd->sc_comp_numoffs,
M_DEVBUF, M_WAITOK);
CVS commit: [netbsd-7-1] src/sys/dev/ic
Module Name:src
Committed By: snj
Date: Sat Aug 12 04:28:55 UTC 2017
Modified Files:
src/sys/dev/ic [netbsd-7-1]: ciss.c
Log Message:
Pull up following revision(s) (requested by mrg in ticket #1483):
sys/dev/ic/ciss.c: revision 1.37
Reject negative indices from userland.
To generate a diff of this commit:
cvs rdiff -u -r1.32 -r1.32.12.1 src/sys/dev/ic/ciss.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/dev/ic/ciss.c
diff -u src/sys/dev/ic/ciss.c:1.32 src/sys/dev/ic/ciss.c:1.32.12.1
--- src/sys/dev/ic/ciss.c:1.32 Thu Oct 17 21:24:24 2013
+++ src/sys/dev/ic/ciss.c Sat Aug 12 04:28:55 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: ciss.c,v 1.32 2013/10/17 21:24:24 christos Exp $ */
+/* $NetBSD: ciss.c,v 1.32.12.1 2017/08/12 04:28:55 snj Exp $ */
/* $OpenBSD: ciss.c,v 1.68 2013/05/30 16:15:02 deraadt Exp $ */
/*
@@ -19,7 +19,7 @@
*/
#include
-__KERNEL_RCSID(0, "$NetBSD: ciss.c,v 1.32 2013/10/17 21:24:24 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ciss.c,v 1.32.12.1 2017/08/12 04:28:55 snj Exp $");
#include "bio.h"
@@ -1274,12 +1274,12 @@ ciss_ioctl(device_t dev, u_long cmd, voi
/* FALLTHROUGH */
case BIOCDISK:
bd = (struct bioc_disk *)addr;
- if (bd->bd_volid > sc->maxunits) {
+ if (bd->bd_volid < 0 || bd->bd_volid > sc->maxunits) {
error = EINVAL;
break;
}
ldp = sc->sc_lds[0];
- if (!ldp || (pd = bd->bd_diskid) > ldp->ndrives) {
+ if (!ldp || (pd = bd->bd_diskid) < 0 || pd > ldp->ndrives) {
error = EINVAL;
break;
}
@@ -1380,7 +1380,7 @@ ciss_ioctl_vol(struct ciss_softc *sc, st
int error = 0;
u_int blks;
- if (bv->bv_volid > sc->maxunits) {
+ if (bv->bv_volid < 0 || bv->bv_volid > sc->maxunits) {
return EINVAL;
}
ldp = sc->sc_lds[bv->bv_volid];
CVS commit: [netbsd-7-1] src/sys/dev/ic
Module Name:src
Committed By: snj
Date: Sat Aug 12 04:23:19 UTC 2017
Modified Files:
src/sys/dev/ic [netbsd-7-1]: isp_netbsd.c
Log Message:
Pull up following revision(s) (requested by mrg in ticket #1482):
sys/dev/ic/isp_netbsd.c: revision 1.89
Reject out-of-bounds channel index.
>From Ilja Van Sprundel.
To generate a diff of this commit:
cvs rdiff -u -r1.86 -r1.86.20.1 src/sys/dev/ic/isp_netbsd.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/dev/ic/isp_netbsd.c
diff -u src/sys/dev/ic/isp_netbsd.c:1.86 src/sys/dev/ic/isp_netbsd.c:1.86.20.1
--- src/sys/dev/ic/isp_netbsd.c:1.86 Tue Aug 21 15:53:07 2012
+++ src/sys/dev/ic/isp_netbsd.c Sat Aug 12 04:23:19 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: isp_netbsd.c,v 1.86 2012/08/21 15:53:07 bouyer Exp $ */
+/* $NetBSD: isp_netbsd.c,v 1.86.20.1 2017/08/12 04:23:19 snj Exp $ */
/*
* Platform (NetBSD) dependent common attachment code for Qlogic adapters.
*/
@@ -33,7 +33,7 @@
*/
#include
-__KERNEL_RCSID(0, "$NetBSD: isp_netbsd.c,v 1.86 2012/08/21 15:53:07 bouyer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: isp_netbsd.c,v 1.86.20.1 2017/08/12 04:23:19 snj Exp $");
#include
#include
@@ -475,6 +475,10 @@ ispioctl(struct scsipi_channel *chan, u_
}
lim = local.count;
channel = local.channel;
+ if (channel >= isp->isp_nchan) {
+ retval = EINVAL;
+ break;
+ }
ua = *(isp_dlist_t **)addr;
uptr = >wwns[0];
CVS commit: [netbsd-7-1] src/sys/dev/ic
Module Name:src
Committed By: snj
Date: Sat Aug 12 03:48:33 UTC 2017
Modified Files:
src/sys/dev/ic [netbsd-7-1]: bwi.c
Log Message:
Pull up following revision(s) (requested by mrg in ticket #1474):
sys/dev/ic/bwi.c: revision 1.32
Check for M_EXT in m->m_flags, whether m is NULL, after MCLGET.
>From Ilja Van Sprundel.
To generate a diff of this commit:
cvs rdiff -u -r1.24.4.1 -r1.24.4.1.6.1 src/sys/dev/ic/bwi.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/dev/ic/bwi.c
diff -u src/sys/dev/ic/bwi.c:1.24.4.1 src/sys/dev/ic/bwi.c:1.24.4.1.6.1
--- src/sys/dev/ic/bwi.c:1.24.4.1 Tue Apr 21 04:55:15 2015
+++ src/sys/dev/ic/bwi.c Sat Aug 12 03:48:33 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: bwi.c,v 1.24.4.1 2015/04/21 04:55:15 snj Exp $ */
+/* $NetBSD: bwi.c,v 1.24.4.1.6.1 2017/08/12 03:48:33 snj Exp $ */
/* $OpenBSD: bwi.c,v 1.74 2008/02/25 21:13:30 mglocker Exp $ */
/*
@@ -48,7 +48,7 @@
#include
-__KERNEL_RCSID(0, "$NetBSD: bwi.c,v 1.24.4.1 2015/04/21 04:55:15 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: bwi.c,v 1.24.4.1.6.1 2017/08/12 03:48:33 snj Exp $");
#include
#include
@@ -8292,7 +8292,7 @@ bwi_newbuf(struct bwi_softc *sc, int buf
if (m == NULL)
return (ENOBUFS);
MCLGET(m, init ? M_WAITOK : M_DONTWAIT);
- if (m == NULL) {
+ if ((m->m_flags & M_EXT) == 0) {
error = ENOBUFS;
/*
CVS commit: [netbsd-7-1] src/sys/dev/ic
Module Name:src
Committed By: snj
Date: Sat Aug 12 03:44:39 UTC 2017
Modified Files:
src/sys/dev/ic [netbsd-7-1]: dm9000.c
Log Message:
Pull up following revision(s) (requested by mrg in ticket #1473):
sys/dev/ic/dm9000.c: revision 1.12
Check for MCLGET failure in dme_alloc_receive_buffer.
>From Ilja Van Sprundel.
To generate a diff of this commit:
cvs rdiff -u -r1.4.22.1 -r1.4.22.1.6.1 src/sys/dev/ic/dm9000.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/dev/ic/dm9000.c
diff -u src/sys/dev/ic/dm9000.c:1.4.22.1 src/sys/dev/ic/dm9000.c:1.4.22.1.6.1
--- src/sys/dev/ic/dm9000.c:1.4.22.1 Fri Jan 2 20:24:14 2015
+++ src/sys/dev/ic/dm9000.c Sat Aug 12 03:44:39 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: dm9000.c,v 1.4.22.1 2015/01/02 20:24:14 martin Exp $ */
+/* $NetBSD: dm9000.c,v 1.4.22.1.6.1 2017/08/12 03:44:39 snj Exp $ */
/*
* Copyright (c) 2009 Paul Fleischer
@@ -1122,8 +1122,13 @@ dme_alloc_receive_buffer(struct ifnet *i
sizeof(struct ether_header);
/* All our frames have the CRC attached */
m->m_flags |= M_HASFCS;
- if (m->m_pkthdr.len + pad > MHLEN )
+ if (m->m_pkthdr.len + pad > MHLEN) {
MCLGET(m, M_DONTWAIT);
+ if ((m->m_flags & M_EXT) == 0) {
+ m_freem(m);
+ return NULL;
+ }
+ }
m->m_data += pad;
m->m_len = frame_length + (frame_length % sc->sc_data_width);
CVS commit: [netbsd-7-1] src/sys/dev/ic
Module Name:src
Committed By: snj
Date: Sat Aug 12 03:42:33 UTC 2017
Modified Files:
src/sys/dev/ic [netbsd-7-1]: dp83932.c
Log Message:
Pull up following revision(s) (requested by mrg in ticket #1472):
sys/dev/ic/dp83932.c: revision 1.41
Plug mbuf leak on MCLGET failure in sonic_rxintr.
>From Ilja Van Sprundel.
To generate a diff of this commit:
cvs rdiff -u -r1.36 -r1.36.12.1 src/sys/dev/ic/dp83932.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/dev/ic/dp83932.c
diff -u src/sys/dev/ic/dp83932.c:1.36 src/sys/dev/ic/dp83932.c:1.36.12.1
--- src/sys/dev/ic/dp83932.c:1.36 Fri Oct 25 21:29:28 2013
+++ src/sys/dev/ic/dp83932.c Sat Aug 12 03:42:33 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: dp83932.c,v 1.36 2013/10/25 21:29:28 martin Exp $ */
+/* $NetBSD: dp83932.c,v 1.36.12.1 2017/08/12 03:42:33 snj Exp $ */
/*-
* Copyright (c) 2001 The NetBSD Foundation, Inc.
@@ -35,7 +35,7 @@
*/
#include
-__KERNEL_RCSID(0, "$NetBSD: dp83932.c,v 1.36 2013/10/25 21:29:28 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: dp83932.c,v 1.36.12.1 2017/08/12 03:42:33 snj Exp $");
#include
@@ -785,8 +785,10 @@ sonic_rxintr(struct sonic_softc *sc)
goto dropit;
if (len > (MHLEN - 2)) {
MCLGET(m, M_DONTWAIT);
-if ((m->m_flags & M_EXT) == 0)
+if ((m->m_flags & M_EXT) == 0) {
+ m_freem(m);
goto dropit;
+}
}
m->m_data += 2;
/*
CVS commit: [netbsd-7-1] src/sys/dev/ic
Module Name:src
Committed By: snj
Date: Sat Aug 12 03:30:09 UTC 2017
Modified Files:
src/sys/dev/ic [netbsd-7-1]: i82596.c
Log Message:
Pull up following revision(s) (requested by mrg in ticket #1471):
sys/dev/ic/i82596.c: revision 1.37
Null out sc_rx_mbuf[i] after m_freem to avoid double-free later.
>From Ilja Van Sprundel.
Also null out sc_tx_mbuf[i] after m_freem, out of paranoia.
XXX Not entirely clear to how tx mbufs are freed, but no way to test
this since it's ews4800mips- and hp700-only, so not keen to make any
more elaborate changes...
To generate a diff of this commit:
cvs rdiff -u -r1.31.4.1 -r1.31.4.1.6.1 src/sys/dev/ic/i82596.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/dev/ic/i82596.c
diff -u src/sys/dev/ic/i82596.c:1.31.4.1 src/sys/dev/ic/i82596.c:1.31.4.1.6.1
--- src/sys/dev/ic/i82596.c:1.31.4.1 Sat Feb 21 19:27:49 2015
+++ src/sys/dev/ic/i82596.c Sat Aug 12 03:30:08 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: i82596.c,v 1.31.4.1 2015/02/21 19:27:49 martin Exp $ */
+/* $NetBSD: i82596.c,v 1.31.4.1.6.1 2017/08/12 03:30:08 snj Exp $ */
/*
* Copyright (c) 2003 Jochen Kunz.
@@ -43,7 +43,7 @@
*/
#include
-__KERNEL_RCSID(0, "$NetBSD: i82596.c,v 1.31.4.1 2015/02/21 19:27:49 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: i82596.c,v 1.31.4.1.6.1 2017/08/12 03:30:08 snj Exp $");
/* autoconfig and device stuff */
#include
@@ -754,6 +754,7 @@ iee_start(struct ifnet *ifp)
printf("%s: iee_start: can't allocate mbuf\n",
device_xname(sc->sc_dev));
m_freem(sc->sc_tx_mbuf[t]);
+sc->sc_tx_mbuf[t] = NULL;
t--;
continue;
}
@@ -763,6 +764,7 @@ iee_start(struct ifnet *ifp)
printf("%s: iee_start: can't allocate mbuf "
"cluster\n", device_xname(sc->sc_dev));
m_freem(sc->sc_tx_mbuf[t]);
+sc->sc_tx_mbuf[t] = NULL;
m_freem(m);
t--;
continue;
@@ -778,6 +780,7 @@ iee_start(struct ifnet *ifp)
printf("%s: iee_start: can't load TX DMA map\n",
device_xname(sc->sc_dev));
m_freem(sc->sc_tx_mbuf[t]);
+sc->sc_tx_mbuf[t] = NULL;
t--;
continue;
}
@@ -927,6 +930,7 @@ iee_init(struct ifnet *ifp)
printf("%s: iee_init: can't allocate mbuf"
" cluster\n", device_xname(sc->sc_dev));
m_freem(sc->sc_rx_mbuf[r]);
+sc->sc_rx_mbuf[r] = NULL;
err = 1;
break;
}
@@ -940,6 +944,7 @@ iee_init(struct ifnet *ifp)
printf("%s: iee_init: can't create RX "
"DMA map\n", device_xname(sc->sc_dev));
m_freem(sc->sc_rx_mbuf[r]);
+sc->sc_rx_mbuf[r] = NULL;
err = 1;
break;
}
@@ -949,6 +954,7 @@ iee_init(struct ifnet *ifp)
device_xname(sc->sc_dev));
bus_dmamap_destroy(sc->sc_dmat, sc->sc_rx_map[r]);
m_freem(sc->sc_rx_mbuf[r]);
+ sc->sc_rx_mbuf[r] = NULL;
err = 1;
break;
}
CVS commit: [netbsd-7-1] src/sys/dev/pci
Module Name:src
Committed By: snj
Date: Sat Aug 12 03:26:39 UTC 2017
Modified Files:
src/sys/dev/pci [netbsd-7-1]: if_et.c
Log Message:
Pull up following revision(s) (requested by mrg in ticket #1470):
sys/dev/pci/if_et.c: revision 1.15
Check for MCLGET failure in et_newbuf.
>From Ilja Van Sprundel.
To generate a diff of this commit:
cvs rdiff -u -r1.8.4.1 -r1.8.4.1.6.1 src/sys/dev/pci/if_et.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/dev/pci/if_et.c
diff -u src/sys/dev/pci/if_et.c:1.8.4.1 src/sys/dev/pci/if_et.c:1.8.4.1.6.1
--- src/sys/dev/pci/if_et.c:1.8.4.1 Tue Aug 4 21:16:43 2015
+++ src/sys/dev/pci/if_et.c Sat Aug 12 03:26:39 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: if_et.c,v 1.8.4.1 2015/08/04 21:16:43 snj Exp $ */
+/* $NetBSD: if_et.c,v 1.8.4.1.6.1 2017/08/12 03:26:39 snj Exp $ */
/* $OpenBSD: if_et.c,v 1.11 2008/06/08 06:18:07 jsg Exp $ */
/*
* Copyright (c) 2007 The DragonFly Project. All rights reserved.
@@ -37,7 +37,7 @@
*/
#include
-__KERNEL_RCSID(0, "$NetBSD: if_et.c,v 1.8.4.1 2015/08/04 21:16:43 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_et.c,v 1.8.4.1.6.1 2017/08/12 03:26:39 snj Exp $");
#include "opt_inet.h"
#include "vlan.h"
@@ -2028,6 +2028,10 @@ et_newbuf(struct et_rxbuf_data *rbd, int
if (m == NULL)
return (ENOBUFS);
MCLGET(m, init ? M_WAITOK : M_DONTWAIT);
+ if ((m->m_flags & M_EXT) == 0) {
+ m_freem(m);
+ return (ENOBUFS);
+ }
len = MCLBYTES;
} else {
MGETHDR(m, init ? M_WAITOK : M_DONTWAIT, MT_DATA);
CVS commit: [netbsd-7-1] src/sys/dev/pci
Module Name:src
Committed By: snj
Date: Sat Aug 12 03:23:45 UTC 2017
Modified Files:
src/sys/dev/pci [netbsd-7-1]: if_ipw.c
Log Message:
Pull up following revision(s) (requested by mrg in ticket #1469):
sys/dev/pci/if_ipw.c: revision 1.65
Null out sbuf->m on failure to avoid double-free later.
>From Ilja Van Sprundel.
Also null out sbuf->map out of paranoia.
To generate a diff of this commit:
cvs rdiff -u -r1.57 -r1.57.12.1 src/sys/dev/pci/if_ipw.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/dev/pci/if_ipw.c
diff -u src/sys/dev/pci/if_ipw.c:1.57 src/sys/dev/pci/if_ipw.c:1.57.12.1
--- src/sys/dev/pci/if_ipw.c:1.57 Sat Mar 29 19:28:24 2014
+++ src/sys/dev/pci/if_ipw.c Sat Aug 12 03:23:45 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: if_ipw.c,v 1.57 2014/03/29 19:28:24 christos Exp $ */
+/* $NetBSD: if_ipw.c,v 1.57.12.1 2017/08/12 03:23:45 snj Exp $ */
/* FreeBSD: src/sys/dev/ipw/if_ipw.c,v 1.15 2005/11/13 17:17:40 damien Exp */
/*-
@@ -29,7 +29,7 @@
*/
#include
-__KERNEL_RCSID(0, "$NetBSD: if_ipw.c,v 1.57 2014/03/29 19:28:24 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_ipw.c,v 1.57.12.1 2017/08/12 03:23:45 snj Exp $");
/*-
* Intel(R) PRO/Wireless 2100 MiniPCI driver
@@ -592,6 +592,7 @@ ipw_dma_alloc(struct ipw_softc *sc)
MCLGET(sbuf->m, M_DONTWAIT);
if (!(sbuf->m->m_flags & M_EXT)) {
m_freem(sbuf->m);
+ sbuf->m = NULL;
aprint_error_dev(sc->sc_dev, "could not allocate rx mbuf cluster\n");
error = ENOMEM;
goto fail;
@@ -604,6 +605,7 @@ ipw_dma_alloc(struct ipw_softc *sc)
if (error != 0) {
aprint_error_dev(sc->sc_dev, "could not create rxbuf dma map\n");
m_freem(sbuf->m);
+ sbuf->m = NULL;
goto fail;
}
@@ -611,7 +613,9 @@ ipw_dma_alloc(struct ipw_softc *sc)
sbuf->m, BUS_DMA_READ | BUS_DMA_NOWAIT);
if (error != 0) {
bus_dmamap_destroy(sc->sc_dmat, sbuf->map);
+ sbuf->map = NULL;
m_freem(sbuf->m);
+ sbuf->m = NULL;
aprint_error_dev(sc->sc_dev, "could not map rxbuf dma memory\n");
goto fail;
}
CVS commit: [netbsd-7-1] src/sys/dev/usb
Module Name:src Committed By: snj Date: Wed Aug 9 06:35:16 UTC 2017 Modified Files: src/sys/dev/usb [netbsd-7-1]: if_ural.c Log Message: Pull up following revision(s) (requested by skrll in ticket #1462): sys/dev/usb/if_ural.c: revision 1.52 Free the RX list if ural_alloc_rx_list fails part way through. Reported by Ilja Van Sprundel. To generate a diff of this commit: cvs rdiff -u -r1.44 -r1.44.20.1 src/sys/dev/usb/if_ural.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/usb/if_ural.c diff -u src/sys/dev/usb/if_ural.c:1.44 src/sys/dev/usb/if_ural.c:1.44.20.1 --- src/sys/dev/usb/if_ural.c:1.44 Tue Jan 22 12:40:43 2013 +++ src/sys/dev/usb/if_ural.c Wed Aug 9 06:35:16 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: if_ural.c,v 1.44 2013/01/22 12:40:43 jmcneill Exp $ */ +/* $NetBSD: if_ural.c,v 1.44.20.1 2017/08/09 06:35:16 snj Exp $ */ /* $FreeBSD: /repoman/r/ncvs/src/sys/dev/usb/if_ural.c,v 1.40 2006/06/02 23:14:40 sam Exp $ */ /*- @@ -24,7 +24,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: if_ural.c,v 1.44 2013/01/22 12:40:43 jmcneill Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if_ural.c,v 1.44.20.1 2017/08/09 06:35:16 snj Exp $"); #include #include @@ -674,7 +674,7 @@ ural_alloc_rx_list(struct ural_softc *sc return 0; -fail: ural_free_tx_list(sc); +fail: ural_free_rx_list(sc); return error; }
CVS commit: [netbsd-7-1] src/sys/dev
Module Name:src
Committed By: snj
Date: Wed Aug 9 06:21:18 UTC 2017
Modified Files:
src/sys/dev [netbsd-7-1]: auconv.c
src/sys/dev/ic [netbsd-7-1]: ac97.c
src/sys/dev/pci [netbsd-7-1]: azalia_codec.c
Log Message:
Pull up following revision(s) (requested by nat in ticket #1460):
sys/dev/auconv.c: revision 1.30 via patch
sys/dev/ic/ac97.c: revision 1.97 via patch
sys/dev/pci/azalia_codec.c: revision 1.81 via patch
Mixer device bounds checking.
Analysis by Ilja van Sprundel.
To generate a diff of this commit:
cvs rdiff -u -r1.25 -r1.25.36.1 src/sys/dev/auconv.c
cvs rdiff -u -r1.95.12.1 -r1.95.12.1.6.1 src/sys/dev/ic/ac97.c
cvs rdiff -u -r1.79 -r1.79.36.1 src/sys/dev/pci/azalia_codec.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/dev/auconv.c
diff -u src/sys/dev/auconv.c:1.25 src/sys/dev/auconv.c:1.25.36.1
--- src/sys/dev/auconv.c:1.25 Wed Nov 23 23:07:31 2011
+++ src/sys/dev/auconv.c Wed Aug 9 06:21:18 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: auconv.c,v 1.25 2011/11/23 23:07:31 jmcneill Exp $ */
+/* $NetBSD: auconv.c,v 1.25.36.1 2017/08/09 06:21:18 snj Exp $ */
/*
* Copyright (c) 1996 The NetBSD Foundation, Inc.
@@ -35,7 +35,7 @@
*/
#include
-__KERNEL_RCSID(0, "$NetBSD: auconv.c,v 1.25 2011/11/23 23:07:31 jmcneill Exp $");
+__KERNEL_RCSID(0, "$NetBSD: auconv.c,v 1.25.36.1 2017/08/09 06:21:18 snj Exp $");
#include
#include
@@ -1162,7 +1162,7 @@ int
auconv_query_encoding(const struct audio_encoding_set *encodings,
audio_encoding_t *aep)
{
- if (aep->index >= encodings->size)
+ if (aep->index < 0 || aep->index >= encodings->size)
return EINVAL;
strlcpy(aep->name, encodings->items[aep->index].name,
MAX_AUDIO_DEV_LEN);
Index: src/sys/dev/ic/ac97.c
diff -u src/sys/dev/ic/ac97.c:1.95.12.1 src/sys/dev/ic/ac97.c:1.95.12.1.6.1
--- src/sys/dev/ic/ac97.c:1.95.12.1 Sun Jul 5 20:37:01 2015
+++ src/sys/dev/ic/ac97.c Wed Aug 9 06:21:18 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: ac97.c,v 1.95.12.1 2015/07/05 20:37:01 snj Exp $ */
+/* $NetBSD: ac97.c,v 1.95.12.1.6.1 2017/08/09 06:21:18 snj Exp $ */
/* $OpenBSD: ac97.c,v 1.8 2000/07/19 09:01:35 csapuntz Exp $ */
/*
@@ -63,7 +63,7 @@
*/
#include
-__KERNEL_RCSID(0, "$NetBSD: ac97.c,v 1.95.12.1 2015/07/05 20:37:01 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ac97.c,v 1.95.12.1.6.1 2017/08/09 06:21:18 snj Exp $");
#include
#include
@@ -1677,7 +1677,7 @@ ac97_query_devinfo(struct ac97_codec_if
const char *name;
as = (struct ac97_softc *)codec_if;
- if (dip->index < as->num_source_info) {
+ if (dip->index >= 0 && dip->index < as->num_source_info) {
si = >source_info[dip->index];
dip->type = si->type;
dip->mixer_class = si->mixer_class;
Index: src/sys/dev/pci/azalia_codec.c
diff -u src/sys/dev/pci/azalia_codec.c:1.79 src/sys/dev/pci/azalia_codec.c:1.79.36.1
--- src/sys/dev/pci/azalia_codec.c:1.79 Wed Nov 23 23:07:35 2011
+++ src/sys/dev/pci/azalia_codec.c Wed Aug 9 06:21:18 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: azalia_codec.c,v 1.79 2011/11/23 23:07:35 jmcneill Exp $ */
+/* $NetBSD: azalia_codec.c,v 1.79.36.1 2017/08/09 06:21:18 snj Exp $ */
/*-
* Copyright (c) 2005, 2008 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
*/
#include
-__KERNEL_RCSID(0, "$NetBSD: azalia_codec.c,v 1.79 2011/11/23 23:07:35 jmcneill Exp $");
+__KERNEL_RCSID(0, "$NetBSD: azalia_codec.c,v 1.79.36.1 2017/08/09 06:21:18 snj Exp $");
#include
#include
@@ -2074,7 +2074,7 @@ generic_set_port(codec_t *this, mixer_ct
{
const mixer_item_t *m;
- if (mc->dev >= this->nmixers)
+ if (mc->dev < 0 || mc->dev >= this->nmixers)
return ENXIO;
m = >mixers[mc->dev];
if (mc->type != m->devinfo.type)
@@ -2089,7 +2089,7 @@ generic_get_port(codec_t *this, mixer_ct
{
const mixer_item_t *m;
- if (mc->dev >= this->nmixers)
+ if (mc->dev < 0 || mc->dev >= this->nmixers)
return ENXIO;
m = >mixers[mc->dev];
mc->type = m->devinfo.type;
@@ -2328,7 +2328,7 @@ alc260_set_port(codec_t *this, mixer_ctr
uint32_t value;
int err;
- if (mc->dev >= this->nmixers)
+ if (mc->dev < 0 || mc->dev >= this->nmixers)
return ENXIO;
m = >mixers[mc->dev];
if (mc->type != m->devinfo.type)
@@ -2386,7 +2386,7 @@ alc260_get_port(codec_t *this, mixer_ctr
{
const mixer_item_t *m;
- if (mc->dev >= this->nmixers)
+ if (mc->dev < 0 || mc->dev >= this->nmixers)
return ENXIO;
m = >mixers[mc->dev];
mc->type = m->devinfo.type;
@@ -2895,7 +2895,7 @@ alc882_set_port(codec_t *this, mixer_ctr
uint32_t mask, bit;
int i, err;
- if (mc->dev >= this->nmixers)
+ if (mc->dev < 0 || mc->dev >= this->nmixers)
return ENXIO;
m = >mixers[mc->dev];
if (mc->type != m->devinfo.type)
@@ -2929,7 +2929,7 @@ alc882_get_port(codec_t *this, mixer_ctr
uint32_t mask, bit, result;
int i, err;
- if (mc->dev >= this->nmixers)
+ if (mc->dev < 0 || mc->dev >= this->nmixers)
return ENXIO;
m
CVS commit: [netbsd-7-1] src/sys/dev
Module Name:src Committed By: snj Date: Sat Jul 8 16:13:55 UTC 2017 Modified Files: src/sys/dev [netbsd-7-1]: cgd.c Log Message: Apply patch (requested by chs in ticket #1429): Avoid crashes by checking if a cgd device has been configured before processing most ioctls, and failing with ENXIO if the device is not configured. To generate a diff of this commit: cvs rdiff -u -r1.90.2.1 -r1.90.2.1.4.1 src/sys/dev/cgd.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/cgd.c diff -u src/sys/dev/cgd.c:1.90.2.1 src/sys/dev/cgd.c:1.90.2.1.4.1 --- src/sys/dev/cgd.c:1.90.2.1 Wed Nov 4 16:25:17 2015 +++ src/sys/dev/cgd.c Sat Jul 8 16:13:55 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: cgd.c,v 1.90.2.1 2015/11/04 16:25:17 riz Exp $ */ +/* $NetBSD: cgd.c,v 1.90.2.1.4.1 2017/07/08 16:13:55 snj Exp $ */ /*- * Copyright (c) 2002 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: cgd.c,v 1.90.2.1 2015/11/04 16:25:17 riz Exp $"); +__KERNEL_RCSID(0, "$NetBSD: cgd.c,v 1.90.2.1.4.1 2017/07/08 16:13:55 snj Exp $"); #include #include @@ -586,12 +586,16 @@ cgdioctl(dev_t dev, u_long cmd, void *da */ if ((flag & FWRITE) == 0) return (EBADF); + if ((dksc->sc_flags & DKF_INITED) == 0) + return ENXIO; /* * We pass this call down to the underlying disk. */ return VOP_IOCTL(cs->sc_tvn, cmd, data, flag, l->l_cred); default: + if ((dksc->sc_flags & DKF_INITED) == 0) + return ENXIO; return dk_ioctl(di, dksc, dev, cmd, data, flag, l); } }
