CVS commit: [netbsd-7-1] src/sys/compat/sys
Module Name:src Committed By: martin Date: Thu Jan 3 11:15:01 UTC 2019 Modified Files: src/sys/compat/sys [netbsd-7-1]: time_types.h Log Message: Additionally pull up the following for ticket #1668: sys/compat/sys/time_types.h 1.3 include libkern.h or string.h & stddef.h, to get the offsetof() and memset() definitions. To generate a diff of this commit: cvs rdiff -u -r1.1 -r1.1.52.1 src/sys/compat/sys/time_types.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/sys/time_types.h diff -u src/sys/compat/sys/time_types.h:1.1 src/sys/compat/sys/time_types.h:1.1.52.1 --- src/sys/compat/sys/time_types.h:1.1 Thu Nov 5 16:59:01 2009 +++ src/sys/compat/sys/time_types.h Thu Jan 3 11:15:01 2019 @@ -1,4 +1,4 @@ -/* $NetBSD: time_types.h,v 1.1 2009/11/05 16:59:01 pooka Exp $ */ +/* $NetBSD: time_types.h,v 1.1.52.1 2019/01/03 11:15:01 martin Exp $ */ /* * Copyright (c) 1982, 1986, 1993 @@ -34,6 +34,13 @@ #ifndef _COMPAT_SYS_TIME_TYPES_H_ #define _COMPAT_SYS_TIME_TYPES_H_ +#ifdef _KERNEL +#include +#else +#include +#include +#endif + /* * Structure returned by gettimeofday(2) system call, * and used in other calls.
CVS commit: [netbsd-7-1] src/sys/compat
Module Name:src Committed By: martin Date: Wed Jan 2 15:26:38 UTC 2019 Modified Files: src/sys/compat/netbsd32 [netbsd-7-1]: netbsd32_compat_14.c netbsd32_conv.h src/sys/compat/sys [netbsd-7-1]: msg.h Log Message: Pull up following revision(s) (requested by maxv in ticket #1668): sys/compat/netbsd32/netbsd32_conv.h: revision 1.37 sys/compat/netbsd32/netbsd32_compat_14.c: revision 1.27 sys/compat/sys/msg.h: revision 1.5 Fix kernel info leaks. + Possible info leak: [len=80, leaked=10] | #0 0x80bad7a7 in kleak_copyout | #1 0x8048e71b in netbsd32___msgctl50 | #2 0x8022fb5b in netbsd32_syscall | #3 0x802096dd in handle_syscall To generate a diff of this commit: cvs rdiff -u -r1.21 -r1.21.82.1 src/sys/compat/netbsd32/netbsd32_compat_14.c cvs rdiff -u -r1.28.4.1 -r1.28.4.1.4.1 \ src/sys/compat/netbsd32/netbsd32_conv.h cvs rdiff -u -r1.4 -r1.4.52.1 src/sys/compat/sys/msg.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/netbsd32/netbsd32_compat_14.c diff -u src/sys/compat/netbsd32/netbsd32_compat_14.c:1.21 src/sys/compat/netbsd32/netbsd32_compat_14.c:1.21.82.1 --- src/sys/compat/netbsd32/netbsd32_compat_14.c:1.21 Thu Dec 20 23:03:01 2007 +++ src/sys/compat/netbsd32/netbsd32_compat_14.c Wed Jan 2 15:26:38 2019 @@ -1,4 +1,4 @@ -/* $NetBSD: netbsd32_compat_14.c,v 1.21 2007/12/20 23:03:01 dsl Exp $ */ +/* $NetBSD: netbsd32_compat_14.c,v 1.21.82.1 2019/01/02 15:26:38 martin Exp $ */ /* * Copyright (c) 1999 Eduardo E. Horvath @@ -29,7 +29,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: netbsd32_compat_14.c,v 1.21 2007/12/20 23:03:01 dsl Exp $"); +__KERNEL_RCSID(0, "$NetBSD: netbsd32_compat_14.c,v 1.21.82.1 2019/01/02 15:26:38 martin Exp $"); #include #include 
@@ -126,6 +126,7 @@ static inline void native_to_netbsd32_msqid_ds14(struct msqid_ds *msqbuf, struct netbsd32_msqid_ds14 *omsqbuf) { + memset(omsqbuf, 0, sizeof(*omsqbuf)); native_to_netbsd32_ipc_perm14(>msg_perm, >msg_perm); #define CVT(x) omsqbuf->x = msqbuf->x Index: src/sys/compat/netbsd32/netbsd32_conv.h diff -u src/sys/compat/netbsd32/netbsd32_conv.h:1.28.4.1 src/sys/compat/netbsd32/netbsd32_conv.h:1.28.4.1.4.1 --- src/sys/compat/netbsd32/netbsd32_conv.h:1.28.4.1 Wed Nov 4 17:46:21 2015 +++ src/sys/compat/netbsd32/netbsd32_conv.h Wed Jan 2 15:26:38 2019 @@ -1,4 +1,4 @@ -/* $NetBSD: netbsd32_conv.h,v 1.28.4.1 2015/11/04 17:46:21 riz Exp $ */ +/* $NetBSD: netbsd32_conv.h,v 1.28.4.1.4.1 2019/01/02 15:26:38 martin Exp $ */ /* * Copyright (c) 1998, 2001 Matthew R. Green @@ -544,6 +544,7 @@ netbsd32_from_msqid_ds50(const struct ms struct netbsd32_msqid_ds50 *ds32p) { + memset(ds32p, 0, sizeof(*ds32p)); netbsd32_from_ipc_perm(>msg_perm, >msg_perm); ds32p->_msg_cbytes = (netbsd32_u_long)dsp->_msg_cbytes; ds32p->msg_qnum = (netbsd32_u_long)dsp->msg_qnum; @@ -560,6 +561,7 @@ netbsd32_from_msqid_ds(const struct msqi struct netbsd32_msqid_ds *ds32p) { + memset(ds32p, 0, sizeof(*ds32p)); netbsd32_from_ipc_perm(>msg_perm, >msg_perm); ds32p->_msg_cbytes = (netbsd32_u_long)dsp->_msg_cbytes; ds32p->msg_qnum = (netbsd32_u_long)dsp->msg_qnum; Index: src/sys/compat/sys/msg.h diff -u src/sys/compat/sys/msg.h:1.4 src/sys/compat/sys/msg.h:1.4.52.1 --- src/sys/compat/sys/msg.h:1.4 Mon Jan 19 19:39:41 2009 +++ src/sys/compat/sys/msg.h Wed Jan 2 15:26:38 2019 @@ -1,4 +1,4 @@ -/* $NetBSD: msg.h,v 1.4 2009/01/19 19:39:41 christos Exp $ */ +/* $NetBSD: msg.h,v 1.4.52.1 2019/01/02 15:26:38 martin Exp $ */ /* * SVID compatible msg.h file @@ -108,6 +108,7 @@ static __inline void __native_to_msqid_ds13(const struct msqid_ds *msqbuf, struct msqid_ds13 *omsqbuf) { + memset(omsqbuf, 0, sizeof(*omsqbuf)); omsqbuf->msg_perm = msqbuf->msg_perm; #define CVT(x) omsqbuf->x = msqbuf->x 
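Review bot: In the msg.h hunk at line 108 the new `memset(omsqbuf, 0, sizeof(*omsqbuf));` clears the destination, but the very next line `omsqbuf->msg_perm = msqbuf->msg_perm;` is a whole-struct assignment, and compilers commonly copy a struct's padding bytes along with its members; if the ipc_perm type used there has internal padding, whatever the kernel object held in that padding lands in the user-visible buffer after the memset and still reaches userland. Converting msg_perm member by member, as the netbsd32_compat_14.c and netbsd32_conv.h hunks in this commit do through their ipc_perm helpers, or zeroing after the copy, would close that gap. The other hunks (netbsd32_compat_14.c at 126, netbsd32_conv.h at 544 and 560, msg.h at 149) fill their targets field by field after the memset and are not affected, though whether their ipc_perm helpers are also called on standalone stack structs elsewhere is not visible here. Each converter continues past the end of its hunk.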
@@ -149,6 +150,7 @@ static __inline void __native_to_msqid_ds14(const struct msqid_ds *msqbuf, struct msqid_ds14 *omsqbuf) { + memset(omsqbuf, 0, sizeof(*omsqbuf)); __native_to_ipc_perm14(>msg_perm, >msg_perm); #define CVT(x) omsqbuf->x = msqbuf->x
CVS commit: [netbsd-7-1] src/sys/compat/netbsd32
Module Name:src Committed By: martin Date: Wed Nov 21 12:09:54 UTC 2018 Modified Files: src/sys/compat/netbsd32 [netbsd-7-1]: netbsd32_socket.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1652): sys/compat/netbsd32/netbsd32_socket.c: revision 1.48 (via patch) Fix inverted logic, which leads to buffer overflow. Detected by kASan. To generate a diff of this commit: cvs rdiff -u -r1.41.14.1 -r1.41.14.1.6.1 \ src/sys/compat/netbsd32/netbsd32_socket.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/netbsd32/netbsd32_socket.c diff -u src/sys/compat/netbsd32/netbsd32_socket.c:1.41.14.1 src/sys/compat/netbsd32/netbsd32_socket.c:1.41.14.1.6.1 --- src/sys/compat/netbsd32/netbsd32_socket.c:1.41.14.1 Sat Aug 8 15:41:54 2015 +++ src/sys/compat/netbsd32/netbsd32_socket.c Wed Nov 21 12:09:54 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: netbsd32_socket.c,v 1.41.14.1 2015/08/08 15:41:54 martin Exp $ */ +/* $NetBSD: netbsd32_socket.c,v 1.41.14.1.6.1 2018/11/21 12:09:54 martin Exp $ */ /* * Copyright (c) 1998, 2001 Matthew R. Green @@ -27,7 +27,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: netbsd32_socket.c,v 1.41.14.1 2015/08/08 15:41:54 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: netbsd32_socket.c,v 1.41.14.1.6.1 2018/11/21 12:09:54 martin Exp $"); #include #include @@ -99,7 +99,7 @@ copyout32_msg_control_mbuf(struct lwp *l } ktrkuser("msgcontrol", cmsg, cmsg->cmsg_len); - error = copyout(, *q, MAX(i, sizeof(cmsg32))); + error = copyout(, *q, MIN(i, sizeof(cmsg32))); if (error) return (error); if (i > CMSG32_LEN(0)) {
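Review bot: The corrected `MIN(i, sizeof(cmsg32))` is the entire fix, and nothing at the call site says why the smaller of the two bounds is the right one, which is how the inverted `MAX` survived since 2015; a one-line comment such as `/* copy only the 32-bit header: never more than sizeof(cmsg32), never more than the converted length i */` would let the next reader check the bound without reconstructing the conversion. The `ktrkuser("msgcontrol", cmsg, cmsg->cmsg_len)` trace on the preceding line still records the full native record, which is fine for ktrace but is not bounded by the same MIN, so it should not be read as evidence that `i` and `cmsg_len` agree. copyout32_msg_control_mbuf begins and ends outside the hunk, so what `i` holds is inferred from its use here.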
CVS commit: [netbsd-7-1] src/sys/compat/linux32/arch/amd64
Module Name:src Committed By: snj Date: Sat Sep 9 16:57:36 UTC 2017 Modified Files: src/sys/compat/linux32/arch/amd64 [netbsd-7-1]: linux32_machdep.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1507): sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.39 Fix a ring0 escalation vulnerability in compat_linux32 where the index of %cs is controlled by userland, making it easy to trigger the page fault and get kernel privileges. To generate a diff of this commit: cvs rdiff -u -r1.36 -r1.36.14.1 \ src/sys/compat/linux32/arch/amd64/linux32_machdep.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/linux32/arch/amd64/linux32_machdep.c diff -u src/sys/compat/linux32/arch/amd64/linux32_machdep.c:1.36 src/sys/compat/linux32/arch/amd64/linux32_machdep.c:1.36.14.1 --- src/sys/compat/linux32/arch/amd64/linux32_machdep.c:1.36 Wed Feb 19 21:45:01 2014 +++ src/sys/compat/linux32/arch/amd64/linux32_machdep.c Sat Sep 9 16:57:36 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: linux32_machdep.c,v 1.36 2014/02/19 21:45:01 dsl Exp $ */ +/* $NetBSD: linux32_machdep.c,v 1.36.14.1 2017/09/09 16:57:36 snj Exp $ */ /*- * Copyright (c) 2006 Emmanuel Dreyfus, all rights reserved. @@ -31,7 +31,7 @@ * POSSIBILITY OF SUCH DAMAGE. */ #include -__KERNEL_RCSID(0, "$NetBSD: linux32_machdep.c,v 1.36 2014/02/19 21:45:01 dsl Exp $"); +__KERNEL_RCSID(0, "$NetBSD: linux32_machdep.c,v 1.36.14.1 2017/09/09 16:57:36 snj Exp $"); #include #include @@ -417,8 +417,9 @@ linux32_restore_sigcontext(struct lwp *l /* * Check for security violations. */ - if (((scp->sc_eflags ^ tf->tf_rflags) & PSL_USERSTATIC) != 0 || - !USERMODE(scp->sc_cs, scp->sc_eflags)) + if (((scp->sc_eflags ^ tf->tf_rflags) & PSL_USERSTATIC) != 0) + return EINVAL; + if (!VALID_USER_CSEL32(scp->sc_cs)) return EINVAL; if (scp->sc_fs != 0 && !VALID_USER_DSEL32(scp->sc_fs) &&
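Review bot: Splitting the combined USERMODE() test into a separate `if (!VALID_USER_CSEL32(scp->sc_cs))` check is the right shape, but the two back-to-back `return EINVAL;` statements carry no comment and the existing `Check for security violations.` banner does not say which violation each rejects; since this is the ring0-escalation fix the log describes, a line such as `/* %cs is taken from userland: it must select a user code segment, not merely satisfy USERMODE() */` above the new check would record why the old test was insufficient. The eflags test keeps its PSL_USERSTATIC comparison, so nothing from the previous condition is lost. The sc_fs check and the remaining selector checks continue past the end of the hunk, as does linux32_restore_sigcontext.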
CVS commit: [netbsd-7-1] src/sys/compat/svr4_32
Module Name:src Committed By: martin Date: Sat Aug 12 19:09:46 UTC 2017 Modified Files: src/sys/compat/svr4_32 [netbsd-7-1]: svr4_32_signal.c Log Message: Also pull up rev1.30 (accidently missed in ticket #1475) To generate a diff of this commit: cvs rdiff -u -r1.26.70.1 -r1.26.70.2 src/sys/compat/svr4_32/svr4_32_signal.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/svr4_32/svr4_32_signal.c diff -u src/sys/compat/svr4_32/svr4_32_signal.c:1.26.70.1 src/sys/compat/svr4_32/svr4_32_signal.c:1.26.70.2 --- src/sys/compat/svr4_32/svr4_32_signal.c:1.26.70.1 Sat Aug 12 03:59:55 2017 +++ src/sys/compat/svr4_32/svr4_32_signal.c Sat Aug 12 19:09:46 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: svr4_32_signal.c,v 1.26.70.1 2017/08/12 03:59:55 snj Exp $ */ +/* $NetBSD: svr4_32_signal.c,v 1.26.70.2 2017/08/12 19:09:46 martin Exp $ */ /*- * Copyright (c) 1994, 1998 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: svr4_32_signal.c,v 1.26.70.1 2017/08/12 03:59:55 snj Exp $"); +__KERNEL_RCSID(0, "$NetBSD: svr4_32_signal.c,v 1.26.70.2 2017/08/12 19:09:46 martin Exp $"); #if defined(_KERNEL_OPT) #include "opt_compat_svr4.h" @@ -397,16 +397,16 @@ svr4_32_sys_signal(struct lwp *l, const nbsa.sa_handler = (sig_t)SCARG(uap, handler); sigemptyset(_mask); nbsa.sa_flags = 0; - error = sigaction1(l, signum, , , NULL, 0); + error = sigaction1(l, native_signo, , , NULL, 0); if (error) - return (error); + return error; *retval = (u_int)(u_long)obsa.sa_handler; - return (0); + return 0; case SVR4_SIGHOLD_MASK: sighold: sigemptyset(); - sigaddset(, signum); + sigaddset(, native_signo); mutex_enter(p->p_lock); error = sigprocmask1(l, SIG_BLOCK, , 0); mutex_exit(p->p_lock); 
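Review bot: The `signum` to `native_signo` substitutions are the behavioural change in this hunk, but they are interleaved with `return (error)` to `return error` style edits here and again in the hunks at lines 414 and 424, so anyone auditing the signal-index fix has to separate the two in every hunk; keeping the parenthesis removal in its own commit would have made this pull-up self-evidently a one-concern security change. The declaration and range validation of `native_signo` are not in these hunks, so whether an out-of-range svr4 signal is rejected before the `sighold:` path is reached depends on code outside this diff, presumably the decode helper pulled up for svr4_signal.c under ticket #1475. svr4_32_sys_signal begins before the first hunk and its closing brace is in the hunk at line 424.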
@@ -414,7 +414,7 @@ svr4_32_sys_signal(struct lwp *l, const case SVR4_SIGRELSE_MASK: sigemptyset(); - sigaddset(, signum); + sigaddset(, native_signo); mutex_enter(p->p_lock); error = sigprocmask1(l, SIG_UNBLOCK, , 0); mutex_exit(p->p_lock); @@ -424,17 +424,17 @@ svr4_32_sys_signal(struct lwp *l, const nbsa.sa_handler = SIG_IGN; sigemptyset(_mask); nbsa.sa_flags = 0; - return (sigaction1(l, signum, , 0, NULL, 0)); + return sigaction1(l, native_signo, , 0, NULL, 0); case SVR4_SIGPAUSE_MASK: mutex_enter(p->p_lock); ss = l->l_sigmask; mutex_exit(p->p_lock); - sigdelset(, signum); - return (sigsuspend1(l, )); + sigdelset(, native_signo); + return sigsuspend1(l, ); default: - return (ENOSYS); + return ENOSYS; } }
CVS commit: [netbsd-7-1] src/sys/compat/linux/common
Module Name:src Committed By: snj Date: Sat Aug 12 04:50:11 UTC 2017 Modified Files: src/sys/compat/linux/common [netbsd-7-1]: linux_time.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1486): sys/compat/linux/common/linux_time.c: revision 1.38-1.39 via patch Only let the superuser set the compat_linux timezone. Not really keen to invent a new kauth cookie for this useless purpose. >From Ilja Van Sprundel. -- Put suser check in the right function: settimeofday, not gettimeofday. While here, remove wrong comment. Noted by kre@. To generate a diff of this commit: cvs rdiff -u -r1.37 -r1.37.16.1 src/sys/compat/linux/common/linux_time.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/linux/common/linux_time.c diff -u src/sys/compat/linux/common/linux_time.c:1.37 src/sys/compat/linux/common/linux_time.c:1.37.16.1 --- src/sys/compat/linux/common/linux_time.c:1.37 Mon Jan 13 10:33:03 2014 +++ src/sys/compat/linux/common/linux_time.c Sat Aug 12 04:50:11 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: linux_time.c,v 1.37 2014/01/13 10:33:03 njoly Exp $ */ +/* $NetBSD: linux_time.c,v 1.37.16.1 2017/08/12 04:50:11 snj Exp $ */ /*- * Copyright (c) 2001 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: linux_time.c,v 1.37 2014/01/13 10:33:03 njoly Exp $"); +__KERNEL_RCSID(0, "$NetBSD: linux_time.c,v 1.37.16.1 2017/08/12 04:50:11 snj Exp $"); #include #include @@ -102,11 +102,10 @@ linux_sys_settimeofday(struct lwp *l, co return (error); } - /* - * If user is not the superuser, we returned - * after the sys_settimeofday() call. - */ if (SCARG(uap, tzp)) { + if (kauth_authorize_generic(kauth_cred_get(), + KAUTH_GENERIC_ISSUSER, NULL) != 0) + return (EPERM); error = copyin(SCARG(uap, tzp), _sys_tz, sizeof(linux_sys_tz)); if (error) return (error);
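Review bot: The new `kauth_authorize_generic(kauth_cred_get(), KAUTH_GENERIC_ISSUSER, NULL)` check has no comment saying why a generic superuser test is used rather than a system-scope action, so the reasoning the log message gives (a dedicated kauth action is not warranted for the compat timezone) should sit next to the code, e.g. `/* linux_sys_tz is global to the emulation; no dedicated kauth action, so require the superuser. */`. Gating it under `if (SCARG(uap, tzp))` is the right scope, since only the tz copy-in is privileged here and the time itself is authorized inside the sys_settimeofday() call that precedes this hunk. linux_sys_settimeofday continues outside the hunk.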
CVS commit: [netbsd-7-1] src/sys/compat
Module Name:src Committed By: snj Date: Sat Aug 12 04:16:53 UTC 2017 Modified Files: src/sys/compat/common [netbsd-7-1]: vfs_syscalls_12.c vfs_syscalls_43.c src/sys/compat/ibcs2 [netbsd-7-1]: ibcs2_misc.c src/sys/compat/linux/common [netbsd-7-1]: linux_file64.c linux_misc.c src/sys/compat/linux32/common [netbsd-7-1]: linux32_dirent.c src/sys/compat/osf1 [netbsd-7-1]: osf1_file.c src/sys/compat/sunos [netbsd-7-1]: sunos_misc.c src/sys/compat/sunos32 [netbsd-7-1]: sunos32_misc.c src/sys/compat/svr4 [netbsd-7-1]: svr4_misc.c src/sys/compat/svr4_32 [netbsd-7-1]: svr4_32_misc.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1479): sys/compat/common/vfs_syscalls_12.c: revision 1.34 sys/rump/kern/lib/libsys_sunos/rump_sunos_compat.c: revision 1.2 sys/compat/svr4_32/svr4_32_misc.c: revision 1.78 sys/compat/sunos32/sunos32_misc.c: revision 1.78 sys/compat/linux/common/linux_misc.c: revision 1.239 sys/compat/osf1/osf1_file.c: revision 1.44 sys/compat/common/vfs_syscalls_43.c: revision 1.60 sys/compat/svr4/svr4_misc.c: revision 1.158 sys/compat/ibcs2/ibcs2_misc.c: revision 1.114 sys/compat/linux/common/linux_file64.c: revision 1.59 sys/compat/linux32/common/linux32_dirent.c: revision 1.18 sys/compat/sunos/sunos_misc.c: revision 1.171 Fail, don't panic, on bad dirents from file system. Controllable via puffs from userland. >From Ilja Van Sprundel. 
To generate a diff of this commit: cvs rdiff -u -r1.30 -r1.30.10.1 src/sys/compat/common/vfs_syscalls_12.c cvs rdiff -u -r1.56.4.1 -r1.56.4.1.4.1 \ src/sys/compat/common/vfs_syscalls_43.c cvs rdiff -u -r1.112 -r1.112.18.1 src/sys/compat/ibcs2/ibcs2_misc.c cvs rdiff -u -r1.55 -r1.55.14.1 src/sys/compat/linux/common/linux_file64.c cvs rdiff -u -r1.229 -r1.229.8.1 src/sys/compat/linux/common/linux_misc.c cvs rdiff -u -r1.13 -r1.13.38.1 \ src/sys/compat/linux32/common/linux32_dirent.c cvs rdiff -u -r1.41.28.1 -r1.41.28.1.6.1 src/sys/compat/osf1/osf1_file.c cvs rdiff -u -r1.168 -r1.168.40.1 src/sys/compat/sunos/sunos_misc.c cvs rdiff -u -r1.74 -r1.74.28.1 src/sys/compat/sunos32/sunos32_misc.c cvs rdiff -u -r1.155 -r1.155.34.1 src/sys/compat/svr4/svr4_misc.c cvs rdiff -u -r1.74 -r1.74.34.1 src/sys/compat/svr4_32/svr4_32_misc.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/common/vfs_syscalls_12.c diff -u src/sys/compat/common/vfs_syscalls_12.c:1.30 src/sys/compat/common/vfs_syscalls_12.c:1.30.10.1 --- src/sys/compat/common/vfs_syscalls_12.c:1.30 Fri Jan 24 22:11:46 2014 +++ src/sys/compat/common/vfs_syscalls_12.c Sat Aug 12 04:16:52 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: vfs_syscalls_12.c,v 1.30 2014/01/24 22:11:46 christos Exp $ */ +/* $NetBSD: vfs_syscalls_12.c,v 1.30.10.1 2017/08/12 04:16:52 snj Exp $ */ /* * Copyright (c) 1989, 1993 @@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_12.c,v 1.30 2014/01/24 22:11:46 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_12.c,v 1.30.10.1 2017/08/12 04:16:52 snj Exp $"); #include #include 
@@ -171,8 +171,10 @@ again:
 for (cookie = cookiebuf; len > 0; len -= reclen) {
 bdp = (struct dirent *)inp;
 reclen = bdp->d_reclen;
- if (reclen & 3)
- panic(__func__);
+ if (reclen & 3) {
+ error = EIO;
+ goto out;
+ }
 if (bdp->d_fileno == 0) {
 inp += reclen; /* it is a hole; squish it out */
 if (cookie)
Index: src/sys/compat/common/vfs_syscalls_43.c
diff -u src/sys/compat/common/vfs_syscalls_43.c:1.56.4.1 src/sys/compat/common/vfs_syscalls_43.c:1.56.4.1.4.1
--- src/sys/compat/common/vfs_syscalls_43.c:1.56.4.1 Sat Aug 27 15:10:59 2016
+++ src/sys/compat/common/vfs_syscalls_43.c Sat Aug 12 04:16:52 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: vfs_syscalls_43.c,v 1.56.4.1 2016/08/27 15:10:59 bouyer Exp $ */
+/* $NetBSD: vfs_syscalls_43.c,v 1.56.4.1.4.1 2017/08/12 04:16:52 snj Exp $ */
 
 /*
 * Copyright (c) 1989, 1993
@@ -37,7 +37,7 @@
 */
 
 #include
-__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_43.c,v 1.56.4.1 2016/08/27 15:10:59 bouyer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_43.c,v 1.56.4.1.4.1 2017/08/12 04:16:52 snj Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_compat_netbsd.h"
@@ -450,8 +450,10 @@ again:
 for (cookie = cookiebuf; len > 0; len -= reclen) {
 bdp = (struct dirent *)inp;
 reclen = bdp->d_reclen;
- if (reclen & 3)
- panic(__func__);
+ if (reclen & 3) {
+ error = EIO;
+ goto out;
+ }
 if (bdp->d_fileno == 0) {
 inp += reclen; /* it is a hole; squish it out */
 if (cookie)
Index: src/sys/compat/ibcs2/ibcs2_misc.c
diff -u src/sys/compat/ibcs2/ibcs2_misc.c:1.112 src/sys/compat/ibcs2/ibcs2_misc.c:1.112.18.1
--- src/sys/compat/ibcs2/ibcs2_misc.c:1.112 Tue Oct 2 01:44:27 2012
+++ src/sys/compat/ibcs2/ibcs2_misc.c Sat Aug
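Review bot: `reclen & 3` now yields EIO instead of a panic, but a `d_reclen` of 0 passes that test, and in the hole branch visible in the hunk `inp += reclen` and the loop's `len -= reclen` then never advance, so a file system that hands back an aligned zero record length turns this loop into a hang; a record length larger than the remaining `len` likewise passes and the next iteration reads past the buffer. Unless the caller already bounds d_reclen, which is not visible here, the guard should read `if (reclen == 0 || (reclen & 3) || reclen > len) {` both in this hunk and in the identical one in vfs_syscalls_43.c at line 450. The loop bodies continue past the end of each hunk, so the non-hole branch could not be checked.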
CVS commit: [netbsd-7-1] src/sys/compat/ibcs2
Module Name:src Committed By: snj Date: Sat Aug 12 04:09:05 UTC 2017 Modified Files: src/sys/compat/ibcs2 [netbsd-7-1]: ibcs2_exec_coff.c ibcs2_ioctl.c ibcs2_stat.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1477): sys/compat/ibcs2/ibcs2_exec_coff.c: revision 1.27-1.29 sys/compat/ibcs2/ibcs2_ioctl.c: revision 1.46 sys/compat/ibcs2/ibcs2_stat.c: revision 1.49-1.50 Check for NUL termination within the buffer we have. >From Ilja Van Sprundel. -- Make sure we have enough space in the buffer before reading it. >From Ilja Van Sprundel. -- Make sure we move forward over the buffer. >From Ilja Van Sprundel. -- Zero buffers in ibcs2 ioctl to avoid disclosing stack to userland. >From Ilja Van Sprundel. -- Don't drop vnode ref until we're done with mount in ibcs2_stat(v)fs. Nothing else guarantees the mount will stick around. >From Ilja Van Sprundel. -- Little happy on the commit trigger. Actually use the out label. To generate a diff of this commit: cvs rdiff -u -r1.26 -r1.26.16.1 src/sys/compat/ibcs2/ibcs2_exec_coff.c cvs rdiff -u -r1.45 -r1.45.70.1 src/sys/compat/ibcs2/ibcs2_ioctl.c cvs rdiff -u -r1.47 -r1.47.44.1 src/sys/compat/ibcs2/ibcs2_stat.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/ibcs2/ibcs2_exec_coff.c diff -u src/sys/compat/ibcs2/ibcs2_exec_coff.c:1.26 src/sys/compat/ibcs2/ibcs2_exec_coff.c:1.26.16.1 --- src/sys/compat/ibcs2/ibcs2_exec_coff.c:1.26 Fri Oct 25 14:46:35 2013 +++ src/sys/compat/ibcs2/ibcs2_exec_coff.c Sat Aug 12 04:09:05 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: ibcs2_exec_coff.c,v 1.26 2013/10/25 14:46:35 martin Exp $ */ +/* $NetBSD: ibcs2_exec_coff.c,v 1.26.16.1 2017/08/12 04:09:05 snj Exp $ */ /* * Copyright (c) 1994, 1995, 1998 Scott Bartram 
@@ -35,7 +35,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ibcs2_exec_coff.c,v 1.26 2013/10/25 14:46:35 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ibcs2_exec_coff.c,v 1.26.16.1 2017/08/12 04:09:05 snj Exp $"); #include #include @@ -454,6 +454,10 @@ exec_ibcs2_coff_prep_zmagic(struct lwp * } bufp = tbuf; while (len) { + if (len < sizeof(struct coff_slhdr)) { +free(tbuf, M_TEMP); +return ENOEXEC; + } slhdr = (struct coff_slhdr *)bufp; if (slhdr->path_index > LONG_MAX / sizeof(long) || @@ -465,7 +469,9 @@ exec_ibcs2_coff_prep_zmagic(struct lwp * /* path_index = slhdr->path_index * sizeof(long); */ entry_len = slhdr->entry_len * sizeof(long); - if (entry_len > len) { + if (entry_len < sizeof(struct coff_slhdr) || + entry_len > len || + strnlen(slhdr->sl_name, entry_len) == entry_len) { free(tbuf, M_TEMP); return ENOEXEC; } Index: src/sys/compat/ibcs2/ibcs2_ioctl.c diff -u src/sys/compat/ibcs2/ibcs2_ioctl.c:1.45 src/sys/compat/ibcs2/ibcs2_ioctl.c:1.45.70.1 --- src/sys/compat/ibcs2/ibcs2_ioctl.c:1.45 Tue Jun 24 10:03:17 2008 +++ src/sys/compat/ibcs2/ibcs2_ioctl.c Sat Aug 12 04:09:05 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: ibcs2_ioctl.c,v 1.45 2008/06/24 10:03:17 gmcgarry Exp $ */ +/* $NetBSD: ibcs2_ioctl.c,v 1.45.70.1 2017/08/12 04:09:05 snj Exp $ */ /* * Copyright (c) 1994, 1995 Scott Bartram @@ -27,7 +27,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ibcs2_ioctl.c,v 1.45 2008/06/24 10:03:17 gmcgarry Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ibcs2_ioctl.c,v 1.45.70.1 2017/08/12 04:09:05 snj Exp $"); #include #include @@ -402,8 +402,10 @@ ibcs2_sys_ioctl(struct lwp *l, const str if ((error = (*ctl)(fp, TIOCGETA, )) != 0) goto out; + memset(, 0, sizeof(sts)); btios2stios(, ); if (SCARG(uap, cmd) == IBCS2_TCGETA) { + memset(, 0, sizeof(st)); stios2stio(, ); error = copyout(, SCARG(uap, data), sizeof(st)); if (error) 
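Review bot: In the ibcs2_exec_coff.c hunk at line 465 the new `strnlen(slhdr->sl_name, entry_len) == entry_len` test bounds the scan by the whole entry length, but `sl_name` begins part-way into `struct coff_slhdr` (after the `entry_len` and `path_index` fields that are read just above, and the `sizeof(struct coff_slhdr)` minimum enforced on the same line suggests it is the trailing member), so the scan may run up to that offset beyond the entry; when this is the last entry and `entry_len == len`, that is past the end of `tbuf`. The bound should be the name's own length: `size_t nlen = entry_len - offsetof(struct coff_slhdr, sl_name);` followed by `strnlen(slhdr->sl_name, nlen) == nlen`. The `len < sizeof(struct coff_slhdr)` check added at line 454 is what makes the header field reads safe and is otherwise correct. exec_ibcs2_coff_prep_zmagic continues outside both hunks.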
@@ -559,6 +561,7 @@ ibcs2_sys_gtty(struct lwp *l, const stru fd_putfile(SCARG(uap, fd)); + memset(, 0, sizeof(itb)); itb.sg_ispeed = tb.sg_ispeed; itb.sg_ospeed = tb.sg_ospeed; itb.sg_erase = tb.sg_erase; Index: src/sys/compat/ibcs2/ibcs2_stat.c diff -u src/sys/compat/ibcs2/ibcs2_stat.c:1.47 src/sys/compat/ibcs2/ibcs2_stat.c:1.47.44.1 --- src/sys/compat/ibcs2/ibcs2_stat.c:1.47 Mon Jun 29 05:08:16 2009 +++ src/sys/compat/ibcs2/ibcs2_stat.c Sat Aug 12 04:09:05 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: ibcs2_stat.c,v 1.47 2009/06/29 05:08:16 dholland Exp $ */ +/* $NetBSD: ibcs2_stat.c,v 1.47.44.1 2017/08/12 04:09:05 snj Exp $ */ /* * Copyright (c) 1995, 1998 Scott Bartram * All rights reserved. @@ -27,7 +27,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ibcs2_stat.c,v 1.47 2009/06/29 05:08:16 dholland Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ibcs2_stat.c,v 1.47.44.1 2017/08/12 04:09:05 snj Exp $"); #include #include @@ -147,11 +147,13 @@ ibcs2_sys_statfs(struct lwp *l, const st return (error); mp = vp->v_mount; sp = >mnt_stat; - vrele(vp); if ((error = VFS_STATVFS(mp, sp)) != 0) - return (error); +
CVS commit: [netbsd-7-1] src/sys/compat
Module Name:src Committed By: snj Date: Sat Aug 12 03:59:55 UTC 2017 Modified Files: src/sys/compat/svr4 [netbsd-7-1]: svr4_lwp.c svr4_signal.c svr4_stream.c src/sys/compat/svr4_32 [netbsd-7-1]: svr4_32_signal.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1475): sys/compat/svr4/svr4_lwp.c: revision 1.20 sys/compat/svr4/svr4_signal.c: revision 1.67 sys/compat/svr4/svr4_stream.c: revision 1.89-1.91 via patch sys/compat/svr4_32/svr4_32_signal.c: revision 1.29 Fix some of the multitudinous holes in svr4 streams. We should never have enabled this by default; it is a minefield. >From Ilja Van Sprundel. -- Zero stack data before copyout. >From Ilja Van Sprundel. -- Fix indexing of svr4 signals. >From Ilja Van Sprundel. -- Feebly attempt to get this reference counting less bad. This svr4 streams code is bad and it should feel bad. >From Ilja Van Sprundel. -- Check bounds in svr4_sys_putmsg. Check more svr4_strmcmd bounds. svr4 streams code is still a disaster. >From Ilja Van Sprundel. To generate a diff of this commit: cvs rdiff -u -r1.19 -r1.19.50.1 src/sys/compat/svr4/svr4_lwp.c cvs rdiff -u -r1.65.30.1 -r1.65.30.1.6.1 src/sys/compat/svr4/svr4_signal.c cvs rdiff -u -r1.80 -r1.80.8.1 src/sys/compat/svr4/svr4_stream.c cvs rdiff -u -r1.26 -r1.26.70.1 src/sys/compat/svr4_32/svr4_32_signal.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/svr4/svr4_lwp.c diff -u src/sys/compat/svr4/svr4_lwp.c:1.19 src/sys/compat/svr4/svr4_lwp.c:1.19.50.1 --- src/sys/compat/svr4/svr4_lwp.c:1.19 Mon Nov 23 00:46:07 2009 +++ src/sys/compat/svr4/svr4_lwp.c Sat Aug 12 03:59:55 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: svr4_lwp.c,v 1.19 2009/11/23 00:46:07 rmind Exp $ */ +/* $NetBSD: svr4_lwp.c,v 1.19.50.1 2017/08/12 03:59:55 snj Exp $ */ /*- * Copyright (c) 1999 The NetBSD Foundation, Inc. 
@@ -30,7 +30,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: svr4_lwp.c,v 1.19 2009/11/23 00:46:07 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: svr4_lwp.c,v 1.19.50.1 2017/08/12 03:59:55 snj Exp $"); #include #include @@ -108,6 +108,8 @@ svr4_sys__lwp_info(struct lwp *l, const struct svr4_lwpinfo lwpinfo; int error; + memset(, 0, sizeof(lwpinfo)); + /* XXX NJWLWP */ TIMEVAL_TO_TIMESPEC(>l_proc->p_stats->p_ru.ru_stime, _stime); TIMEVAL_TO_TIMESPEC(>l_proc->p_stats->p_ru.ru_utime, _utime); Index: src/sys/compat/svr4/svr4_signal.c diff -u src/sys/compat/svr4/svr4_signal.c:1.65.30.1 src/sys/compat/svr4/svr4_signal.c:1.65.30.1.6.1 --- src/sys/compat/svr4/svr4_signal.c:1.65.30.1 Sat Jan 17 12:10:53 2015 +++ src/sys/compat/svr4/svr4_signal.c Sat Aug 12 03:59:55 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: svr4_signal.c,v 1.65.30.1 2015/01/17 12:10:53 martin Exp $ */ +/* $NetBSD: svr4_signal.c,v 1.65.30.1.6.1 2017/08/12 03:59:55 snj Exp $ */ /*- * Copyright (c) 1994, 1998 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: svr4_signal.c,v 1.65.30.1 2015/01/17 12:10:53 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: svr4_signal.c,v 1.65.30.1.6.1 2017/08/12 03:59:55 snj Exp $"); #include #include @@ -72,6 +72,21 @@ void native_to_svr4_sigaction(const stru extern const int native_to_svr4_signo[]; extern const int svr4_to_native_signo[]; +static int +svr4_decode_signum(int signum, int *native_signo, int *sigcall) +{ + + if (SVR4_SIGNO(signum) >= SVR4_NSIG) + return EINVAL; + + if (native_signo) + *native_signo = svr4_to_native_signo[SVR4_SIGNO(signum)]; + if (sigcall) + *sigcall = SVR4_SIGCALL(signum); + + return 0; +} + static inline void svr4_sigfillset(svr4_sigset_t *s) { @@ -173,6 +188,7 @@ svr4_sys_sigaction(struct lwp *l, const } */ struct svr4_sigaction nssa, ossa; struct sigaction nbsa, obsa; + int native_signo; int error; if (SCARG(uap, nsa)) { 
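Review bot: In the svr4_signal.c hunk at line 72, `svr4_decode_signum()` rejects only `SVR4_SIGNO(signum) >= SVR4_NSIG`; the lower bound `signum <= 0` that svr4_sys_signal() used to apply (removed in the hunk at line 216) is not carried over, so svr4 signal 0 is accepted and `svr4_to_native_signo[0]` is handed on to sigaction1()/sigprocmask1(). Whether those reject a zero or negative native number is not visible here; if they do not, `if (SVR4_SIGNO(signum) <= 0 || SVR4_SIGNO(signum) >= SVR4_NSIG)` keeps the old behaviour while still indexing the table by the svr4 number, which is the actual fix. A short comment on the helper stating that it is the single bounds check for every `svr4_to_native_signo[]` lookup would also discourage future callers from indexing the table directly, as the pre-fix sigaction path at line 181 did.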
@@ -181,7 +197,12 @@ svr4_sys_sigaction(struct lwp *l, const return (error); svr4_to_native_sigaction(, ); } - error = sigaction1(l, svr4_to_native_signo[SVR4_SIGNO(SCARG(uap, signum))], + + error = svr4_decode_signum(SCARG(uap, signum), _signo, NULL); + if (error) + return error; + + error = sigaction1(l, native_signo, SCARG(uap, nsa) ? : 0, SCARG(uap, osa) ? : 0, NULL, 0); if (error) @@ -216,16 +237,18 @@ svr4_sys_signal(struct lwp *l, const str syscallarg(int) signum; syscallarg(svr4_sig_t) handler; } */ - int signum = svr4_to_native_signo[SVR4_SIGNO(SCARG(uap, signum))]; + int native_signo, sigcall; struct proc *p = l->l_proc; struct sigaction nbsa, obsa; sigset_t ss; int error; - if (signum <= 0 || signum >= SVR4_NSIG) - return (EINVAL); + error = svr4_decode_signum(SCARG(uap, signum), _signo, + ); + if (error) + return error; - switch (SVR4_SIGCALL(SCARG(uap, signum))) { + switch (sigcall) { case SVR4_SIGDEFER_MASK: if (SCARG(uap, handler) == SVR4_SIG_HOLD)