CVS commit: [netbsd-7-1] src/sys/compat/sys
Module Name:src Committed By: martin Date: Thu Jan 3 11:15:01 UTC 2019 Modified Files: src/sys/compat/sys [netbsd-7-1]: time_types.h Log Message: Additionally pull up the following for ticket #1668: sys/compat/sys/time_types.h 1.3 include libkern.h or string.h & stddef.h, to get the offsetof() and memset() definitions. To generate a diff of this commit: cvs rdiff -u -r1.1 -r1.1.52.1 src/sys/compat/sys/time_types.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/sys/time_types.h diff -u src/sys/compat/sys/time_types.h:1.1 src/sys/compat/sys/time_types.h:1.1.52.1 --- src/sys/compat/sys/time_types.h:1.1 Thu Nov 5 16:59:01 2009 +++ src/sys/compat/sys/time_types.h Thu Jan 3 11:15:01 2019 @@ -1,4 +1,4 @@ -/* $NetBSD: time_types.h,v 1.1 2009/11/05 16:59:01 pooka Exp $ */ +/* $NetBSD: time_types.h,v 1.1.52.1 2019/01/03 11:15:01 martin Exp $ */ /* * Copyright (c) 1982, 1986, 1993 @@ -34,6 +34,13 @@ #ifndef _COMPAT_SYS_TIME_TYPES_H_ #define _COMPAT_SYS_TIME_TYPES_H_ +#ifdef _KERNEL +#include +#else +#include +#include +#endif + /* * Structure returned by gettimeofday(2) system call, * and used in other calls.
CVS commit: [netbsd-7-1] src/sys/compat
Module Name:src
Committed By: martin
Date: Wed Jan 2 15:26:38 UTC 2019
Modified Files:
src/sys/compat/netbsd32 [netbsd-7-1]: netbsd32_compat_14.c
netbsd32_conv.h
src/sys/compat/sys [netbsd-7-1]: msg.h
Log Message:
Pull up following revision(s) (requested by maxv in ticket #1668):
sys/compat/netbsd32/netbsd32_conv.h: revision 1.37
sys/compat/netbsd32/netbsd32_compat_14.c: revision 1.27
sys/compat/sys/msg.h: revision 1.5
Fix kernel info leaks.
+ Possible info leak: [len=80, leaked=10]
| #0 0x80bad7a7 in kleak_copyout
| #1 0x8048e71b in netbsd32___msgctl50
| #2 0x8022fb5b in netbsd32_syscall
| #3 0x802096dd in handle_syscall
To generate a diff of this commit:
cvs rdiff -u -r1.21 -r1.21.82.1 src/sys/compat/netbsd32/netbsd32_compat_14.c
cvs rdiff -u -r1.28.4.1 -r1.28.4.1.4.1 \
src/sys/compat/netbsd32/netbsd32_conv.h
cvs rdiff -u -r1.4 -r1.4.52.1 src/sys/compat/sys/msg.h
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/compat/netbsd32/netbsd32_compat_14.c
diff -u src/sys/compat/netbsd32/netbsd32_compat_14.c:1.21 src/sys/compat/netbsd32/netbsd32_compat_14.c:1.21.82.1
--- src/sys/compat/netbsd32/netbsd32_compat_14.c:1.21 Thu Dec 20 23:03:01 2007
+++ src/sys/compat/netbsd32/netbsd32_compat_14.c Wed Jan 2 15:26:38 2019
@@ -1,4 +1,4 @@
-/* $NetBSD: netbsd32_compat_14.c,v 1.21 2007/12/20 23:03:01 dsl Exp $ */
+/* $NetBSD: netbsd32_compat_14.c,v 1.21.82.1 2019/01/02 15:26:38 martin Exp $ */
/*
* Copyright (c) 1999 Eduardo E. Horvath
@@ -29,7 +29,7 @@
*/
#include
-__KERNEL_RCSID(0, "$NetBSD: netbsd32_compat_14.c,v 1.21 2007/12/20 23:03:01 dsl Exp $");
+__KERNEL_RCSID(0, "$NetBSD: netbsd32_compat_14.c,v 1.21.82.1 2019/01/02 15:26:38 martin Exp $");
#include
#include
@@ -126,6 +126,7 @@ static inline void
native_to_netbsd32_msqid_ds14(struct msqid_ds *msqbuf, struct netbsd32_msqid_ds14 *omsqbuf)
{
+ memset(omsqbuf, 0, sizeof(*omsqbuf));
native_to_netbsd32_ipc_perm14(>msg_perm, >msg_perm);
#define CVT(x) omsqbuf->x = msqbuf->x
Index: src/sys/compat/netbsd32/netbsd32_conv.h
diff -u src/sys/compat/netbsd32/netbsd32_conv.h:1.28.4.1 src/sys/compat/netbsd32/netbsd32_conv.h:1.28.4.1.4.1
--- src/sys/compat/netbsd32/netbsd32_conv.h:1.28.4.1 Wed Nov 4 17:46:21 2015
+++ src/sys/compat/netbsd32/netbsd32_conv.h Wed Jan 2 15:26:38 2019
@@ -1,4 +1,4 @@
-/* $NetBSD: netbsd32_conv.h,v 1.28.4.1 2015/11/04 17:46:21 riz Exp $ */
+/* $NetBSD: netbsd32_conv.h,v 1.28.4.1.4.1 2019/01/02 15:26:38 martin Exp $ */
/*
* Copyright (c) 1998, 2001 Matthew R. Green
@@ -544,6 +544,7 @@ netbsd32_from_msqid_ds50(const struct ms
struct netbsd32_msqid_ds50 *ds32p)
{
+ memset(ds32p, 0, sizeof(*ds32p));
netbsd32_from_ipc_perm(>msg_perm, >msg_perm);
ds32p->_msg_cbytes = (netbsd32_u_long)dsp->_msg_cbytes;
ds32p->msg_qnum = (netbsd32_u_long)dsp->msg_qnum;
@@ -560,6 +561,7 @@ netbsd32_from_msqid_ds(const struct msqi
struct netbsd32_msqid_ds *ds32p)
{
+ memset(ds32p, 0, sizeof(*ds32p));
netbsd32_from_ipc_perm(>msg_perm, >msg_perm);
ds32p->_msg_cbytes = (netbsd32_u_long)dsp->_msg_cbytes;
ds32p->msg_qnum = (netbsd32_u_long)dsp->msg_qnum;
Index: src/sys/compat/sys/msg.h
diff -u src/sys/compat/sys/msg.h:1.4 src/sys/compat/sys/msg.h:1.4.52.1
--- src/sys/compat/sys/msg.h:1.4 Mon Jan 19 19:39:41 2009
+++ src/sys/compat/sys/msg.h Wed Jan 2 15:26:38 2019
@@ -1,4 +1,4 @@
-/* $NetBSD: msg.h,v 1.4 2009/01/19 19:39:41 christos Exp $ */
+/* $NetBSD: msg.h,v 1.4.52.1 2019/01/02 15:26:38 martin Exp $ */
/*
* SVID compatible msg.h file
@@ -108,6 +108,7 @@ static __inline void
__native_to_msqid_ds13(const struct msqid_ds *msqbuf, struct msqid_ds13 *omsqbuf)
{
+ memset(omsqbuf, 0, sizeof(*omsqbuf));
omsqbuf->msg_perm = msqbuf->msg_perm;
#define CVT(x) omsqbuf->x = msqbuf->x
@@ -149,6 +150,7 @@ static __inline void
__native_to_msqid_ds14(const struct msqid_ds *msqbuf, struct msqid_ds14 *omsqbuf)
{
+ memset(omsqbuf, 0, sizeof(*omsqbuf));
__native_to_ipc_perm14(>msg_perm, >msg_perm);
#define CVT(x) omsqbuf->x = msqbuf->x
CVS commit: [netbsd-7-1] src/sys/compat/netbsd32
Module Name:src
Committed By: martin
Date: Wed Nov 21 12:09:54 UTC 2018
Modified Files:
src/sys/compat/netbsd32 [netbsd-7-1]: netbsd32_socket.c
Log Message:
Pull up following revision(s) (requested by maxv in ticket #1652):
sys/compat/netbsd32/netbsd32_socket.c: revision 1.48 (via patch)
Fix inverted logic, which leads to buffer overflow. Detected by kASan.
To generate a diff of this commit:
cvs rdiff -u -r1.41.14.1 -r1.41.14.1.6.1 \
src/sys/compat/netbsd32/netbsd32_socket.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/compat/netbsd32/netbsd32_socket.c
diff -u src/sys/compat/netbsd32/netbsd32_socket.c:1.41.14.1 src/sys/compat/netbsd32/netbsd32_socket.c:1.41.14.1.6.1
--- src/sys/compat/netbsd32/netbsd32_socket.c:1.41.14.1 Sat Aug 8 15:41:54 2015
+++ src/sys/compat/netbsd32/netbsd32_socket.c Wed Nov 21 12:09:54 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: netbsd32_socket.c,v 1.41.14.1 2015/08/08 15:41:54 martin Exp $ */
+/* $NetBSD: netbsd32_socket.c,v 1.41.14.1.6.1 2018/11/21 12:09:54 martin Exp $ */
/*
* Copyright (c) 1998, 2001 Matthew R. Green
@@ -27,7 +27,7 @@
*/
#include
-__KERNEL_RCSID(0, "$NetBSD: netbsd32_socket.c,v 1.41.14.1 2015/08/08 15:41:54 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: netbsd32_socket.c,v 1.41.14.1.6.1 2018/11/21 12:09:54 martin Exp $");
#include
#include
@@ -99,7 +99,7 @@ copyout32_msg_control_mbuf(struct lwp *l
}
ktrkuser("msgcontrol", cmsg, cmsg->cmsg_len);
- error = copyout(, *q, MAX(i, sizeof(cmsg32)));
+ error = copyout(, *q, MIN(i, sizeof(cmsg32)));
if (error)
return (error);
if (i > CMSG32_LEN(0)) {
CVS commit: [netbsd-7-1] src/sys/compat/linux32/arch/amd64
Module Name:src Committed By: snj Date: Sat Sep 9 16:57:36 UTC 2017 Modified Files: src/sys/compat/linux32/arch/amd64 [netbsd-7-1]: linux32_machdep.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1507): sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.39 Fix a ring0 escalation vulnerability in compat_linux32 where the index of %cs is controlled by userland, making it easy to trigger the page fault and get kernel privileges. To generate a diff of this commit: cvs rdiff -u -r1.36 -r1.36.14.1 \ src/sys/compat/linux32/arch/amd64/linux32_machdep.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/linux32/arch/amd64/linux32_machdep.c diff -u src/sys/compat/linux32/arch/amd64/linux32_machdep.c:1.36 src/sys/compat/linux32/arch/amd64/linux32_machdep.c:1.36.14.1 --- src/sys/compat/linux32/arch/amd64/linux32_machdep.c:1.36 Wed Feb 19 21:45:01 2014 +++ src/sys/compat/linux32/arch/amd64/linux32_machdep.c Sat Sep 9 16:57:36 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: linux32_machdep.c,v 1.36 2014/02/19 21:45:01 dsl Exp $ */ +/* $NetBSD: linux32_machdep.c,v 1.36.14.1 2017/09/09 16:57:36 snj Exp $ */ /*- * Copyright (c) 2006 Emmanuel Dreyfus, all rights reserved. @@ -31,7 +31,7 @@ * POSSIBILITY OF SUCH DAMAGE. */ #include -__KERNEL_RCSID(0, "$NetBSD: linux32_machdep.c,v 1.36 2014/02/19 21:45:01 dsl Exp $"); +__KERNEL_RCSID(0, "$NetBSD: linux32_machdep.c,v 1.36.14.1 2017/09/09 16:57:36 snj Exp $"); #include #include @@ -417,8 +417,9 @@ linux32_restore_sigcontext(struct lwp *l /* * Check for security violations. */ - if (((scp->sc_eflags ^ tf->tf_rflags) & PSL_USERSTATIC) != 0 || - !USERMODE(scp->sc_cs, scp->sc_eflags)) + if (((scp->sc_eflags ^ tf->tf_rflags) & PSL_USERSTATIC) != 0) + return EINVAL; + if (!VALID_USER_CSEL32(scp->sc_cs)) return EINVAL; if (scp->sc_fs != 0 && !VALID_USER_DSEL32(scp->sc_fs) &&
CVS commit: [netbsd-7-1] src/sys/compat/svr4_32
Module Name:src Committed By: martin Date: Sat Aug 12 19:09:46 UTC 2017 Modified Files: src/sys/compat/svr4_32 [netbsd-7-1]: svr4_32_signal.c Log Message: Also pull up rev1.30 (accidently missed in ticket #1475) To generate a diff of this commit: cvs rdiff -u -r1.26.70.1 -r1.26.70.2 src/sys/compat/svr4_32/svr4_32_signal.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/svr4_32/svr4_32_signal.c diff -u src/sys/compat/svr4_32/svr4_32_signal.c:1.26.70.1 src/sys/compat/svr4_32/svr4_32_signal.c:1.26.70.2 --- src/sys/compat/svr4_32/svr4_32_signal.c:1.26.70.1 Sat Aug 12 03:59:55 2017 +++ src/sys/compat/svr4_32/svr4_32_signal.c Sat Aug 12 19:09:46 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: svr4_32_signal.c,v 1.26.70.1 2017/08/12 03:59:55 snj Exp $ */ +/* $NetBSD: svr4_32_signal.c,v 1.26.70.2 2017/08/12 19:09:46 martin Exp $ */ /*- * Copyright (c) 1994, 1998 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: svr4_32_signal.c,v 1.26.70.1 2017/08/12 03:59:55 snj Exp $"); +__KERNEL_RCSID(0, "$NetBSD: svr4_32_signal.c,v 1.26.70.2 2017/08/12 19:09:46 martin Exp $"); #if defined(_KERNEL_OPT) #include "opt_compat_svr4.h" @@ -397,16 +397,16 @@ svr4_32_sys_signal(struct lwp *l, const nbsa.sa_handler = (sig_t)SCARG(uap, handler); sigemptyset(_mask); nbsa.sa_flags = 0; - error = sigaction1(l, signum, , , NULL, 0); + error = sigaction1(l, native_signo, , , NULL, 0); if (error) - return (error); + return error; *retval = (u_int)(u_long)obsa.sa_handler; - return (0); + return 0; case SVR4_SIGHOLD_MASK: sighold: sigemptyset(); - sigaddset(, signum); + sigaddset(, native_signo); mutex_enter(p->p_lock); error = sigprocmask1(l, SIG_BLOCK, , 0); mutex_exit(p->p_lock); @@ -414,7 +414,7 @@ svr4_32_sys_signal(struct lwp *l, const case SVR4_SIGRELSE_MASK: sigemptyset(); - sigaddset(, signum); + sigaddset(, native_signo); mutex_enter(p->p_lock); error = sigprocmask1(l, SIG_UNBLOCK, , 0); mutex_exit(p->p_lock); @@ -424,17 +424,17 @@ svr4_32_sys_signal(struct lwp *l, const nbsa.sa_handler = SIG_IGN; sigemptyset(_mask); nbsa.sa_flags = 0; - return (sigaction1(l, signum, , 0, NULL, 0)); + return sigaction1(l, native_signo, , 0, NULL, 0); case SVR4_SIGPAUSE_MASK: mutex_enter(p->p_lock); ss = l->l_sigmask; mutex_exit(p->p_lock); - sigdelset(, signum); - return (sigsuspend1(l, )); + sigdelset(, native_signo); + return sigsuspend1(l, ); default: - return (ENOSYS); + return ENOSYS; } }
CVS commit: [netbsd-7-1] src/sys/compat/linux/common
Module Name:src
Committed By: snj
Date: Sat Aug 12 04:50:11 UTC 2017
Modified Files:
src/sys/compat/linux/common [netbsd-7-1]: linux_time.c
Log Message:
Pull up following revision(s) (requested by mrg in ticket #1486):
sys/compat/linux/common/linux_time.c: revision 1.38-1.39 via patch
Only let the superuser set the compat_linux timezone.
Not really keen to invent a new kauth cookie for this useless purpose.
>From Ilja Van Sprundel.
--
Put suser check in the right function: settimeofday, not gettimeofday.
While here, remove wrong comment.
Noted by kre@.
To generate a diff of this commit:
cvs rdiff -u -r1.37 -r1.37.16.1 src/sys/compat/linux/common/linux_time.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/compat/linux/common/linux_time.c
diff -u src/sys/compat/linux/common/linux_time.c:1.37 src/sys/compat/linux/common/linux_time.c:1.37.16.1
--- src/sys/compat/linux/common/linux_time.c:1.37 Mon Jan 13 10:33:03 2014
+++ src/sys/compat/linux/common/linux_time.c Sat Aug 12 04:50:11 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: linux_time.c,v 1.37 2014/01/13 10:33:03 njoly Exp $ */
+/* $NetBSD: linux_time.c,v 1.37.16.1 2017/08/12 04:50:11 snj Exp $ */
/*-
* Copyright (c) 2001 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
*/
#include
-__KERNEL_RCSID(0, "$NetBSD: linux_time.c,v 1.37 2014/01/13 10:33:03 njoly Exp $");
+__KERNEL_RCSID(0, "$NetBSD: linux_time.c,v 1.37.16.1 2017/08/12 04:50:11 snj Exp $");
#include
#include
@@ -102,11 +102,10 @@ linux_sys_settimeofday(struct lwp *l, co
return (error);
}
- /*
- * If user is not the superuser, we returned
- * after the sys_settimeofday() call.
- */
if (SCARG(uap, tzp)) {
+ if (kauth_authorize_generic(kauth_cred_get(),
+ KAUTH_GENERIC_ISSUSER, NULL) != 0)
+ return (EPERM);
error = copyin(SCARG(uap, tzp), _sys_tz, sizeof(linux_sys_tz));
if (error)
return (error);
CVS commit: [netbsd-7-1] src/sys/compat
Module Name:src
Committed By: snj
Date: Sat Aug 12 04:16:53 UTC 2017
Modified Files:
src/sys/compat/common [netbsd-7-1]: vfs_syscalls_12.c vfs_syscalls_43.c
src/sys/compat/ibcs2 [netbsd-7-1]: ibcs2_misc.c
src/sys/compat/linux/common [netbsd-7-1]: linux_file64.c linux_misc.c
src/sys/compat/linux32/common [netbsd-7-1]: linux32_dirent.c
src/sys/compat/osf1 [netbsd-7-1]: osf1_file.c
src/sys/compat/sunos [netbsd-7-1]: sunos_misc.c
src/sys/compat/sunos32 [netbsd-7-1]: sunos32_misc.c
src/sys/compat/svr4 [netbsd-7-1]: svr4_misc.c
src/sys/compat/svr4_32 [netbsd-7-1]: svr4_32_misc.c
Log Message:
Pull up following revision(s) (requested by mrg in ticket #1479):
sys/compat/common/vfs_syscalls_12.c: revision 1.34
sys/rump/kern/lib/libsys_sunos/rump_sunos_compat.c: revision 1.2
sys/compat/svr4_32/svr4_32_misc.c: revision 1.78
sys/compat/sunos32/sunos32_misc.c: revision 1.78
sys/compat/linux/common/linux_misc.c: revision 1.239
sys/compat/osf1/osf1_file.c: revision 1.44
sys/compat/common/vfs_syscalls_43.c: revision 1.60
sys/compat/svr4/svr4_misc.c: revision 1.158
sys/compat/ibcs2/ibcs2_misc.c: revision 1.114
sys/compat/linux/common/linux_file64.c: revision 1.59
sys/compat/linux32/common/linux32_dirent.c: revision 1.18
sys/compat/sunos/sunos_misc.c: revision 1.171
Fail, don't panic, on bad dirents from file system.
Controllable via puffs from userland.
>From Ilja Van Sprundel.
To generate a diff of this commit:
cvs rdiff -u -r1.30 -r1.30.10.1 src/sys/compat/common/vfs_syscalls_12.c
cvs rdiff -u -r1.56.4.1 -r1.56.4.1.4.1 \
src/sys/compat/common/vfs_syscalls_43.c
cvs rdiff -u -r1.112 -r1.112.18.1 src/sys/compat/ibcs2/ibcs2_misc.c
cvs rdiff -u -r1.55 -r1.55.14.1 src/sys/compat/linux/common/linux_file64.c
cvs rdiff -u -r1.229 -r1.229.8.1 src/sys/compat/linux/common/linux_misc.c
cvs rdiff -u -r1.13 -r1.13.38.1 \
src/sys/compat/linux32/common/linux32_dirent.c
cvs rdiff -u -r1.41.28.1 -r1.41.28.1.6.1 src/sys/compat/osf1/osf1_file.c
cvs rdiff -u -r1.168 -r1.168.40.1 src/sys/compat/sunos/sunos_misc.c
cvs rdiff -u -r1.74 -r1.74.28.1 src/sys/compat/sunos32/sunos32_misc.c
cvs rdiff -u -r1.155 -r1.155.34.1 src/sys/compat/svr4/svr4_misc.c
cvs rdiff -u -r1.74 -r1.74.34.1 src/sys/compat/svr4_32/svr4_32_misc.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/compat/common/vfs_syscalls_12.c
diff -u src/sys/compat/common/vfs_syscalls_12.c:1.30 src/sys/compat/common/vfs_syscalls_12.c:1.30.10.1
--- src/sys/compat/common/vfs_syscalls_12.c:1.30 Fri Jan 24 22:11:46 2014
+++ src/sys/compat/common/vfs_syscalls_12.c Sat Aug 12 04:16:52 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: vfs_syscalls_12.c,v 1.30 2014/01/24 22:11:46 christos Exp $ */
+/* $NetBSD: vfs_syscalls_12.c,v 1.30.10.1 2017/08/12 04:16:52 snj Exp $ */
/*
* Copyright (c) 1989, 1993
@@ -37,7 +37,7 @@
*/
#include
-__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_12.c,v 1.30 2014/01/24 22:11:46 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_12.c,v 1.30.10.1 2017/08/12 04:16:52 snj Exp $");
#include
#include
@@ -171,8 +171,10 @@ again:
for (cookie = cookiebuf; len > 0; len -= reclen) {
bdp = (struct dirent *)inp;
reclen = bdp->d_reclen;
- if (reclen & 3)
- panic(__func__);
+ if (reclen & 3) {
+ error = EIO;
+ goto out;
+ }
if (bdp->d_fileno == 0) {
inp += reclen; /* it is a hole; squish it out */
if (cookie)
Index: src/sys/compat/common/vfs_syscalls_43.c
diff -u src/sys/compat/common/vfs_syscalls_43.c:1.56.4.1 src/sys/compat/common/vfs_syscalls_43.c:1.56.4.1.4.1
--- src/sys/compat/common/vfs_syscalls_43.c:1.56.4.1 Sat Aug 27 15:10:59 2016
+++ src/sys/compat/common/vfs_syscalls_43.c Sat Aug 12 04:16:52 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: vfs_syscalls_43.c,v 1.56.4.1 2016/08/27 15:10:59 bouyer Exp $ */
+/* $NetBSD: vfs_syscalls_43.c,v 1.56.4.1.4.1 2017/08/12 04:16:52 snj Exp $ */
/*
* Copyright (c) 1989, 1993
@@ -37,7 +37,7 @@
*/
#include
-__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_43.c,v 1.56.4.1 2016/08/27 15:10:59 bouyer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_43.c,v 1.56.4.1.4.1 2017/08/12 04:16:52 snj Exp $");
#if defined(_KERNEL_OPT)
#include "opt_compat_netbsd.h"
@@ -450,8 +450,10 @@ again:
for (cookie = cookiebuf; len > 0; len -= reclen) {
bdp = (struct dirent *)inp;
reclen = bdp->d_reclen;
- if (reclen & 3)
- panic(__func__);
+ if (reclen & 3) {
+ error = EIO;
+ goto out;
+ }
if (bdp->d_fileno == 0) {
inp += reclen; /* it is a hole; squish it out */
if (cookie)
Index: src/sys/compat/ibcs2/ibcs2_misc.c
diff -u src/sys/compat/ibcs2/ibcs2_misc.c:1.112 src/sys/compat/ibcs2/ibcs2_misc.c:1.112.18.1
--- src/sys/compat/ibcs2/ibcs2_misc.c:1.112 Tue Oct 2 01:44:27 2012
+++ src/sys/compat/ibcs2/ibcs2_misc.c Sat Aug
CVS commit: [netbsd-7-1] src/sys/compat/ibcs2
Module Name:src
Committed By: snj
Date: Sat Aug 12 04:09:05 UTC 2017
Modified Files:
src/sys/compat/ibcs2 [netbsd-7-1]: ibcs2_exec_coff.c ibcs2_ioctl.c
ibcs2_stat.c
Log Message:
Pull up following revision(s) (requested by mrg in ticket #1477):
sys/compat/ibcs2/ibcs2_exec_coff.c: revision 1.27-1.29
sys/compat/ibcs2/ibcs2_ioctl.c: revision 1.46
sys/compat/ibcs2/ibcs2_stat.c: revision 1.49-1.50
Check for NUL termination within the buffer we have.
>From Ilja Van Sprundel.
--
Make sure we have enough space in the buffer before reading it.
>From Ilja Van Sprundel.
--
Make sure we move forward over the buffer.
>From Ilja Van Sprundel.
--
Zero buffers in ibcs2 ioctl to avoid disclosing stack to userland.
>From Ilja Van Sprundel.
--
Don't drop vnode ref until we're done with mount in ibcs2_stat(v)fs.
Nothing else guarantees the mount will stick around.
>From Ilja Van Sprundel.
--
Little happy on the commit trigger. Actually use the out label.
To generate a diff of this commit:
cvs rdiff -u -r1.26 -r1.26.16.1 src/sys/compat/ibcs2/ibcs2_exec_coff.c
cvs rdiff -u -r1.45 -r1.45.70.1 src/sys/compat/ibcs2/ibcs2_ioctl.c
cvs rdiff -u -r1.47 -r1.47.44.1 src/sys/compat/ibcs2/ibcs2_stat.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/compat/ibcs2/ibcs2_exec_coff.c
diff -u src/sys/compat/ibcs2/ibcs2_exec_coff.c:1.26 src/sys/compat/ibcs2/ibcs2_exec_coff.c:1.26.16.1
--- src/sys/compat/ibcs2/ibcs2_exec_coff.c:1.26 Fri Oct 25 14:46:35 2013
+++ src/sys/compat/ibcs2/ibcs2_exec_coff.c Sat Aug 12 04:09:05 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: ibcs2_exec_coff.c,v 1.26 2013/10/25 14:46:35 martin Exp $ */
+/* $NetBSD: ibcs2_exec_coff.c,v 1.26.16.1 2017/08/12 04:09:05 snj Exp $ */
/*
* Copyright (c) 1994, 1995, 1998 Scott Bartram
@@ -35,7 +35,7 @@
*/
#include
-__KERNEL_RCSID(0, "$NetBSD: ibcs2_exec_coff.c,v 1.26 2013/10/25 14:46:35 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ibcs2_exec_coff.c,v 1.26.16.1 2017/08/12 04:09:05 snj Exp $");
#include
#include
@@ -454,6 +454,10 @@ exec_ibcs2_coff_prep_zmagic(struct lwp *
}
bufp = tbuf;
while (len) {
+ if (len < sizeof(struct coff_slhdr)) {
+free(tbuf, M_TEMP);
+return ENOEXEC;
+ }
slhdr = (struct coff_slhdr *)bufp;
if (slhdr->path_index > LONG_MAX / sizeof(long) ||
@@ -465,7 +469,9 @@ exec_ibcs2_coff_prep_zmagic(struct lwp *
/* path_index = slhdr->path_index * sizeof(long); */
entry_len = slhdr->entry_len * sizeof(long);
- if (entry_len > len) {
+ if (entry_len < sizeof(struct coff_slhdr) ||
+ entry_len > len ||
+ strnlen(slhdr->sl_name, entry_len) == entry_len) {
free(tbuf, M_TEMP);
return ENOEXEC;
}
Index: src/sys/compat/ibcs2/ibcs2_ioctl.c
diff -u src/sys/compat/ibcs2/ibcs2_ioctl.c:1.45 src/sys/compat/ibcs2/ibcs2_ioctl.c:1.45.70.1
--- src/sys/compat/ibcs2/ibcs2_ioctl.c:1.45 Tue Jun 24 10:03:17 2008
+++ src/sys/compat/ibcs2/ibcs2_ioctl.c Sat Aug 12 04:09:05 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: ibcs2_ioctl.c,v 1.45 2008/06/24 10:03:17 gmcgarry Exp $ */
+/* $NetBSD: ibcs2_ioctl.c,v 1.45.70.1 2017/08/12 04:09:05 snj Exp $ */
/*
* Copyright (c) 1994, 1995 Scott Bartram
@@ -27,7 +27,7 @@
*/
#include
-__KERNEL_RCSID(0, "$NetBSD: ibcs2_ioctl.c,v 1.45 2008/06/24 10:03:17 gmcgarry Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ibcs2_ioctl.c,v 1.45.70.1 2017/08/12 04:09:05 snj Exp $");
#include
#include
@@ -402,8 +402,10 @@ ibcs2_sys_ioctl(struct lwp *l, const str
if ((error = (*ctl)(fp, TIOCGETA, )) != 0)
goto out;
+ memset(, 0, sizeof(sts));
btios2stios(, );
if (SCARG(uap, cmd) == IBCS2_TCGETA) {
+ memset(, 0, sizeof(st));
stios2stio(, );
error = copyout(, SCARG(uap, data), sizeof(st));
if (error)
@@ -559,6 +561,7 @@ ibcs2_sys_gtty(struct lwp *l, const stru
fd_putfile(SCARG(uap, fd));
+ memset(, 0, sizeof(itb));
itb.sg_ispeed = tb.sg_ispeed;
itb.sg_ospeed = tb.sg_ospeed;
itb.sg_erase = tb.sg_erase;
Index: src/sys/compat/ibcs2/ibcs2_stat.c
diff -u src/sys/compat/ibcs2/ibcs2_stat.c:1.47 src/sys/compat/ibcs2/ibcs2_stat.c:1.47.44.1
--- src/sys/compat/ibcs2/ibcs2_stat.c:1.47 Mon Jun 29 05:08:16 2009
+++ src/sys/compat/ibcs2/ibcs2_stat.c Sat Aug 12 04:09:05 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: ibcs2_stat.c,v 1.47 2009/06/29 05:08:16 dholland Exp $ */
+/* $NetBSD: ibcs2_stat.c,v 1.47.44.1 2017/08/12 04:09:05 snj Exp $ */
/*
* Copyright (c) 1995, 1998 Scott Bartram
* All rights reserved.
@@ -27,7 +27,7 @@
*/
#include
-__KERNEL_RCSID(0, "$NetBSD: ibcs2_stat.c,v 1.47 2009/06/29 05:08:16 dholland Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ibcs2_stat.c,v 1.47.44.1 2017/08/12 04:09:05 snj Exp $");
#include
#include
@@ -147,11 +147,13 @@ ibcs2_sys_statfs(struct lwp *l, const st
return (error);
mp = vp->v_mount;
sp = >mnt_stat;
- vrele(vp);
if ((error = VFS_STATVFS(mp, sp)) != 0)
- return (error);
+
CVS commit: [netbsd-7-1] src/sys/compat
Module Name:src
Committed By: snj
Date: Sat Aug 12 03:59:55 UTC 2017
Modified Files:
src/sys/compat/svr4 [netbsd-7-1]: svr4_lwp.c svr4_signal.c
svr4_stream.c
src/sys/compat/svr4_32 [netbsd-7-1]: svr4_32_signal.c
Log Message:
Pull up following revision(s) (requested by mrg in ticket #1475):
sys/compat/svr4/svr4_lwp.c: revision 1.20
sys/compat/svr4/svr4_signal.c: revision 1.67
sys/compat/svr4/svr4_stream.c: revision 1.89-1.91 via patch
sys/compat/svr4_32/svr4_32_signal.c: revision 1.29
Fix some of the multitudinous holes in svr4 streams.
We should never have enabled this by default; it is a minefield.
>From Ilja Van Sprundel.
--
Zero stack data before copyout.
>From Ilja Van Sprundel.
--
Fix indexing of svr4 signals.
>From Ilja Van Sprundel.
--
Feebly attempt to get this reference counting less bad.
This svr4 streams code is bad and it should feel bad.
>From Ilja Van Sprundel.
--
Check bounds in svr4_sys_putmsg. Check more svr4_strmcmd bounds.
svr4 streams code is still a disaster.
>From Ilja Van Sprundel.
To generate a diff of this commit:
cvs rdiff -u -r1.19 -r1.19.50.1 src/sys/compat/svr4/svr4_lwp.c
cvs rdiff -u -r1.65.30.1 -r1.65.30.1.6.1 src/sys/compat/svr4/svr4_signal.c
cvs rdiff -u -r1.80 -r1.80.8.1 src/sys/compat/svr4/svr4_stream.c
cvs rdiff -u -r1.26 -r1.26.70.1 src/sys/compat/svr4_32/svr4_32_signal.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/compat/svr4/svr4_lwp.c
diff -u src/sys/compat/svr4/svr4_lwp.c:1.19 src/sys/compat/svr4/svr4_lwp.c:1.19.50.1
--- src/sys/compat/svr4/svr4_lwp.c:1.19 Mon Nov 23 00:46:07 2009
+++ src/sys/compat/svr4/svr4_lwp.c Sat Aug 12 03:59:55 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: svr4_lwp.c,v 1.19 2009/11/23 00:46:07 rmind Exp $ */
+/* $NetBSD: svr4_lwp.c,v 1.19.50.1 2017/08/12 03:59:55 snj Exp $ */
/*-
* Copyright (c) 1999 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
*/
#include
-__KERNEL_RCSID(0, "$NetBSD: svr4_lwp.c,v 1.19 2009/11/23 00:46:07 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: svr4_lwp.c,v 1.19.50.1 2017/08/12 03:59:55 snj Exp $");
#include
#include
@@ -108,6 +108,8 @@ svr4_sys__lwp_info(struct lwp *l, const
struct svr4_lwpinfo lwpinfo;
int error;
+ memset(, 0, sizeof(lwpinfo));
+
/* XXX NJWLWP */
TIMEVAL_TO_TIMESPEC(>l_proc->p_stats->p_ru.ru_stime, _stime);
TIMEVAL_TO_TIMESPEC(>l_proc->p_stats->p_ru.ru_utime, _utime);
Index: src/sys/compat/svr4/svr4_signal.c
diff -u src/sys/compat/svr4/svr4_signal.c:1.65.30.1 src/sys/compat/svr4/svr4_signal.c:1.65.30.1.6.1
--- src/sys/compat/svr4/svr4_signal.c:1.65.30.1 Sat Jan 17 12:10:53 2015
+++ src/sys/compat/svr4/svr4_signal.c Sat Aug 12 03:59:55 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: svr4_signal.c,v 1.65.30.1 2015/01/17 12:10:53 martin Exp $ */
+/* $NetBSD: svr4_signal.c,v 1.65.30.1.6.1 2017/08/12 03:59:55 snj Exp $ */
/*-
* Copyright (c) 1994, 1998 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
*/
#include
-__KERNEL_RCSID(0, "$NetBSD: svr4_signal.c,v 1.65.30.1 2015/01/17 12:10:53 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: svr4_signal.c,v 1.65.30.1.6.1 2017/08/12 03:59:55 snj Exp $");
#include
#include
@@ -72,6 +72,21 @@ void native_to_svr4_sigaction(const stru
extern const int native_to_svr4_signo[];
extern const int svr4_to_native_signo[];
+static int
+svr4_decode_signum(int signum, int *native_signo, int *sigcall)
+{
+
+ if (SVR4_SIGNO(signum) >= SVR4_NSIG)
+ return EINVAL;
+
+ if (native_signo)
+ *native_signo = svr4_to_native_signo[SVR4_SIGNO(signum)];
+ if (sigcall)
+ *sigcall = SVR4_SIGCALL(signum);
+
+ return 0;
+}
+
static inline void
svr4_sigfillset(svr4_sigset_t *s)
{
@@ -173,6 +188,7 @@ svr4_sys_sigaction(struct lwp *l, const
} */
struct svr4_sigaction nssa, ossa;
struct sigaction nbsa, obsa;
+ int native_signo;
int error;
if (SCARG(uap, nsa)) {
@@ -181,7 +197,12 @@ svr4_sys_sigaction(struct lwp *l, const
return (error);
svr4_to_native_sigaction(, );
}
- error = sigaction1(l, svr4_to_native_signo[SVR4_SIGNO(SCARG(uap, signum))],
+
+ error = svr4_decode_signum(SCARG(uap, signum), _signo, NULL);
+ if (error)
+ return error;
+
+ error = sigaction1(l, native_signo,
SCARG(uap, nsa) ? : 0, SCARG(uap, osa) ? : 0,
NULL, 0);
if (error)
@@ -216,16 +237,18 @@ svr4_sys_signal(struct lwp *l, const str
syscallarg(int) signum;
syscallarg(svr4_sig_t) handler;
} */
- int signum = svr4_to_native_signo[SVR4_SIGNO(SCARG(uap, signum))];
+ int native_signo, sigcall;
struct proc *p = l->l_proc;
struct sigaction nbsa, obsa;
sigset_t ss;
int error;
- if (signum <= 0 || signum >= SVR4_NSIG)
- return (EINVAL);
+ error = svr4_decode_signum(SCARG(uap, signum), _signo,
+ );
+ if (error)
+ return error;
- switch (SVR4_SIGCALL(SCARG(uap, signum))) {
+ switch (sigcall) {
case SVR4_SIGDEFER_MASK:
if (SCARG(uap, handler) == SVR4_SIG_HOLD)
