Module Name: src Committed By: mrg Date: Wed Aug 10 01:16:39 UTC 2022
Modified Files: src/sys/dev/raidframe: rf_disks.c rf_driver.c rf_netbsdkintf.c Log Message: raidframe: reject invalid values for numCol and numSpares numCol and numSpares are "int" so they can be "-1" internally, which means negative values need to be rejected, as well as values higher than RF_MAXCOL/RF_MAXSPARES. explicitly nul-terminate all strings coming from userland. some minor CSE that avoids signed arith. this fixes issues in the RAIDFRAME_ADD_HOT_SPARE, RAIDFRAME_CONFIGURE, RAIDFRAME_DELETE_COMPONENT, RAIDFRAME_INCORPORATE_HOT_SPARE, and RAIDFRAME_REBUILD_IN_PLACE ioctl commands. Reported-by: syzbot+b584943ad1f8ab9d4...@syzkaller.appspotmail.com https://syzkaller.appspot.com/bug?id=61e07e418261f8eec8a37a9226725fe31820edd0 https://syzkaller.appspot.com/bug?id=ca0c997b40de81c0f0b44790217731f142003149 https://syzkaller.appspot.com/bug?id=6fc452d228453494655a85264591dd9054cc0b08 https://syzkaller.appspot.com/bug?id=873f0271682713a27adc9a49dd7109c70b35fda3 XXX: pullup-8, pullup-9. ok oster@ riastradh@ To generate a diff of this commit: cvs rdiff -u -r1.92 -r1.93 src/sys/dev/raidframe/rf_disks.c cvs rdiff -u -r1.139 -r1.140 src/sys/dev/raidframe/rf_driver.c cvs rdiff -u -r1.407 -r1.408 src/sys/dev/raidframe/rf_netbsdkintf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.