Module Name: src
Committed By: snj
Date: Thu Jun 15 05:53:00 UTC 2017
Modified Files:
src/sys/arch/ews4800mips/sbd [netbsd-7]: fb_sbdio.c
src/sys/arch/pmax/ibus [netbsd-7]: pm.c
src/sys/dev/hpc [netbsd-7]: bivideo.c
src/sys/dev/ic [netbsd-7]: sti.c
Log Message:
Pull up following revision(s) (requested by spz in ticket #1432):
sys/arch/ews4800mips/sbd/fb_sbdio.c: revision 1.16
sys/arch/pmax/ibus/pm.c: revision 1.13
sys/dev/hpc/bivideo.c: revision 1.34
sys/dev/ic/sti.c: revision 1.19
correct size checks so they cannot be circumvented by integer overflows
reported by CTurt, thanks for the notification
To generate a diff of this commit:
cvs rdiff -u -r1.13.4.1 -r1.13.4.2 src/sys/arch/ews4800mips/sbd/fb_sbdio.c
cvs rdiff -u -r1.12 -r1.12.4.1 src/sys/arch/pmax/ibus/pm.c
cvs rdiff -u -r1.33 -r1.33.12.1 src/sys/dev/hpc/bivideo.c
cvs rdiff -u -r1.18 -r1.18.2.1 src/sys/dev/ic/sti.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/arch/ews4800mips/sbd/fb_sbdio.c
diff -u src/sys/arch/ews4800mips/sbd/fb_sbdio.c:1.13.4.1 src/sys/arch/ews4800mips/sbd/fb_sbdio.c:1.13.4.2
--- src/sys/arch/ews4800mips/sbd/fb_sbdio.c:1.13.4.1 Mon Nov 10 17:59:56 2014
+++ src/sys/arch/ews4800mips/sbd/fb_sbdio.c Thu Jun 15 05:52:59 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: fb_sbdio.c,v 1.13.4.1 2014/11/10 17:59:56 snj Exp $ */
+/* $NetBSD: fb_sbdio.c,v 1.13.4.2 2017/06/15 05:52:59 snj Exp $ */
/*-
* Copyright (c) 2004, 2005 The NetBSD Foundation, Inc.
@@ -32,7 +32,7 @@
#define WIRED_FB_TLB
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: fb_sbdio.c,v 1.13.4.1 2014/11/10 17:59:56 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: fb_sbdio.c,v 1.13.4.2 2017/06/15 05:52:59 snj Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -303,6 +303,8 @@ _fb_ioctl(void *v, void *vs, u_long cmd,
if (ri->ri_flg == RI_FORCEMONO)
break;
ga_clut_get(ga);
+ if (cmap->index >= 256 || cmap->count > 256 - cmap->index)
+ return (EINVAL);
for (i = 0; i < cmap->count; i++) {
cmap->red[i] = ga->clut[cmap->index + i][0];
cmap->green[i] = ga->clut[cmap->index + i][1];
@@ -313,6 +315,8 @@ _fb_ioctl(void *v, void *vs, u_long cmd,
case WSDISPLAYIO_PUTCMAP:
if (ri->ri_flg == RI_FORCEMONO)
break;
+ if (cmap->index >= 256 || cmap->count > 256 - cmap->index)
+ return (EINVAL);
for (i = 0; i < cmap->count; i++) {
ga->clut[cmap->index + i][0] = cmap->red[i];
ga->clut[cmap->index + i][1] = cmap->green[i];
Index: src/sys/arch/pmax/ibus/pm.c
diff -u src/sys/arch/pmax/ibus/pm.c:1.12 src/sys/arch/pmax/ibus/pm.c:1.12.4.1
--- src/sys/arch/pmax/ibus/pm.c:1.12 Sun Nov 10 20:09:52 2013
+++ src/sys/arch/pmax/ibus/pm.c Thu Jun 15 05:52:59 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: pm.c,v 1.12 2013/11/10 20:09:52 christos Exp $ */
+/* $NetBSD: pm.c,v 1.12.4.1 2017/06/15 05:52:59 snj Exp $ */
/*-
* Copyright (c) 2002, 2003 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: pm.c,v 1.12 2013/11/10 20:09:52 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: pm.c,v 1.12.4.1 2017/06/15 05:52:59 snj Exp $");
#include <sys/param.h>
#include <sys/buf.h>
@@ -666,7 +666,7 @@ pm_get_cmap(struct pm_softc *sc, struct
index = p->index;
count = p->count;
- if (index >= sc->sc_cmap_size || (index + count) > sc->sc_cmap_size)
+ if (index >= sc->sc_cmap_size || count > sc->sc_cmap_size - index)
return (EINVAL);
if ((rv = copyout(&sc->sc_cmap.r[index], p->red, count)) != 0)
@@ -685,7 +685,7 @@ pm_set_cmap(struct pm_softc *sc, struct
index = p->index;
count = p->count;
- if (index >= sc->sc_cmap_size || (index + count) > sc->sc_cmap_size)
+ if (index >= sc->sc_cmap_size || count > sc->sc_cmap_size - index)
return (EINVAL);
if ((rv = copyin(p->red, &sc->sc_cmap.r[index], count)) != 0)
Index: src/sys/dev/hpc/bivideo.c
diff -u src/sys/dev/hpc/bivideo.c:1.33 src/sys/dev/hpc/bivideo.c:1.33.12.1
--- src/sys/dev/hpc/bivideo.c:1.33 Sat Oct 27 17:18:17 2012
+++ src/sys/dev/hpc/bivideo.c Thu Jun 15 05:53:00 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: bivideo.c,v 1.33 2012/10/27 17:18:17 chs Exp $ */
+/* $NetBSD: bivideo.c,v 1.33.12.1 2017/06/15 05:53:00 snj Exp $ */
/*-
* Copyright (c) 1999-2001
@@ -35,7 +35,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: bivideo.c,v 1.33 2012/10/27 17:18:17 chs Exp $");
+__KERNEL_RCSID(0, "$NetBSD: bivideo.c,v 1.33.12.1 2017/06/15 05:53:00 snj Exp $");
#ifdef _KERNEL_OPT
#include "opt_hpcfb.h"
@@ -402,8 +402,8 @@ bivideo_ioctl(void *v, u_long cmd, void
if (sc->sc_fbconf.hf_class != HPCFB_CLASS_INDEXCOLOR ||
sc->sc_fbconf.hf_pack_width != 8 ||
- 256 <= cmap->index ||
- 256 < (cmap->index + cmap->count))
+ cmap->index >= 256 ||
+ cmap->count > 256 - cmap->index)
return (EINVAL);
error = copyout(&bivideo_cmap_r[cmap->index], cmap->red,
Index: src/sys/dev/ic/sti.c
diff -u src/sys/dev/ic/sti.c:1.18 src/sys/dev/ic/sti.c:1.18.2.1
--- src/sys/dev/ic/sti.c:1.18 Sun Jun 29 04:08:43 2014
+++ src/sys/dev/ic/sti.c Thu Jun 15 05:53:00 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: sti.c,v 1.18 2014/06/29 04:08:43 tsutsui Exp $ */
+/* $NetBSD: sti.c,v 1.18.2.1 2017/06/15 05:53:00 snj Exp $ */
/* $OpenBSD: sti.c,v 1.61 2009/09/05 14:09:35 miod Exp $ */
@@ -35,7 +35,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: sti.c,v 1.18 2014/06/29 04:08:43 tsutsui Exp $");
+__KERNEL_RCSID(0, "$NetBSD: sti.c,v 1.18.2.1 2017/06/15 05:53:00 snj Exp $");
#include "wsdisplay.h"
@@ -1017,7 +1017,7 @@ sti_ioctl(void *v, void *vs, u_long cmd,
cmapp = (struct wsdisplay_cmap *)data;
idx = cmapp->index;
count = cmapp->count;
- if (idx >= STI_NCMAP || idx + count > STI_NCMAP)
+ if (idx >= STI_NCMAP || count > STI_NCMAP - idx)
return EINVAL;
if ((ret = copyout(&scr->scr_rcmap[idx], cmapp->red, count)))
break;
@@ -1033,7 +1033,7 @@ sti_ioctl(void *v, void *vs, u_long cmd,
cmapp = (struct wsdisplay_cmap *)data;
idx = cmapp->index;
count = cmapp->count;
- if (idx >= STI_NCMAP || idx + count > STI_NCMAP)
+ if (idx >= STI_NCMAP || count > STI_NCMAP - idx)
return EINVAL;
if ((ret = copyin(cmapp->red, &scr->scr_rcmap[idx], count)))
break;
