Module Name:    src
Committed By:   snj
Date:           Sat Aug 19 05:19:30 UTC 2017

Modified Files:
        src/sys/dev [netbsd-7-1]: vnd.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1476):
        sys/dev/vnd.c: revision 1.260, 1.262 via patch
Put in a litany of judicious bounds checks around vnd headers.
Thought I was done with this crap after I rewrote vndcompress(1)!
From Ilja Van Sprundel.
--
Appease toxic bullshit warning from gcc.
If you have a better way to write a useful bounds check that happens
to always pass on LP64 but doesn't always on LP32, without making it
fail to compile on LP64 or making it an #ifdef conditional on LP32,
please put it in here instead.


To generate a diff of this commit:
cvs rdiff -u -r1.232.2.4 -r1.232.2.4.4.1 src/sys/dev/vnd.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/vnd.c
diff -u src/sys/dev/vnd.c:1.232.2.4 src/sys/dev/vnd.c:1.232.2.4.4.1
--- src/sys/dev/vnd.c:1.232.2.4	Wed Nov 18 08:48:46 2015
+++ src/sys/dev/vnd.c	Sat Aug 19 05:19:30 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: vnd.c,v 1.232.2.4 2015/11/18 08:48:46 msaitoh Exp $	*/
+/*	$NetBSD: vnd.c,v 1.232.2.4.4.1 2017/08/19 05:19:30 snj Exp $	*/
 
 /*-
  * Copyright (c) 1996, 1997, 1998, 2008 The NetBSD Foundation, Inc.
@@ -91,7 +91,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: vnd.c,v 1.232.2.4 2015/11/18 08:48:46 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vnd.c,v 1.232.2.4.4.1 2017/08/19 05:19:30 snj Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_vnd.h"
@@ -1238,6 +1238,13 @@ vndioctl(dev_t dev, u_long cmd, void *da
 				VOP_UNLOCK(nd.ni_vp);
 				goto close_and_exit;
 			}
+
+			if (ntohl(ch->block_size) == 0 ||
+			    ntohl(ch->num_blocks) > UINT32_MAX - 1) {
+				free(ch, M_TEMP);
+				VOP_UNLOCK(nd.ni_vp);
+				goto close_and_exit;
+			}
  
 			/* save some header info */
 			vnd->sc_comp_blksz = ntohl(ch->block_size);
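Review bot: The new rejection branch for `ntohl(ch->block_size) == 0 || ntohl(ch->num_blocks) > UINT32_MAX - 1` jumps to `close_and_exit` without assigning `error`, unlike the rejection paths in the following hunk, which set `error = EINVAL` first. The value `error` holds here is assigned outside the hunk; if it is still 0 after a successful header read, a malformed compressed-image header would be refused while the ioctl may still report success to the caller. Adding `error = EINVAL;` before the `goto` would make the failure explicit and consistent with the other checks. vndioctl's body starts and ends outside the hunk.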
@@ -1249,20 +1256,40 @@ vndioctl(dev_t dev, u_long cmd, void *da
 				error = EINVAL;
 				goto close_and_exit;
 			}
-			if (sizeof(struct vnd_comp_header) +
-			  sizeof(u_int64_t) * vnd->sc_comp_numoffs >
-			  vattr.va_size) {
+			KASSERT(0 < vnd->sc_comp_blksz);
+			KASSERT(0 < vnd->sc_comp_numoffs);
+			/*
+			 * @#^@!$& gcc -Wtype-limits refuses to let me
+			 * write SIZE_MAX/sizeof(uint64_t) < numoffs,
+			 * because the range of the type on amd64 makes
+			 * the comparisons always false.
+			 */
+#if SIZE_MAX <= UINT32_MAX*(64/CHAR_BIT)
+			if (SIZE_MAX/sizeof(uint64_t) < vnd->sc_comp_numoffs) {
+				VOP_UNLOCK(nd.ni_vp);
+				error = EINVAL;
+				goto close_and_exit;
+			}
+#endif
+			if ((vattr.va_size < sizeof(struct vnd_comp_header)) ||
+			    (vattr.va_size - sizeof(struct vnd_comp_header) <
+				sizeof(uint64_t)*vnd->sc_comp_numoffs) ||
+			    (UQUAD_MAX/vnd->sc_comp_blksz <
+				vnd->sc_comp_numoffs - 1)) {
 				VOP_UNLOCK(nd.ni_vp);
 				error = EINVAL;
 				goto close_and_exit;
 			}
  
 			/* set decompressed file size */
+			KASSERT(vnd->sc_comp_numoffs - 1 <=
+			    UQUAD_MAX/vnd->sc_comp_blksz);
 			vattr.va_size =
 			    ((u_quad_t)vnd->sc_comp_numoffs - 1) *
 			     (u_quad_t)vnd->sc_comp_blksz;
  
 			/* allocate space for all the compressed offsets */
+			__CTASSERT(UINT32_MAX <= UQUAD_MAX/sizeof(uint64_t));
 			vnd->sc_comp_offsets =
 			malloc(sizeof(u_int64_t) * vnd->sc_comp_numoffs,
 			M_DEVBUF, M_WAITOK);
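Review bot: The `__CTASSERT(UINT32_MAX <= UQUAD_MAX/sizeof(uint64_t))` placed before the allocation only shows that the product fits in 64 bits, while the `sizeof(u_int64_t) * vnd->sc_comp_numoffs` handed to `malloc` is presumably evaluated in `size_t` (the field's type is declared outside the hunk). On LP32 the real protection against wrap-around is the earlier `#if SIZE_MAX <= UINT32_MAX*(64/CHAR_BIT)` block, and nothing at the allocation site says so. A short comment next to the assert would keep a later edit from removing that guard as redundant, for example `/* size_t overflow of this product is excluded on LP32 by the SIZE_MAX/sizeof(uint64_t) check above */`. The `KASSERT` lines are likewise only restatements of the runtime checks and should be described as such, since the rejection logic must not depend on them. vndioctl's body starts and ends outside the hunk.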
