Author: jhb
Date: Thu Jan 21 19:17:42 2010
New Revision: 202765
URL: http://svn.freebsd.org/changeset/base/202765

Log:
  MFC 198411:
  - Fix several off-by-one errors when using MAXCOMLEN.  The p_comm[] and
    td_name[] arrays are actually MAXCOMLEN + 1 in size and a few places that
    created shadow copies of these arrays were just using MAXCOMLEN.
  - Prefer using sizeof() of an array type to explicit constants for the
    array length in a few places.
  - Ensure that all of p_comm[] is always zero'd during execve() to guard
    against any possible information leaks.  Previously trailing garbage in
    p_comm[] could be leaked to userland in ktrace record headers.

Modified:
  stable/7/sys/kern/kern_exec.c
  stable/7/sys/kern/kern_ktrace.c
  stable/7/sys/kern/subr_bus.c
  stable/7/sys/kern/subr_taskqueue.c
  stable/7/sys/sys/interrupt.h
Directory Properties:
  stable/7/sys/   (props changed)
  stable/7/sys/cddl/contrib/opensolaris/   (props changed)
  stable/7/sys/contrib/dev/acpica/   (props changed)
  stable/7/sys/contrib/pf/   (props changed)

Modified: stable/7/sys/kern/kern_exec.c
==============================================================================
--- stable/7/sys/kern/kern_exec.c       Thu Jan 21 19:11:18 2010        
(r202764)
+++ stable/7/sys/kern/kern_exec.c       Thu Jan 21 19:17:42 2010        
(r202765)
@@ -559,9 +559,9 @@ interpret:
        execsigs(p);
 
        /* name this process - nameiexec(p, ndp) */
+       bzero(p->p_comm, sizeof(p->p_comm));
        len = min(ndp->ni_cnd.cn_namelen,MAXCOMLEN);
        bcopy(ndp->ni_cnd.cn_nameptr, p->p_comm, len);
-       p->p_comm[len] = 0;
 
        /*
         * mark as execed, wakeup the process that vforked (if any) and tell
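Review bot: NUL termination of p_comm[] now rests on two facts that are not stated next to the code: the bzero() on the line above covers the whole array, and len can never exceed MAXCOMLEN while the array is MAXCOMLEN + 1 bytes (per the log message), so one zero byte always remains past the copied name. That invariant is worth a comment above the bcopy(), e.g. `/* p_comm[] is MAXCOMLEN + 1 bytes; the bzero() above leaves the NUL and clears any stale tail before it reaches userland via ktrace. */`. The enclosing function continues outside the hunk, so I cannot confirm that nothing else writes p_comm[] without zero-filling it.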

Modified: stable/7/sys/kern/kern_ktrace.c
==============================================================================
--- stable/7/sys/kern/kern_ktrace.c     Thu Jan 21 19:11:18 2010        
(r202764)
+++ stable/7/sys/kern/kern_ktrace.c     Thu Jan 21 19:17:42 2010        
(r202765)
@@ -257,6 +257,10 @@ ktrace_resize_pool(u_int newsize)
        return (ktr_requestpool);
 }
 
+/* ktr_getrequest() assumes that ktr_comm[] is the same size as p_comm[]. */
+CTASSERT(sizeof(((struct ktr_header *)NULL)->ktr_comm) ==
+    (sizeof((struct proc *)NULL)->p_comm));
+
 static struct ktr_request *
 ktr_getrequest(int type)
 {
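Review bot: The two sizeof operands of the new CTASSERT are parenthesized differently: the left is `sizeof(((struct ktr_header *)NULL)->ktr_comm)` while the right is `(sizeof((struct proc *)NULL)->p_comm)`, which only parses as intended because `->` binds tighter than `sizeof`. Writing the right operand the same way, `sizeof(((struct proc *)NULL)->p_comm)`, makes the intent obvious and keeps the assertion from being misread as sizeof a pointer.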
@@ -284,7 +288,8 @@ ktr_getrequest(int type)
                microtime(&req->ktr_header.ktr_time);
                req->ktr_header.ktr_pid = p->p_pid;
                req->ktr_header.ktr_tid = td->td_tid;
-               bcopy(p->p_comm, req->ktr_header.ktr_comm, MAXCOMLEN + 1);
+               bcopy(p->p_comm, req->ktr_header.ktr_comm,
+                   sizeof(req->ktr_header.ktr_comm));
                req->ktr_buffer = NULL;
                req->ktr_header.ktr_len = 0;
        } else {
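Review bot: The bcopy() now copies the entire ktr_comm[]-sized region rather than a terminated string, and ktr_header is what ktrace writes out to userland, so every byte past the NUL in p_comm[] ends up in the record. That is safe only while every writer of p_comm[] zero-fills the array as kern_exec.c now does; a comment here would make that dependency visible to the next person who adds a writer, e.g. `/* Full-array copy: ktr_comm is exposed to userland, so p_comm[] must be kept zero-filled past its NUL by all writers. */`. The CTASSERT in the previous hunk guarantees the sizes match, so the copy itself cannot overrun.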

Modified: stable/7/sys/kern/subr_bus.c
==============================================================================
--- stable/7/sys/kern/subr_bus.c        Thu Jan 21 19:11:18 2010        
(r202764)
+++ stable/7/sys/kern/subr_bus.c        Thu Jan 21 19:17:42 2010        
(r202765)
@@ -3597,8 +3597,8 @@ int
 bus_describe_intr(device_t dev, struct resource *irq, void *cookie,
     const char *fmt, ...)
 {
-       char descr[MAXCOMLEN];
        va_list ap;
+       char descr[MAXCOMLEN + 1];
 
        if (dev->parent == NULL)
                return (EINVAL);
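Review bot: descr[] is now MAXCOMLEN + 1 bytes, but the code that formats into it lies outside the hunk, so I cannot see whether it passes MAXCOMLEN or sizeof(descr) as the bound. If it still passes the constant, it should be changed to `vsnprintf(descr, sizeof(descr), fmt, ap);` for consistency with the subr_taskqueue.c hunk in this same commit, so the buffer size and the bound cannot drift apart again. The reordering of the declaration after va_list is cosmetic and unrelated to the fix.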

Modified: stable/7/sys/kern/subr_taskqueue.c
==============================================================================
--- stable/7/sys/kern/subr_taskqueue.c  Thu Jan 21 19:11:18 2010        
(r202764)
+++ stable/7/sys/kern/subr_taskqueue.c  Thu Jan 21 19:17:42 2010        
(r202765)
@@ -343,7 +343,7 @@ taskqueue_start_threads(struct taskqueue
        va_list ap;
        struct taskqueue *tq;
        struct thread *td;
-       char ktname[MAXCOMLEN];
+       char ktname[MAXCOMLEN + 1];
        int i, error;
 
        if (count <= 0)
@@ -351,7 +351,7 @@ taskqueue_start_threads(struct taskqueue
        tq = *tqp;
 
        va_start(ap, name);
-       vsnprintf(ktname, MAXCOMLEN, name, ap);
+       vsnprintf(ktname, sizeof(ktname), name, ap);
        va_end(ap);
 
        tq->tq_pproc = malloc(sizeof(struct proc *) * count, M_TASKQUEUE,
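Review bot: vsnprintf()'s return value is discarded, so a name that formats to more than MAXCOMLEN characters is still silently truncated; with sizeof(ktname) as the bound that is now at least safe, but the truncation is invisible to the caller. Presumably this is intended because the thread name field it feeds is the same size, so a one-line comment above the call would settle it: `/* Truncation to MAXCOMLEN is intended; the thread name is the same size. */`. The previous hunk's `char ktname[MAXCOMLEN + 1];` and this bound must stay in step, which sizeof(ktname) now ensures.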

Modified: stable/7/sys/sys/interrupt.h
==============================================================================
--- stable/7/sys/sys/interrupt.h        Thu Jan 21 19:11:18 2010        
(r202764)
+++ stable/7/sys/sys/interrupt.h        Thu Jan 21 19:17:42 2010        
(r202765)
@@ -47,7 +47,7 @@ struct intr_handler {
        driver_intr_t   *ih_handler;    /* Handler function. */
        void            *ih_argument;   /* Argument to pass to handler. */
        int              ih_flags;
-       char             ih_name[MAXCOMLEN]; /* Name of handler. */
+       char             ih_name[MAXCOMLEN + 1]; /* Name of handler. */
        struct intr_event *ih_event;    /* Event we are connected to. */
        int              ih_need;       /* Needs service. */
        TAILQ_ENTRY(intr_handler) ih_next; /* Next handler for this event. */
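Review bot: Growing ih_name[] by one byte shifts the offsets of every later member of struct intr_handler (ih_event, ih_need, ih_next, ...), and the next hunk does the same to struct intr_event via ie_name[] and ie_fullname[]. On a stable branch this is a kernel binary interface change for any out-of-tree module that touches these structures directly; presumably none do since the header is kernel-internal, but the log message does not mention the layout change, and a note there or in the header would help anyone diagnosing mismatched modules after the MFC.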
@@ -94,8 +94,8 @@ struct intr_handler {
 struct intr_event {
        TAILQ_ENTRY(intr_event) ie_list;
        TAILQ_HEAD(, intr_handler) ie_handlers; /* Interrupt handlers. */
-       char            ie_name[MAXCOMLEN]; /* Individual event name. */
-       char            ie_fullname[MAXCOMLEN];
+       char            ie_name[MAXCOMLEN + 1]; /* Individual event name. */
+       char            ie_fullname[MAXCOMLEN + 1];
        struct mtx      ie_lock;
        void            *ie_source;     /* Cookie used by MD code. */
        struct intr_thread *ie_thread;  /* Thread we are connected to. */