From owner-svn-src-all@FreeBSD.ORG  Fri Oct 23 15:14:54 2009
Return-Path: <owner-svn-src-all@FreeBSD.ORG>
Delivered-To: svn-src-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id BE247106568D;
	Fri, 23 Oct 2009 15:14:54 +0000 (UTC) (envelope-from jhb@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c])
	by mx1.freebsd.org (Postfix) with ESMTP id AC18A8FC13;
	Fri, 23 Oct 2009 15:14:54 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1])
	by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id n9NFEsNU064879;
	Fri, 23 Oct 2009 15:14:54 GMT (envelope-from jhb@svn.freebsd.org)
Received: (from jhb@localhost)
	by svn.freebsd.org (8.14.3/8.14.3/Submit) id n9NFEsfW064873;
	Fri, 23 Oct 2009 15:14:54 GMT (envelope-from jhb@svn.freebsd.org)
Message-Id: <200910231514.n9NFEsfW064873@svn.freebsd.org>
From: John Baldwin <jhb@FreeBSD.org>
Date: Fri, 23 Oct 2009 15:14:54 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
	svn-src-head@freebsd.org
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: 
Subject: svn commit: r198411 - in head/sys: kern sys
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
	user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-all>,
	<mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-all>,
	<mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Oct 2009 15:14:54 -0000

Author: jhb
Date: Fri Oct 23 15:14:54 2009
New Revision: 198411
URL: http://svn.freebsd.org/changeset/base/198411

Log:
  - Fix several off-by-one errors when using MAXCOMLEN.  The p_comm[] and
    td_name[] arrays are actually MAXCOMLEN + 1 in size and a few places that
    created shadow copies of these arrays were just using MAXCOMLEN.
  - Prefer using sizeof() of an array type to explicit constants for the
    array length in a few places.
  - Ensure that all of p_comm[] and td_name[] is always zero'd during
    execve() to guard against any possible information leaks.  Previously
    trailing garbage in p_comm[] could be leaked to userland in ktrace
    record headers via td_name[].
  
  Reviewed by:	bde

Modified:
  head/sys/kern/kern_exec.c
  head/sys/kern/kern_ktrace.c
  head/sys/kern/subr_bus.c
  head/sys/kern/subr_taskqueue.c
  head/sys/sys/interrupt.h

Modified: head/sys/kern/kern_exec.c
==============================================================================
--- head/sys/kern/kern_exec.c	Fri Oct 23 15:12:05 2009	(r198410)
+++ head/sys/kern/kern_exec.c	Fri Oct 23 15:14:54 2009	(r198411)
@@ -326,7 +326,7 @@ do_execve(td, args, mac_p)
 	struct ucred *newcred = NULL, *oldcred;
 	struct uidinfo *euip;
 	register_t *stack_base;
-	int error, len = 0, i;
+	int error, i;
 	struct image_params image_params, *imgp;
 	struct vattr attr;
 	int (*img_first)(struct image_params *);
@@ -602,18 +602,12 @@ interpret:
 	execsigs(p);
 
 	/* name this process - nameiexec(p, ndp) */
-	if (args->fname) {
-		len = min(nd.ni_cnd.cn_namelen,MAXCOMLEN);
-		bcopy(nd.ni_cnd.cn_nameptr, p->p_comm, len);
-	} else {
-		if (vn_commname(binvp, p->p_comm, MAXCOMLEN + 1) == 0)
-			len = MAXCOMLEN;
-		else {
-			len = sizeof(fexecv_proc_title);
-			bcopy(fexecv_proc_title, p->p_comm, len);
-		}
-	}
-	p->p_comm[len] = 0;
+	bzero(p->p_comm, sizeof(p->p_comm));
+	if (args->fname)
+		bcopy(nd.ni_cnd.cn_nameptr, p->p_comm,
+		    min(nd.ni_cnd.cn_namelen, MAXCOMLEN));
+	else if (vn_commname(binvp, p->p_comm, sizeof(p->p_comm)) != 0)
+		bcopy(fexecv_proc_title, p->p_comm, sizeof(fexecv_proc_title));
 	bcopy(p->p_comm, td->td_name, sizeof(td->td_name));
 
 	/*

Modified: head/sys/kern/kern_ktrace.c
==============================================================================
--- head/sys/kern/kern_ktrace.c	Fri Oct 23 15:12:05 2009	(r198410)
+++ head/sys/kern/kern_ktrace.c	Fri Oct 23 15:14:54 2009	(r198411)
@@ -256,6 +256,10 @@ ktrace_resize_pool(u_int newsize)
 	return (ktr_requestpool);
 }
 
+/* ktr_getrequest() assumes that ktr_comm[] is the same size as td_name[]. */
+CTASSERT(sizeof(((struct ktr_header *)NULL)->ktr_comm) ==
+    (sizeof((struct thread *)NULL)->td_name));
+
 static struct ktr_request *
 ktr_getrequest(int type)
 {
@@ -283,7 +287,8 @@ ktr_getrequest(int type)
 		microtime(&req->ktr_header.ktr_time);
 		req->ktr_header.ktr_pid = p->p_pid;
 		req->ktr_header.ktr_tid = td->td_tid;
-		bcopy(td->td_name, req->ktr_header.ktr_comm, MAXCOMLEN + 1);
+		bcopy(td->td_name, req->ktr_header.ktr_comm,
+		    sizeof(req->ktr_header.ktr_comm));
 		req->ktr_buffer = NULL;
 		req->ktr_header.ktr_len = 0;
 	} else {

Modified: head/sys/kern/subr_bus.c
==============================================================================
--- head/sys/kern/subr_bus.c	Fri Oct 23 15:12:05 2009	(r198410)
+++ head/sys/kern/subr_bus.c	Fri Oct 23 15:14:54 2009	(r198411)
@@ -3861,8 +3861,8 @@ int
 bus_describe_intr(device_t dev, struct resource *irq, void *cookie,
     const char *fmt, ...)
 {
-	char descr[MAXCOMLEN];
 	va_list ap;
+	char descr[MAXCOMLEN + 1];
 
 	if (dev->parent == NULL)
 		return (EINVAL);

Modified: head/sys/kern/subr_taskqueue.c
==============================================================================
--- head/sys/kern/subr_taskqueue.c	Fri Oct 23 15:12:05 2009	(r198410)
+++ head/sys/kern/subr_taskqueue.c	Fri Oct 23 15:14:54 2009	(r198411)
@@ -301,7 +301,7 @@ taskqueue_start_threads(struct taskqueue
 	struct thread *td;
 	struct taskqueue *tq;
 	int i, error;
-	char ktname[MAXCOMLEN];
+	char ktname[MAXCOMLEN + 1];
 
 	if (count <= 0)
 		return (EINVAL);
@@ -309,7 +309,7 @@ taskqueue_start_threads(struct taskqueue
 	tq = *tqp;
 
 	va_start(ap, name);
-	vsnprintf(ktname, MAXCOMLEN, name, ap);
+	vsnprintf(ktname, sizeof(ktname), name, ap);
 	va_end(ap);
 
 	tq->tq_threads = malloc(sizeof(struct thread *) * count, M_TASKQUEUE,

Modified: head/sys/sys/interrupt.h
==============================================================================
--- head/sys/sys/interrupt.h	Fri Oct 23 15:12:05 2009	(r198410)
+++ head/sys/sys/interrupt.h	Fri Oct 23 15:14:54 2009	(r198411)
@@ -47,7 +47,7 @@ struct intr_handler {
 	driver_intr_t	*ih_handler;	/* Threaded handler function. */
 	void		*ih_argument;	/* Argument to pass to handlers. */
 	int		 ih_flags;
-	char		 ih_name[MAXCOMLEN]; /* Name of handler. */
+	char		 ih_name[MAXCOMLEN + 1]; /* Name of handler. */
 	struct intr_event *ih_event;	/* Event we are connected to. */
 	int		 ih_need;	/* Needs service. */
 	TAILQ_ENTRY(intr_handler) ih_next; /* Next handler for this event. */
@@ -104,8 +104,8 @@ struct intr_handler {
 struct intr_event {
 	TAILQ_ENTRY(intr_event) ie_list;
 	TAILQ_HEAD(, intr_handler) ie_handlers; /* Interrupt handlers. */
-	char		ie_name[MAXCOMLEN]; /* Individual event name. */
-	char		ie_fullname[MAXCOMLEN];
+	char		ie_name[MAXCOMLEN + 1]; /* Individual event name. */
+	char		ie_fullname[MAXCOMLEN + 1];
 	struct mtx	ie_lock;
 	void		*ie_source;	/* Cookie used by MD code. */
 	struct intr_thread *ie_thread;	/* Thread we are connected to. */