Date: Tue, 28 Oct 2014 15:28:21 +0000 (UTC) From: Konstantin Belousov <kib@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r273784 - in head/sys: amd64/ia32 compat/freebsd32 i386/i386 kern net Message-ID: <201410281528.s9SFSLs2013764@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: kib Date: Tue Oct 28 15:28:20 2014 New Revision: 273784 URL: https://svnweb.freebsd.org/changeset/base/273784 Log: Replace some calls to fuword() by fueword() with proper error checking. Sponsored by: The FreeBSD Foundation Tested by: pho MFC after: 3 weeks Modified: head/sys/amd64/ia32/ia32_syscall.c head/sys/compat/freebsd32/freebsd32_misc.c head/sys/i386/i386/trap.c head/sys/kern/kern_exec.c head/sys/kern/vfs_acl.c head/sys/net/if_spppsubr.c Modified: head/sys/amd64/ia32/ia32_syscall.c ============================================================================== --- head/sys/amd64/ia32/ia32_syscall.c Tue Oct 28 15:22:13 2014 (r273783) +++ head/sys/amd64/ia32/ia32_syscall.c Tue Oct 28 15:28:20 2014 (r273784) @@ -110,7 +110,7 @@ ia32_fetch_syscall_args(struct thread *t struct proc *p; struct trapframe *frame; caddr_t params; - u_int32_t args[8]; + u_int32_t args[8], tmp; int error, i; p = td->td_proc; @@ -126,7 +126,10 @@ ia32_fetch_syscall_args(struct thread *t /* * Code is first argument, followed by actual args. */ - sa->code = fuword32(params); + error = fueword32(params, &tmp); + if (error == -1) + return (EFAULT); + sa->code = tmp; params += sizeof(int); } else if (sa->code == SYS___syscall) { /* @@ -135,7 +138,10 @@ ia32_fetch_syscall_args(struct thread *t * We use a 32-bit fetch in case params is not * aligned. */ - sa->code = fuword32(params); + error = fueword32(params, &tmp); + if (error == -1) + return (EFAULT); + sa->code = tmp; params += sizeof(quad_t); } if (p->p_sysent->sv_mask) Modified: head/sys/compat/freebsd32/freebsd32_misc.c ============================================================================== --- head/sys/compat/freebsd32/freebsd32_misc.c Tue Oct 28 15:22:13 2014 (r273783) +++ head/sys/compat/freebsd32/freebsd32_misc.c Tue Oct 28 15:28:20 2014 (r273784) @@ -1832,16 +1832,21 @@ freebsd32_sysctl(struct thread *td, stru { int error, name[CTL_MAXNAME]; size_t j, oldlen; + uint32_t tmp; if (uap->namelen > CTL_MAXNAME || uap->namelen < 2) return (EINVAL); error = copyin(uap->name, name, uap->namelen * sizeof(int)); if (error) return (error); - if (uap->oldlenp) - oldlen = fuword32(uap->oldlenp); - else + if (uap->oldlenp) { + error = fueword32(uap->oldlenp, &tmp); + oldlen = tmp; + } else { oldlen = 0; + } + if (error != 0) + return (EFAULT); error = userland_sysctl(td, name, uap->namelen, uap->old, &oldlen, 1, uap->new, uap->newlen, &j, SCTL_MASK32); Modified: head/sys/i386/i386/trap.c ============================================================================== --- head/sys/i386/i386/trap.c Tue Oct 28 15:22:13 2014 (r273783) +++ head/sys/i386/i386/trap.c Tue Oct 28 15:28:20 2014 (r273784) @@ -1059,6 +1059,7 @@ cpu_fetch_syscall_args(struct thread *td struct proc *p; struct trapframe *frame; caddr_t params; + long tmp; int error; p = td->td_proc; @@ -1074,14 +1075,20 @@ cpu_fetch_syscall_args(struct thread *td /* * Code is first argument, followed by actual args. */ - sa->code = fuword(params); + error = fueword(params, &tmp); + if (error == -1) + return (EFAULT); + sa->code = tmp; params += sizeof(int); } else if (sa->code == SYS___syscall) { /* * Like syscall, but code is a quad, so as to maintain * quad alignment for the rest of the arguments. */ - sa->code = fuword(params); + error = fueword(params, &tmp); + if (error == -1) + return (EFAULT); + sa->code = tmp; params += sizeof(quad_t); } Modified: head/sys/kern/kern_exec.c ============================================================================== --- head/sys/kern/kern_exec.c Tue Oct 28 15:22:13 2014 (r273783) +++ head/sys/kern/kern_exec.c Tue Oct 28 15:28:20 2014 (r273784) @@ -1091,7 +1091,7 @@ int exec_copyin_args(struct image_args *args, char *fname, enum uio_seg segflg, char **argv, char **envv) { - char *argp, *envp; + u_long argp, envp; int error; size_t length; @@ -1127,13 +1127,17 @@ exec_copyin_args(struct image_args *args /* * extract arguments first */ - while ((argp = (caddr_t) (intptr_t) fuword(argv++))) { - if (argp == (caddr_t) -1) { + for (;;) { + error = fueword(argv++, &argp); + if (error == -1) { error = EFAULT; goto err_exit; } - if ((error = copyinstr(argp, args->endp, - args->stringspace, &length))) { + if (argp == 0) + break; + error = copyinstr((void *)(uintptr_t)argp, args->endp, + args->stringspace, &length); + if (error != 0) { if (error == ENAMETOOLONG) error = E2BIG; goto err_exit; @@ -1149,13 +1153,17 @@ exec_copyin_args(struct image_args *args * extract environment strings */ if (envv) { - while ((envp = (caddr_t)(intptr_t)fuword(envv++))) { - if (envp == (caddr_t)-1) { + for (;;) { + error = fueword(envv++, &envp); + if (error == -1) { error = EFAULT; goto err_exit; } - if ((error = copyinstr(envp, args->endp, - args->stringspace, &length))) { + if (envp == 0) + break; + error = copyinstr((void *)(uintptr_t)envp, + args->endp, args->stringspace, &length); + if (error != 0) { if (error == ENAMETOOLONG) error = E2BIG; goto err_exit; Modified: head/sys/kern/vfs_acl.c ============================================================================== --- head/sys/kern/vfs_acl.c Tue Oct 28 15:22:13 2014 (r273783) +++ head/sys/kern/vfs_acl.c Tue Oct 28 15:28:20 2014 (r273784) @@ -148,6 +148,7 @@ acl_copyin(void *user_acl, struct acl *k static int acl_copyout(struct acl *kernel_acl, void *user_acl, acl_type_t type) { + uint32_t am; int error; struct oldacl old; @@ -162,8 +163,11 @@ acl_copyout(struct acl *kernel_acl, void break; default: - if (fuword32((char *)user_acl + - offsetof(struct acl, acl_maxcnt)) != ACL_MAX_ENTRIES) + error = fueword32((char *)user_acl + + offsetof(struct acl, acl_maxcnt), &am); + if (error == -1) + return (EFAULT); + if (am != ACL_MAX_ENTRIES) return (EINVAL); error = copyout(kernel_acl, user_acl, sizeof(*kernel_acl)); Modified: head/sys/net/if_spppsubr.c ============================================================================== --- head/sys/net/if_spppsubr.c Tue Oct 28 15:22:13 2014 (r273783) +++ head/sys/net/if_spppsubr.c Tue Oct 28 15:28:20 2014 (r273784) @@ -5060,7 +5060,8 @@ sppp_params(struct sppp *sp, u_long cmd, * Check the cmd word first before attempting to fetch all the * data. */ - if ((subcmd = fuword(ifr->ifr_data)) == -1) { + rv = fueword(ifr->ifr_data, &subcmd); + if (rv == -1) { rv = EFAULT; goto quit; }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201410281528.s9SFSLs2013764>