Date: Thu, 21 Jan 2010 19:17:43 +0000 (UTC) From: John Baldwin <jhb@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-7@freebsd.org Subject: svn commit: r202765 - in stable/7/sys: kern sys Message-ID: <201001211917.o0LJHhZH020308@svn.freebsd.org>
Author: jhb Date: Thu Jan 21 19:17:42 2010 New Revision: 202765 URL: http://svn.freebsd.org/changeset/base/202765 Log: MFC 198411: - Fix several off-by-one errors when using MAXCOMLEN. The p_comm[] and td_name[] arrays are actually MAXCOMLEN + 1 in size and a few places that created shadow copies of these arrays were just using MAXCOMLEN. - Prefer using sizeof() of an array type to explicit constants for the array length in a few places. - Ensure that all of p_comm[] is always zero'd during execve() to guard against any possible information leaks. Previously trailing garbage in p_comm[] could be leaked to userland in ktrace record headers. Modified: stable/7/sys/kern/kern_exec.c stable/7/sys/kern/kern_ktrace.c stable/7/sys/kern/subr_bus.c stable/7/sys/kern/subr_taskqueue.c stable/7/sys/sys/interrupt.h Directory Properties: stable/7/sys/ (props changed) stable/7/sys/cddl/contrib/opensolaris/ (props changed) stable/7/sys/contrib/dev/acpica/ (props changed) stable/7/sys/contrib/pf/ (props changed) Modified: stable/7/sys/kern/kern_exec.c ============================================================================== --- stable/7/sys/kern/kern_exec.c Thu Jan 21 19:11:18 2010 (r202764) +++ stable/7/sys/kern/kern_exec.c Thu Jan 21 19:17:42 2010 (r202765) @@ -559,9 +559,9 @@ interpret: execsigs(p); /* name this process - nameiexec(p, ndp) */ + bzero(p->p_comm, sizeof(p->p_comm)); len = min(ndp->ni_cnd.cn_namelen,MAXCOMLEN); bcopy(ndp->ni_cnd.cn_nameptr, p->p_comm, len); - p->p_comm[len] = 0; /* * mark as execed, wakeup the process that vforked (if any) and tell Modified: stable/7/sys/kern/kern_ktrace.c ============================================================================== --- stable/7/sys/kern/kern_ktrace.c Thu Jan 21 19:11:18 2010 (r202764) +++ stable/7/sys/kern/kern_ktrace.c Thu Jan 21 19:17:42 2010 (r202765) 
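Review bot: The clamp on the context line `len = min(ndp->ni_cnd.cn_namelen,MAXCOMLEN);` in the kern_exec.c hunk still uses the explicit constant. With `p->p_comm[len] = 0;` removed, the terminator exists only because the new bzero() ran first and len stays below the array size. Tying the clamp to the array, `len = min(ndp->ni_cnd.cn_namelen, sizeof(p->p_comm) - 1);`, keeps that guarantee if the two sizes ever drift and matches the sizeof preference stated in the log. A short comment such as `/* p_comm is fully zeroed above, so the copied name stays NUL-terminated. */` would record why the explicit store was dropped. The enclosing function starts and ends outside the hunk, so whether readers of p_comm can observe the window between bzero() and bcopy() cannot be judged from here.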
@@ -257,6 +257,10 @@ ktrace_resize_pool(u_int newsize) return (ktr_requestpool); } +/* ktr_getrequest() assumes that ktr_comm[] is the same size as p_comm[]. */ +CTASSERT(sizeof(((struct ktr_header *)NULL)->ktr_comm) == + (sizeof((struct proc *)NULL)->p_comm)); + static struct ktr_request * ktr_getrequest(int type) { @@ -284,7 +288,8 @@ ktr_getrequest(int type) microtime(&req->ktr_header.ktr_time); req->ktr_header.ktr_pid = p->p_pid; req->ktr_header.ktr_tid = td->td_tid; - bcopy(p->p_comm, req->ktr_header.ktr_comm, MAXCOMLEN + 1); + bcopy(p->p_comm, req->ktr_header.ktr_comm, + sizeof(req->ktr_header.ktr_comm)); req->ktr_buffer = NULL; req->ktr_header.ktr_len = 0; } else { Modified: stable/7/sys/kern/subr_bus.c ============================================================================== --- stable/7/sys/kern/subr_bus.c Thu Jan 21 19:11:18 2010 (r202764) +++ stable/7/sys/kern/subr_bus.c Thu Jan 21 19:17:42 2010 (r202765) @@ -3597,8 +3597,8 @@ int bus_describe_intr(device_t dev, struct resource *irq, void *cookie, const char *fmt, ...) { - char descr[MAXCOMLEN]; va_list ap; + char descr[MAXCOMLEN + 1]; if (dev->parent == NULL) return (EINVAL); Modified: stable/7/sys/kern/subr_taskqueue.c ============================================================================== --- stable/7/sys/kern/subr_taskqueue.c Thu Jan 21 19:11:18 2010 (r202764) +++ stable/7/sys/kern/subr_taskqueue.c Thu Jan 21 19:17:42 2010 (r202765) @@ -343,7 +343,7 @@ taskqueue_start_threads(struct taskqueue va_list ap; struct taskqueue *tq; struct thread *td; - char ktname[MAXCOMLEN]; + char ktname[MAXCOMLEN + 1]; int i, error; if (count <= 0) 
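Review bot: The right-hand operand of the new CTASSERT has its parentheses placed differently from the left-hand one: `(sizeof((struct proc *)NULL)->p_comm)` closes the sizeof parenthesis before `->p_comm`. It still measures p_comm, because `->` binds tighter than sizeof and the parenthesised cast cannot be read as a type name, but at a glance it looks like the size of a pointer. Writing it as `sizeof(((struct proc *)NULL)->p_comm)` mirrors the left side and removes the doubt.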
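Review bot: In the second kern_ktrace.c hunk, copying `sizeof(req->ktr_header.ktr_comm)` bytes sends every byte of p_comm, including whatever follows the terminator, into a record header that the log says reaches userland. The only zero-fill visible in this commit is the bzero() in the kern_exec.c hunk, so the leak guard holds only if every other writer of p_comm also clears the tail, which is not visible here. A comment above the bcopy such as `/* Copies the whole array; p_comm writers must zero-fill past the NUL. */` would state that dependency. The body of ktr_getrequest() continues outside the hunk.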
@@ -351,7 +351,7 @@ taskqueue_start_threads(struct taskqueue tq = *tqp; va_start(ap, name); - vsnprintf(ktname, MAXCOMLEN, name, ap); + vsnprintf(ktname, sizeof(ktname), name, ap); va_end(ap); tq->tq_pproc = malloc(sizeof(struct proc *) * count, M_TASKQUEUE, Modified: stable/7/sys/sys/interrupt.h ============================================================================== --- stable/7/sys/sys/interrupt.h Thu Jan 21 19:11:18 2010 (r202764) +++ stable/7/sys/sys/interrupt.h Thu Jan 21 19:17:42 2010 (r202765) @@ -47,7 +47,7 @@ struct intr_handler { driver_intr_t *ih_handler; /* Handler function. */ void *ih_argument; /* Argument to pass to handler. */ int ih_flags; - char ih_name[MAXCOMLEN]; /* Name of handler. */ + char ih_name[MAXCOMLEN + 1]; /* Name of handler. */ struct intr_event *ih_event; /* Event we are connected to. */ int ih_need; /* Needs service. */ TAILQ_ENTRY(intr_handler) ih_next; /* Next handler for this event. */ @@ -94,8 +94,8 @@ struct intr_handler { struct intr_event { TAILQ_ENTRY(intr_event) ie_list; TAILQ_HEAD(, intr_handler) ie_handlers; /* Interrupt handlers. */ - char ie_name[MAXCOMLEN]; /* Individual event name. */ - char ie_fullname[MAXCOMLEN]; + char ie_name[MAXCOMLEN + 1]; /* Individual event name. */ + char ie_fullname[MAXCOMLEN + 1]; struct mtx ie_lock; void *ie_source; /* Cookie used by MD code. */ struct intr_thread *ie_thread; /* Thread we are connected to. */
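Review bot: Growing `ie_name` by one byte in the second interrupt.h hunk shifts `ie_fullname`, which follows it directly, and may shift later members of struct intr_event. The `ih_name` change in the first hunk could do the same to struct intr_handler, depending on padding. Because this is a merge to a stable branch, code built against the old header that touches these fields directly could end up using stale offsets, so the log should say whether modules need rebuilding. The users of these arrays are outside this diff; any that still pass `MAXCOMLEN` as the buffer length rather than `sizeof()` of the array gain nothing from the extra byte.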