From owner-svn-src-all@FreeBSD.ORG Thu May 28 04:08:07 2009 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C50FB106566C; Thu, 28 May 2009 04:08:07 +0000 (UTC) (envelope-from dchagin@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 974598FC13; Thu, 28 May 2009 04:08:07 +0000 (UTC) (envelope-from dchagin@FreeBSD.org) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id n4S4873n022045; Thu, 28 May 2009 04:08:07 GMT (envelope-from dchagin@svn.freebsd.org) Received: (from dchagin@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id n4S487g6022044; Thu, 28 May 2009 04:08:07 GMT (envelope-from dchagin@svn.freebsd.org) Message-Id: <200905280408.n4S487g6022044@svn.freebsd.org> From: Dmitry Chagin Date: Thu, 28 May 2009 04:08:07 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-7@freebsd.org X-SVN-Group: stable-7 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r192952 - in stable/7/sys: . compat/linux contrib/pf dev/ath/ath_hal dev/cxgb X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 May 2009 04:08:08 -0000 Author: dchagin Date: Thu May 28 04:08:07 2009 New Revision: 192952 URL: http://svn.freebsd.org/changeset/base/192952 Log: Merge r192373 from HEAD to stable/7: Validate user-supplied arguments values. Args argument is a pointer to the structure located in user space in which the socketcall arguments are packed. The structure must be copied to the kernel instead of direct dereferencing. Approved by: kib (mentor) Modified: stable/7/sys/ (props changed) stable/7/sys/compat/linux/linux_socket.c stable/7/sys/contrib/pf/ (props changed) stable/7/sys/dev/ath/ath_hal/ (props changed) stable/7/sys/dev/cxgb/ (props changed) Modified: stable/7/sys/compat/linux/linux_socket.c ============================================================================== --- stable/7/sys/compat/linux/linux_socket.c Thu May 28 04:03:16 2009 (r192951) +++ stable/7/sys/compat/linux/linux_socket.c Thu May 28 04:08:07 2009 (r192952) @@ -1203,11 +1203,38 @@ linux_getsockopt(struct thread *td, stru return (error); } +/* Argument list sizes for linux_socketcall */ + +#define LINUX_AL(x) ((x) * sizeof(l_ulong)) + +static const unsigned char lxs_args[] = { + LINUX_AL(0) /* unused*/, LINUX_AL(3) /* socket */, + LINUX_AL(3) /* bind */, LINUX_AL(3) /* connect */, + LINUX_AL(2) /* listen */, LINUX_AL(3) /* accept */, + LINUX_AL(3) /* getsockname */, LINUX_AL(3) /* getpeername */, + LINUX_AL(4) /* socketpair */, LINUX_AL(4) /* send */, + LINUX_AL(4) /* recv */, LINUX_AL(6) /* sendto */, + LINUX_AL(6) /* recvfrom */, LINUX_AL(2) /* shutdown */, + LINUX_AL(5) /* setsockopt */, LINUX_AL(5) /* getsockopt */, + LINUX_AL(3) /* sendmsg */, LINUX_AL(3) /* recvmsg */ +}; + +#define LINUX_AL_SIZE sizeof(lxs_args) / sizeof(lxs_args[0]) - 1 + int linux_socketcall(struct thread *td, struct linux_socketcall_args *args) { - void *arg = (void *)(intptr_t)args->args; + l_ulong a[6]; + void *arg; + int error; + + if (args->what < LINUX_SOCKET || args->what > LINUX_AL_SIZE) + return (EINVAL); + error = copyin(PTRIN(args->args), a, lxs_args[args->what]); + if (error) + return (error); + arg = a; switch (args->what) { case LINUX_SOCKET: return (linux_socket(td, arg));