Date:      Sat, 11 Oct 2003 21:25:26 -0700 (PDT)
From:      "Tim J. Robbins" <tjr@FreeBSD.org>
To:        src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   cvs commit: src/sys/i386/ibcs2 ibcs2_misc.c ibcs2_signal.c ibcs2_socksys.c ibcs2_util.c ibcs2_util.h imgact_coff.c
Message-ID:  <200310120425.h9C4PQAK076176@repoman.freebsd.org>

tjr         2003/10/11 21:25:26 PDT

  FreeBSD src repository

  Modified files:
    sys/i386/ibcs2       ibcs2_misc.c ibcs2_signal.c 
                         ibcs2_socksys.c ibcs2_util.c ibcs2_util.h 
                         imgact_coff.c 
  Log:
  Fix a multitude of security bugs in the iBCS2 emulator:
  - Return NULL instead of returning memory outside of the stackgap
    in stackgap_alloc() (FreeBSD-SA-00:42.linux)
  - Check for stackgap_alloc() returning NULL in ibcs2_emul_find();
    other calls to stackgap_alloc() have not been changed since they
    are small fixed-size allocations.
  - Replace use of strcpy() with strlcpy() in exec_coff_imgact()
    to avoid buffer overflow
  - Use strlcat() instead of strcat() to avoid a one byte buffer
    overflow in ibcs2_setipdomainname()
  - Use copyinstr() instead of copyin() in ibcs2_setipdomainname()
    to ensure that the string is null-terminated
  - Avoid integer overflow in ibcs2_setgroups() and ibcs2_setgroups()
    by checking that gidsetsize argument is non-negative and
    no larger than NGROUPS_MAX.
  - Range-check signal numbers in ibcs2_wait(), ibcs2_sigaction(),
    ibcs2_sigsys() and ibcs2_kill() to avoid accessing array past
    the end (or before the start)
  
  Revision  Changes    Path
  1.52      +21 -3     src/sys/i386/ibcs2/ibcs2_misc.c
  1.32      +7 -2      src/sys/i386/ibcs2/ibcs2_signal.c
  1.19      +5 -3      src/sys/i386/ibcs2/ibcs2_socksys.c
  1.17      +4 -2      src/sys/i386/ibcs2/ibcs2_util.c
  1.17      +4 -1      src/sys/i386/ibcs2/ibcs2_util.h
  1.61      +1 -1      src/sys/i386/ibcs2/imgact_coff.c
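
Added example, not part of the commit or the FreeBSD source: a user-space C sketch of two of the checks listed in the log above, validating a signed group count before it sizes a copy and range-checking a signal number before it indexes a table. The names ex_*, EX_NGROUPS_MAX and EX_NSIG and the table contents are assumptions made for the example.

```c
#include <errno.h>
#include <stddef.h>

/* Assumed values for this sketch; the kernel's own constants may differ. */
#define EX_NGROUPS_MAX 16
#define EX_NSIG        32

/* Constructed translation table: emulated signal number -> native number. */
static const int ex_sig_map[EX_NSIG] = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 };

/*
 * Validate a caller-supplied group count before it sizes a copy.
 * A negative int converted to size_t and multiplied by the element size
 * wraps to an unintended length, so both bounds are checked first.
 */
int ex_check_gidsetsize(int gidsetsize, size_t elem_size, size_t *nbytes)
{
    if (gidsetsize < 0 || gidsetsize > EX_NGROUPS_MAX)
        return EINVAL;
    *nbytes = (size_t)gidsetsize * elem_size;
    return 0;
}

/*
 * Translate a signal number only after checking both bounds; the signed
 * comparison against 0 covers an index before the start of the array.
 */
int ex_translate_signal(int sig, int *native)
{
    if (sig < 0 || sig >= EX_NSIG)
        return EINVAL;
    *native = ex_sig_map[sig];
    return 0;
}

int main(void)
{
    size_t n = 0;
    int native = 0;
    /* Constructed inputs: a valid count, a negative count, an oversized signal. */
    int ok = ex_check_gidsetsize(4, sizeof(int), &n) == 0 && n == 4 * sizeof(int);
    int bad_count = ex_check_gidsetsize(-1, sizeof(int), &n) == EINVAL;
    int bad_sig = ex_translate_signal(EX_NSIG, &native) == EINVAL;
    return (ok && bad_count && bad_sig) ? 0 : 1;
}
```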


