From owner-svn-src-head@FreeBSD.ORG Wed Nov 16 10:11:56 2011 Return-Path: Delivered-To: svn-src-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4EA33106564A; Wed, 16 Nov 2011 10:11:56 +0000 (UTC) (envelope-from pho@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 3E9E48FC12; Wed, 16 Nov 2011 10:11:56 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id pAGABuSJ041700; Wed, 16 Nov 2011 10:11:56 GMT (envelope-from pho@svn.freebsd.org) Received: (from pho@localhost) by svn.freebsd.org (8.14.4/8.14.4/Submit) id pAGABt9u041698; Wed, 16 Nov 2011 10:11:56 GMT (envelope-from pho@svn.freebsd.org) Message-Id: <201111161011.pAGABt9u041698@svn.freebsd.org> From: Peter Holm Date: Wed, 16 Nov 2011 10:11:55 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r227550 - head/sys/fs/pseudofs X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 16 Nov 2011 10:11:56 -0000 Author: pho Date: Wed Nov 16 10:11:55 2011 New Revision: 227550 URL: http://svn.freebsd.org/changeset/base/227550 Log: Handle invalid large values for getdirentries(2) data buffer size. In collaboration with: kib Reviewed by: des Reported by: The iknowthis syscall fuzzer. MFC after: 1 week Modified: head/sys/fs/pseudofs/pseudofs_vnops.c Modified: head/sys/fs/pseudofs/pseudofs_vnops.c ============================================================================== --- head/sys/fs/pseudofs/pseudofs_vnops.c Wed Nov 16 05:05:13 2011 (r227549) +++ head/sys/fs/pseudofs/pseudofs_vnops.c Wed Nov 16 10:11:55 2011 (r227550) @@ -711,6 +711,13 @@ pfs_iterate(struct thread *td, struct pr return (0); } +/* Directory entry list */ +struct pfsentry { + STAILQ_ENTRY(pfsentry) link; + struct dirent entry; +}; +STAILQ_HEAD(pfsdirentlist, pfsentry); + /* * Return directory entries. */ @@ -723,12 +730,14 @@ pfs_readdir(struct vop_readdir_args *va) pid_t pid = pvd->pvd_pid; struct proc *p, *proc; struct pfs_node *pn; - struct dirent *entry; struct uio *uio; + struct pfsentry *pfsent, *pfsent2; + struct pfsdirentlist lst; off_t offset; int error, i, resid; - char *buf, *ent; + STAILQ_INIT(&lst); + error = 0; KASSERT(pd->pn_info == vn->v_mount->mnt_data, ("%s(): pn_info does not match mountpoint", __func__)); PFS_TRACE(("%s pid %lu", pd->pn_name, (unsigned long)pid)); @@ -748,8 +757,6 @@ pfs_readdir(struct vop_readdir_args *va) if (resid == 0) PFS_RETURN (0); - /* can't do this while holding the proc lock... */ - buf = malloc(resid, M_IOV, M_WAITOK | M_ZERO); sx_slock(&allproc_lock); pfs_lock(pd); @@ -757,7 +764,6 @@ pfs_readdir(struct vop_readdir_args *va) if (!pfs_visible(curthread, pd, pid, &proc)) { sx_sunlock(&allproc_lock); pfs_unlock(pd); - free(buf, M_IOV); PFS_RETURN (ENOENT); } KASSERT(pid == NO_PID || proc != NULL, @@ -771,57 +777,64 @@ pfs_readdir(struct vop_readdir_args *va) PROC_UNLOCK(proc); pfs_unlock(pd); sx_sunlock(&allproc_lock); - free(buf, M_IOV); PFS_RETURN (0); } } /* fill in entries */ - ent = buf; while (pfs_iterate(curthread, proc, pd, &pn, &p) != -1 && resid >= PFS_DELEN) { - entry = (struct dirent *)ent; - entry->d_reclen = PFS_DELEN; - entry->d_fileno = pn_fileno(pn, pid); + if ((pfsent = malloc(sizeof(struct pfsentry), M_IOV, + M_NOWAIT | M_ZERO)) == NULL) { + error = ENOMEM; + break; + } + pfsent->entry.d_reclen = PFS_DELEN; + pfsent->entry.d_fileno = pn_fileno(pn, pid); /* PFS_DELEN was picked to fit PFS_NAMLEN */ for (i = 0; i < PFS_NAMELEN - 1 && pn->pn_name[i] != '\0'; ++i) - entry->d_name[i] = pn->pn_name[i]; - entry->d_name[i] = 0; - entry->d_namlen = i; + pfsent->entry.d_name[i] = pn->pn_name[i]; + pfsent->entry.d_name[i] = 0; + pfsent->entry.d_namlen = i; switch (pn->pn_type) { case pfstype_procdir: KASSERT(p != NULL, ("reached procdir node with p == NULL")); - entry->d_namlen = snprintf(entry->d_name, + pfsent->entry.d_namlen = snprintf(pfsent->entry.d_name, PFS_NAMELEN, "%d", p->p_pid); /* fall through */ case pfstype_root: case pfstype_dir: case pfstype_this: case pfstype_parent: - entry->d_type = DT_DIR; + pfsent->entry.d_type = DT_DIR; break; case pfstype_file: - entry->d_type = DT_REG; + pfsent->entry.d_type = DT_REG; break; case pfstype_symlink: - entry->d_type = DT_LNK; + pfsent->entry.d_type = DT_LNK; break; default: panic("%s has unexpected node type: %d", pn->pn_name, pn->pn_type); } - PFS_TRACE(("%s", entry->d_name)); + PFS_TRACE(("%s", pfsent->entry.d_name)); + STAILQ_INSERT_TAIL(&lst, pfsent, link); offset += PFS_DELEN; resid -= PFS_DELEN; - ent += PFS_DELEN; } if (proc != NULL) PROC_UNLOCK(proc); pfs_unlock(pd); sx_sunlock(&allproc_lock); - PFS_TRACE(("%zd bytes", ent - buf)); - error = uiomove(buf, ent - buf, uio); - free(buf, M_IOV); + i = 0; + STAILQ_FOREACH_SAFE(pfsent, &lst, link, pfsent2) { + if (error == 0) + error = uiomove(&pfsent->entry, PFS_DELEN, uio); + free(pfsent, M_IOV); + i++; + } + PFS_TRACE(("%zd bytes", i * PFS_DELEN)); PFS_RETURN (error); }