Date: Sat, 21 Aug 2021 17:59:08 GMT
Message-Id: <202108211759.17LHx8Lg008003@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston
Subject: git: acabc20906ed - stable/13 - kevent: Prohibit negative change and event list lengths

The branch stable/13 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=acabc20906ed93a9e556b0d452a45e103f2e6eb6

commit acabc20906ed93a9e556b0d452a45e103f2e6eb6
Author:     Mark Johnston
AuthorDate: 2021-05-27 19:49:32 +0000
Commit:     Mark Johnston
CommitDate: 2021-08-21 16:08:58 +0000

    kevent: Prohibit negative change and event list lengths

    Previously, a negative change list length would be treated the same as
    an empty change list. A negative event list length would result in
    bogus copyouts. Make kevent(2) return EINVAL for both cases so that
    application bugs are more easily found, and to be more robust against
    future changes to kevent internals.

    Reviewed by:    imp, kib
    Sponsored by:   The FreeBSD Foundation

    (cherry picked from commit e00bae5c181ac8282caf41cd33a076da03cf8ac9)
---
 lib/libc/sys/kqueue.2 | 4 +++-
 sys/kern/kern_event.c | 7 +++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/lib/libc/sys/kqueue.2 b/lib/libc/sys/kqueue.2 index b83d85d90d42..9be380bb5d99 100644 --- a/lib/libc/sys/kqueue.2 +++ b/lib/libc/sys/kqueue.2 @@ -24,7 +24,7 @@ .\" .\" $FreeBSD$ .\" -.Dd October 8, 2020 +.Dd May 26, 2021 .Dt KQUEUE 2 .Os .Sh NAME 
@@ -762,6 +762,8 @@ events were placed on the kqueue for return. A cancellation request was delivered to the thread, but not yet handled. .It Bq Er EINVAL The specified time limit or filter is invalid. +.It Bq Er EINVAL +The specified length of the event or change lists is negative. .It Bq Er ENOENT The event could not be found to be modified or deleted. .It Bq Er ENOMEM diff --git a/sys/kern/kern_event.c b/sys/kern/kern_event.c index c277ac085d62..bf04dae2ee5c 100644 --- a/sys/kern/kern_event.c +++ b/sys/kern/kern_event.c @@ -1301,6 +1301,9 @@ kqueue_kevent(struct kqueue *kq, struct thread *td, int nchanges, int nevents, struct kevent *kevp, *changes; int i, n, nerrors, error; + if (nchanges < 0) + return (EINVAL); + nerrors = 0; while (nchanges > 0) { n = nchanges > KQ_NEVENTS ? KQ_NEVENTS : nchanges; @@ -1885,6 +1888,10 @@ kqueue_scan(struct kqueue *kq, int maxevents, struct kevent_copyops *k_ops, if (maxevents == 0) goto done_nl; + if (maxevents < 0) { + error = EINVAL; + goto done_nl; + } rsbt = 0; if (tsp != NULL) {
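
Review bot: the new EINVAL entry in the kqueue.2 hunk at -762 says "the event or change lists" without naming the arguments it refers to. Marking them up as .Fa nchanges and .Fa nevents, the names kern_event.c uses for the same values, would let a reader match the error to the kevent() parameters directly.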
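
Review bot: the kqueue_kevent() hunk at -1301 validates only nchanges, although nevents is a parameter of the same function; the negative event list length is rejected separately, in kqueue_scan(), through maxevents. If kqueue_scan() is reached only after the "while (nchanges > 0)" loop has run, a call with a valid change list and a negative nevents has its changes applied and then fails with EINVAL. Rejecting nevents < 0 next to the nchanges < 0 test would make the call fail before any side effect, which fits the commit message's aim of surfacing application bugs.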
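
Review bot: no regression test accompanies the new maxevents < 0 check in the kqueue_scan() hunk at -1885; the diffstat lists only kqueue.2 and kern_event.c. A test that calls kevent(2) with a length of -1 for the change list and for the event list, and expects EINVAL in both cases, would pin the behaviour the commit message describes. A one-line comment above the check noting that a negative length previously led to bogus copyouts would also record why the test is there.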