Subject: CVS commit: src/common/lib/libprop
To: None <source-changes@NetBSD.org>
From: Joerg Sonnenberger <joerg@netbsd.org>
List: source-changes
Date: 08/16/2007 21:44:08
Module Name:	src
Committed By:	joerg
Date:		Thu Aug 16 21:44:08 UTC 2007

Modified Files:
	src/common/lib/libprop: Makefile.inc prop_array.c prop_bool.c
	    prop_data.c prop_dictionary.c prop_kern.c prop_number.c
	    prop_object.c prop_object_impl.h prop_string.c
Added Files:
	src/common/lib/libprop: prop_stack.c prop_stack.h

Log Message:
libprop is currently using a recursive parser. While this is fine for
userland, deeply nested arrays and dictionaries can easily overflow
the kernel stack and thereby force a panic.

Fix the internalizer and prop_object_release to use a separate call
stack and alter the dictionary and array handling to not recurse on
the C stack. The default stack has an inline depth of 16 elements,
which should keep the overhead reasonable.

This issue was found by Pavel Cahyna and Jachym Holecek.

Additionally add a limit for prop_object_copyin_ioctl to prevent user
programs from temporarily allocating an unbounded amount of kernel memory.
Allow malloc to fail so that tight loops of userland processes can't
force panics by exhausting the kernel map.

Tested with the sample exploit of Jachym, his test suite and reviewed
by himself (initial patch), Christos Zoulas and Jason Thorpe.


To generate a diff of this commit:
cvs rdiff -r1.5 -r1.6 src/common/lib/libprop/Makefile.inc
cvs rdiff -r1.9 -r1.10 src/common/lib/libprop/prop_array.c
cvs rdiff -r1.10 -r1.11 src/common/lib/libprop/prop_bool.c
cvs rdiff -r1.7 -r1.8 src/common/lib/libprop/prop_data.c \
    src/common/lib/libprop/prop_kern.c src/common/lib/libprop/prop_string.c
cvs rdiff -r1.18 -r1.19 src/common/lib/libprop/prop_dictionary.c
cvs rdiff -r1.12 -r1.13 src/common/lib/libprop/prop_number.c
cvs rdiff -r1.14 -r1.15 src/common/lib/libprop/prop_object.c
cvs rdiff -r1.16 -r1.17 src/common/lib/libprop/prop_object_impl.h
cvs rdiff -r0 -r1.1 src/common/lib/libprop/prop_stack.c \
    src/common/lib/libprop/prop_stack.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
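
The technique the log message describes (an explicit stack with 16 inline slots in place of C-stack recursion, plus allocation that is allowed to fail), shown as an added example; it is not NetBSD's prop_stack.c or any code from this commit. The names xstack, xs_push, xs_pop and nest_depth and the bracket-only input syntax are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>

#define INLINE_DEPTH 16 /* inline slots; 16 is the depth the commit message names */
/* Hypothetical explicit stack for this example, not libprop's prop_stack.c. */
struct xstack {
    char inl[INLINE_DEPTH]; /* the first 16 frames live inside the struct */
    char *heap;             /* spill area, allocated only for deeper nesting */
    size_t len, heap_cap;
};

/* Push one frame; report allocation failure to the caller with -1. */
static int xs_push(struct xstack *s, char c) {
    if (s->len < INLINE_DEPTH) { s->inl[s->len++] = c; return 0; }
    size_t i = s->len - INLINE_DEPTH;
    if (i == s->heap_cap) {
        size_t ncap = s->heap_cap ? s->heap_cap * 2 : 32;
        char *p = realloc(s->heap, ncap);
        if (p == NULL) return -1;
        s->heap = p; s->heap_cap = ncap;
    }
    s->heap[i] = c; s->len++;
    return 0;
}

static int xs_pop(struct xstack *s, char *c) {
    if (s->len == 0) return -1;
    s->len--;
    *c = s->len < INLINE_DEPTH ? s->inl[s->len] : s->heap[s->len - INLINE_DEPTH];
    return 0;
}

/* Walk a constructed toy syntax ('[' ']' arrays, '{' '}' dictionaries) without
 * recursion. Returns 0 and the deepest nesting in *depth, or -1 on bad input
 * or allocation failure. */
int nest_depth(const char *in, size_t *depth) {
    struct xstack s; char open = 0; int rc = 0;
    memset(&s, 0, sizeof(s)); *depth = 0;
    for (; *in != '\0' && rc == 0; in++) {
        if (*in == '[' || *in == '{') {
            rc = xs_push(&s, *in);
            if (rc == 0 && s.len > *depth) *depth = s.len;
        } else if (*in == ']' || *in == '}') {
            if (xs_pop(&s, &open) != 0 || open != (*in == ']' ? '[' : '{')) rc = -1;
        }
    }
    if (s.len != 0) rc = -1; /* unclosed container */
    free(s.heap);
    return rc;
}
```

C-stack use in nest_depth is constant regardless of input nesting; only inputs deeper than 16 levels touch the allocator, and a failed allocation surfaces as an error return.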