NetBSD-Bugs archive


Re: kern/39559: veriexec(4): too easy to cause a NULL dereference through it in kernel



The following reply was made to PR kern/39559; it has been noted by GNATS.

From: Juan RP <xtraeme%gmail.com@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc: 
Subject: Re: kern/39559: veriexec(4): too easy to cause a NULL dereference
 through it in kernel
Date: Tue, 16 Sep 2008 15:33:06 +0200

 The following patch fixes all the problems reported here:
 
 Index: kern/kern_verifiedexec.c
 ===================================================================
 RCS file: /cvsroot/src/sys/kern/kern_verifiedexec.c,v
 retrieving revision 1.110
 diff -b -u -p -r1.110 kern_verifiedexec.c
 --- kern/kern_verifiedexec.c   10 Sep 2008 16:36:54 -0000      1.110
 +++ kern/kern_verifiedexec.c   16 Sep 2008 13:30:37 -0000
 @@ -1185,7 +1185,8 @@ veriexec_file_add(struct lwp *l, prop_di
        const char *file, *fp_type;
        int error;
  
 -      file = prop_string_cstring_nocopy(prop_dictionary_get(dict, "file"));
 +      if (!prop_dictionary_get_cstring_nocopy(dict, "file", &file))
 +              return EINVAL;
  
        NDINIT(&nid, LOOKUP, FOLLOW, UIO_SYSSPACE, file);
        error = namei(&nid);
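Review bot: Only the "file" key gets the checked lookup in veriexec_file_add, while `fp_type`, declared beside `file` in the context lines, is presumably read from the same userland-supplied dictionary further down, outside this hunk. If that read still goes through the unchecked `prop_string_cstring_nocopy(prop_dictionary_get(dict, ...))` form, a dictionary lacking that key would reach the same NULL path this patch closes. It should use `prop_dictionary_get_cstring_nocopy()` and `return EINVAL;` in the same way. The function body starts and ends outside the hunk, so this needs confirming against the full file.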
 Index: dev/verified_exec.c
 ===================================================================
 RCS file: /cvsroot/src/sys/dev/verified_exec.c,v
 retrieving revision 1.63
 diff -b -u -p -r1.63 verified_exec.c
 --- dev/verified_exec.c        11 Dec 2007 12:16:14 -0000      1.63
 +++ dev/verified_exec.c        16 Sep 2008 13:30:37 -0000
 @@ -128,10 +128,13 @@ static int
  veriexec_delete(prop_dictionary_t dict, struct lwp *l)
  {
        struct nameidata nid;
 +      const char *str;
        int error;
  
 -      NDINIT(&nid, LOOKUP, FOLLOW, UIO_SYSSPACE,
 -          prop_string_cstring_nocopy(prop_dictionary_get(dict, "file")));
 +      if (!prop_dictionary_get_cstring_nocopy(dict, "file", &str))
 +              return EINVAL;
 +
 +      NDINIT(&nid, LOOKUP, FOLLOW, UIO_SYSSPACE, str);
        error = namei(&nid);
        if (error)
                return (error);
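Review bot: The new local is named `str` here and in veriexec_query (the next hunk), whereas veriexec_file_add uses `file` for the same dictionary value; declaring it as `const char *file;` in all three handlers would keep them parallel. A short comment above the check would also record why it exists, e.g. `/* "file" comes from a userland dictionary: reject a missing or non-string value. */`. The added `return EINVAL;` sits next to the existing `return (error);`, so the file's parenthesised return style could be followed as well. The function body continues past the end of the hunk.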
 @@ -151,10 +154,13 @@ static int
  veriexec_query(prop_dictionary_t dict, prop_dictionary_t rdict, struct lwp *l)
  {
        struct nameidata nid;
 +      const char *str;
        int error;
  
 -      NDINIT(&nid, LOOKUP, FOLLOW, UIO_SYSSPACE,
 -          prop_string_cstring_nocopy(prop_dictionary_get(dict, "file")));
 +      if (!prop_dictionary_get_cstring_nocopy(dict, "file", &str))
 +              return EINVAL;
 +
 +      NDINIT(&nid, LOOKUP, FOLLOW, UIO_SYSSPACE, str);
        error = namei(&nid);
        if (error)
                return (error);
 @@ -180,6 +186,9 @@ veriexecioctl(dev_t dev, u_long cmd, voi
        case VERIEXEC_LOAD:
        case VERIEXEC_DELETE:
        case VERIEXEC_FLUSH:
 +              if ((flags & FWRITE) == 0)
 +                      return EPERM;
 +
                if (veriexec_strict > VERIEXEC_LEARNING) {
                        log(LOG_WARNING, "Veriexec: Strict mode, modifying "
                            "tables not permitted.\n");
 @@ -191,6 +200,8 @@ veriexecioctl(dev_t dev, u_long cmd, voi
  
        case VERIEXEC_QUERY:
        case VERIEXEC_DUMP:
 +              if ((flags & FWRITE) == 0)
 +                      return EPERM;
                break;
  
        default:
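Review bot: VERIEXEC_QUERY and VERIEXEC_DUMP are gated on `FWRITE` here, the same bit the previous hunk requires for LOAD, DELETE and FLUSH. If these two commands only read the tables, as their names suggest, then a caller that merely inspects entries must open the device writable, which leaves the open mode unable to separate read-only consumers from ones allowed to modify the tables. Checking the read bit instead, `if ((flags & FREAD) == 0)` followed by `return EPERM;`, would preserve that distinction. The switch continues outside the hunk, so what QUERY and DUMP actually do should be confirmed there.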
 

