Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/sys/external/bsd/drm2/dist/drm Zero-pad truncated drm ioctl ...



details:   https://anonhg.NetBSD.org/src/rev/5d6e16f01d5b
branches:  trunk
changeset: 366308:5d6e16f01d5b
user:      riastradh <riastradh%NetBSD.org@localhost>
date:      Mon Aug 27 14:45:45 2018 +0000

description:
Zero-pad truncated drm ioctl commands on input.

This way we don't act on uninitialized stack garbage if user invokes
a drm ioctl with a short input, which, uhhh, we have been doing for a
long time.  #@^&*$!@&@#*@!

XXX pullup-7
XXX pullup-8

diffstat:

 sys/external/bsd/drm2/dist/drm/drm_ioctl.c |  25 +++++++++++++++++++++++--
 1 files changed, 23 insertions(+), 2 deletions(-)

diffs (60 lines):

diff -r a9c2eadeb06f -r 5d6e16f01d5b sys/external/bsd/drm2/dist/drm/drm_ioctl.c
--- a/sys/external/bsd/drm2/dist/drm/drm_ioctl.c        Mon Aug 27 14:45:31 2018 +0000
+++ b/sys/external/bsd/drm2/dist/drm/drm_ioctl.c        Mon Aug 27 14:45:45 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: drm_ioctl.c,v 1.7 2018/08/27 07:55:06 riastradh Exp $  */
+/*     $NetBSD: drm_ioctl.c,v 1.8 2018/08/27 14:45:45 riastradh Exp $  */
 
 /*
  * Created: Fri Jan  8 09:01:26 1999 by faith%valinux.com@localhost
@@ -31,7 +31,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: drm_ioctl.c,v 1.7 2018/08/27 07:55:06 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: drm_ioctl.c,v 1.8 2018/08/27 14:45:45 riastradh Exp $");
 
 #include <drm/drmP.h>
 #include <drm/drm_core.h>
@@ -721,6 +721,8 @@
 int
 drm_ioctl(struct file *fp, unsigned long cmd, void *data)
 {
+       char stackbuf[128];
+       char *buf = stackbuf;
        struct drm_file *const file = fp->f_data;
        const unsigned int nr = DRM_IOCTL_NR(cmd);
        int error;
@@ -767,6 +769,21 @@
        if (error)
                return error;
 
+       /* If userland passed in too few bytes, zero-pad them.  */
+       if (IOCPARM_LEN(cmd) < IOCPARM_LEN(ioctl->cmd)) {
+               /* 12-bit quantity, according to <sys/ioccom.h> */
+               KASSERT(IOCPARM_LEN(ioctl->cmd) <= 4096);
+               if (IOCPARM_LEN(ioctl->cmd) > sizeof stackbuf) {
+                       buf = kmem_alloc(IOCPARM_LEN(ioctl->cmd), KM_NOSLEEP);
+                       if (buf == NULL)
+                               return ENOMEM;
+               }
+               memcpy(buf, data, IOCPARM_LEN(cmd));
+               memset(buf + IOCPARM_LEN(cmd), 0,
+                   IOCPARM_LEN(ioctl->cmd) - IOCPARM_LEN(cmd));
+               data = buf;
+       }
+
        if ((drm_core_check_feature(dev, DRIVER_MODESET) && is_driver_ioctl) ||
            ISSET(ioctl->flags, DRM_UNLOCKED)) {
                /* XXX errno Linux->NetBSD */
@@ -778,6 +795,10 @@
                mutex_unlock(&drm_global_mutex);
        }
 
+       /* If we had to allocate a heap buffer, free it.  */
+       if (buf != stackbuf)
+               kmem_free(buf, IOCPARM_LEN(ioctl->cmd));
+
        return error;
 }
 #else



Home | Main Index | Thread Index | Old Index