

[src/netbsd-3-0]: src/sys/kern Pull up following revision(s) (requested by ch...



details:   https://anonhg.NetBSD.org/src/rev/5d4267565645
branches:  netbsd-3-0
changeset: 579322:5d4267565645
user:      tron <tron%NetBSD.org@localhost>
date:      Wed Oct 25 19:14:00 2006 +0000

description:
Pull up following revision(s) (requested by christos in ticket #1556):
        sys/kern/sys_process.c: revision 1.111 via patch
Don't allow ptrace to copyout arbitrary sized data. Reported by the
Suresec vulnerability research team.

diffstat:

 sys/kern/sys_process.c |  17 +++++++----------
 1 files changed, 7 insertions(+), 10 deletions(-)

diffs (53 lines):

diff -r 078f482f0372 -r 5d4267565645 sys/kern/sys_process.c
--- a/sys/kern/sys_process.c    Tue Oct 24 17:05:20 2006 +0000
+++ b/sys/kern/sys_process.c    Wed Oct 25 19:14:00 2006 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: sys_process.c,v 1.95 2005/02/26 21:34:55 perry Exp $   */
+/*     $NetBSD: sys_process.c,v 1.95.12.1 2006/10/25 19:14:00 tron Exp $       */
 
 /*-
  * Copyright (c) 1982, 1986, 1989, 1993
@@ -89,7 +89,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: sys_process.c,v 1.95 2005/02/26 21:34:55 perry Exp $");
+__KERNEL_RCSID(0, "$NetBSD: sys_process.c,v 1.95.12.1 2006/10/25 19:14:00 tron Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -480,10 +480,9 @@
                goto sendsig;
 
        case PT_LWPINFO:
-               size = SCARG(uap, data);
-               if (size < sizeof(lwpid_t))
+               if (SCARG(uap, data) != sizeof(pl))
                        return (EINVAL);
-               error = copyin(SCARG(uap, addr), &pl, sizeof(lwpid_t));
+               error = copyin(SCARG(uap, addr), &pl, sizeof(pl));
                if (error)
                        return (error);
                tmp = pl.pl_lwpid;
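Review bot: The exact-size test `if (SCARG(uap, data) != sizeof(pl))` has no comment saying why equality is required rather than a lower bound, and the reason is security-relevant. With the full-size `copyin`, every byte of `pl` is supplied by the caller before the later `copyout`, so no uninitialized kernel stack bytes can be returned, assuming `pl` is a stack local (its declaration is outside this hunk). I would add above the check `/* data must equal sizeof(pl): pl is copied in and out whole, so no uninitialized kernel memory reaches userland */`, so that a later relaxation to `<` is not made casually. The comparison also mixes the syscall argument, presumably a signed int, with a `size_t`, so a negative `data` is rejected only through the implicit unsigned conversion; that is correct but worth a word in the same comment.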
@@ -491,8 +490,8 @@
                        lt = LIST_FIRST(&t->p_lwps);
                else {
                        LIST_FOREACH(lt, &t->p_lwps, l_sibling)
-                           if (lt->l_lid == tmp)
-                                   break;
+                               if (lt->l_lid == tmp)
+                                       break;
                        if (lt == NULL)
                                return (ESRCH);
                        lt = LIST_NEXT(lt, l_sibling);
@@ -505,9 +504,7 @@
                                pl.pl_event = PL_EVENT_SIGNAL;
                }
 
-               error = copyout(&pl, SCARG(uap, addr), SCARG(uap, data));
-
-               return (0);
+               return copyout(&pl, SCARG(uap, addr), sizeof(pl));
 
 #ifdef PT_SETREGS
        case  PT_SETREGS:
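Review bot: The new `return copyout(&pl, SCARG(uap, addr), sizeof(pl));` drops the parenthesised return form that every other return visible in this case uses (`return (EINVAL);`, `return (error);`, `return (ESRCH);`). Writing it as `return (copyout(&pl, SCARG(uap, addr), sizeof(pl)));` keeps the case consistent with the file's style. The lines that fill in `pl` between the `copyin` and this `copyout` are only partly visible here, so which fields are always set before the copy back cannot be checked from this hunk.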


