[src/netbsd-2-0]: src/sys Pull up following revision(s) (requested by adrianp...

To: source-changes-hg%NetBSD.org@localhost
Subject: [src/netbsd-2-0]: src/sys Pull up following revision(s) (requested by adrianp...
From: bouyer <bouyer%NetBSD.org@localhost>
Date: Fri, 24 Jan 2020 15:08:46 +0000

details:   https://anonhg.NetBSD.org/src/rev/5c6f25131a3a
branches:  netbsd-2-0
changeset: 565017:5c6f25131a3a
user:      bouyer <bouyer%NetBSD.org@localhost>
date:      Sun Nov 19 17:38:22 2006 +0000

description:
Pull up following revision(s) (requested by adrianp in ticket #10760):
        sys/sys/systrace.h: revision 1.21
        sys/kern/kern_systrace.c: revision 1.59
Fix an exploitable integer overflow found by Chris Evans of Google Security.

diffstat:

 sys/kern/kern_systrace.c |  19 +++++++++++++++----
 sys/sys/systrace.h       |   3 ++-
 2 files changed, 17 insertions(+), 5 deletions(-)

diffs (73 lines):

diff -r 337ef487a084 -r 5c6f25131a3a sys/kern/kern_systrace.c
--- a/sys/kern/kern_systrace.c  Sun Nov 19 17:29:30 2006 +0000
+++ b/sys/kern/kern_systrace.c  Sun Nov 19 17:38:22 2006 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: kern_systrace.c,v 1.37.2.1 2004/04/16 22:29:57 jmc Exp $       */
+/*     $NetBSD: kern_systrace.c,v 1.37.2.2 2006/11/19 17:38:22 bouyer Exp $    */
 
 /*
  * Copyright 2002, 2003 Niels Provos <provos%citi.umich.edu@localhost>
@@ -31,7 +31,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_systrace.c,v 1.37.2.1 2004/04/16 22:29:57 jmc Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_systrace.c,v 1.37.2.2 2006/11/19 17:38:22 bouyer Exp $");
 
 #include "opt_systrace.h"
 
@@ -1295,9 +1295,16 @@
                return (EINVAL);
 
        for (i = 0, len = 0; i < repl->strr_nrepl; i++) {
-               len += repl->strr_offlen[i];
+               if (repl->strr_argind[i] < 0 ||
+                   repl->strr_argind[i] >= SYSTR_MAXARGS)
+                       return (EINVAL);
                if (repl->strr_offlen[i] == 0)
                        continue;
+               len += repl->strr_offlen[i];
+               if (repl->strr_offlen[i] > SYSTR_MAXREPLEN ||
+                   repl->strr_off[i] > SYSTR_MAXREPLEN ||
+                   len > SYSTR_MAXREPLEN)
+                       return (EINVAL);
                if (repl->strr_offlen[i] + repl->strr_off[i] > len)
                        return (EINVAL);
        }
@@ -1307,7 +1314,7 @@
                return (EINVAL);
 
        /* Check against a maximum length */
-       if (repl->strr_len > 2048)
+       if (repl->strr_len > SYSTR_MAXREPLEN)
                return (EINVAL);
 
        strp->replace = (struct systrace_replace *)
@@ -1348,6 +1355,10 @@
        sg = stackgap_init(p->p_emul);
        ubase = stackgap_alloc(&sg, repl->strr_len);
 #endif
+       if (ubase == NULL) {
+               ret = EINVAL;
+               goto out;
+       }
 
        kbase = repl->strr_base;
        for (i = 0; i < maxarg && i < repl->strr_nrepl; i++) {
diff -r 337ef487a084 -r 5c6f25131a3a sys/sys/systrace.h
--- a/sys/sys/systrace.h        Sun Nov 19 17:29:30 2006 +0000
+++ b/sys/sys/systrace.h        Sun Nov 19 17:38:22 2006 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: systrace.h,v 1.12 2003/10/31 03:28:14 simonb Exp $     */
+/*     $NetBSD: systrace.h,v 1.12.2.1 2006/11/19 17:38:22 bouyer Exp $ */
 
 /*
  * Copyright 2002 Niels Provos <provos%citi.umich.edu@localhost>
@@ -51,6 +51,7 @@
 #define SYSTR_MAX_POLICIES     64
 #define SYSTR_MAXARGS          64
 #define SYSTR_MAXFNAME         8
+#define SYSTR_MAXREPLEN                2048
 
 struct str_msg_ask {
        int32_t code;

Prev by Date: [src/netbsd-2-0]: src/doc tickets 10759 and 10760
Next by Date: [src/trunk]: src/x11/lib/expat Add -I${X11SRCDIR.xc}/extras/expat/lib to CPPF...
Previous by Thread: [src/netbsd-2-0]: src/doc tickets 10759 and 10760
Next by Thread: [src/trunk]: src/x11/lib/expat Add -I${X11SRCDIR.xc}/extras/expat/lib to CPPF...
Indexes:

Home | Main Index | Thread Index | Old Index