

[src/netbsd-6-0]: src/sys/compat/freebsd Pull up following revision(s) (reque...



details:   https://anonhg.NetBSD.org/src/rev/5f84b1cd2054
branches:  netbsd-6-0
changeset: 774994:5f84b1cd2054
user:      snj <snj%NetBSD.org@localhost>
date:      Sun Oct 19 19:36:59 2014 +0000

description:
Pull up following revision(s) (requested by maxv in ticket #1168):
        sys/compat/freebsd/freebsd_sysctl.c: revision 1.17
I'm not sure reading from an unsanitized userland pointer is a good idea.
Some users might be tempted to give 0x01, in which case the kernel will
crash.

diffstat:

 sys/compat/freebsd/freebsd_sysctl.c |  17 +++++++++++------
 1 files changed, 11 insertions(+), 6 deletions(-)

diffs (57 lines):

diff -r ef436e4af05d -r 5f84b1cd2054 sys/compat/freebsd/freebsd_sysctl.c
--- a/sys/compat/freebsd/freebsd_sysctl.c       Mon Sep 29 18:48:10 2014 +0000
+++ b/sys/compat/freebsd/freebsd_sysctl.c       Sun Oct 19 19:36:59 2014 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: freebsd_sysctl.c,v 1.15 2008/11/19 18:36:02 ad Exp $   */
+/*     $NetBSD: freebsd_sysctl.c,v 1.15.28.1 2014/10/19 19:36:59 snj Exp $     */
 
 /*-
  * Copyright (c) 2005 The NetBSD Foundation, Inc.
@@ -31,7 +31,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: freebsd_sysctl.c,v 1.15 2008/11/19 18:36:02 ad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: freebsd_sysctl.c,v 1.15.28.1 2014/10/19 19:36:59 snj Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -95,7 +95,7 @@
        } */
        int error;
        int name[CTL_MAXNAME];
-       size_t newlen, *oldlenp;
+       size_t newlen, *oldlenp, oldlen;
        u_int namelen;
        void *new, *old;
 
@@ -146,9 +146,14 @@
 
                old = SCARG(uap, old);
                oldlenp = SCARG(uap, oldlenp);
-               if (old == NULL || oldlenp == NULL || *oldlenp < sizeof(int))
+               if (old == NULL || oldlenp == NULL)
                        return(EINVAL);
 
+               if ((error = copyin(oldlenp, &oldlen, sizeof(oldlen))))
+                       return (error);
+               if (oldlen < sizeof(int))
+                       return (EINVAL);
+
                if ((locnew =
                     (char *) malloc(newlen + 1, M_TEMP, M_WAITOK)) == NULL)
                        return(ENOMEM);
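Review bot: The new copyin of `oldlenp` carries no comment saying why the length is fetched into a kernel-side copy, so a later reader may be tempted to reintroduce `*oldlenp`; suggest `/* oldlenp is a user pointer: fetch it once with copyin and reuse the kernel copy for every later bound, never re-read it from userland. */` above the copyin. Fetching it once also means the length validated here is the same value later used to bound the copyout, instead of two further reads of `*SCARG(uap, oldlenp)` that could observe a different value. The `malloc(..., M_WAITOK)` NULL check just below is pre-existing and appears unreachable for a waiting allocation, but that is outside this change. The enclosing function begins and ends outside the hunk.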
@@ -168,11 +173,11 @@
 
                oidlen *= sizeof(int);
                error = copyout(oid, SCARG(uap, old),
-                               MIN(oidlen, *SCARG(uap, oldlenp)));
+                               MIN(oidlen, oldlen));
                if (error)
                        return(error);
                ktrmibio(-1, UIO_READ, SCARG(uap, old),
-                   MIN(oidlen, *SCARG(uap, oldlenp)),  0);
+                   MIN(oidlen, oldlen),  0);
 
                error = copyout(&oidlen, SCARG(uap, oldlenp), sizeof(u_int));
 
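Review bot: The final `copyout(&oidlen, SCARG(uap, oldlenp), sizeof(u_int))` writes a `u_int`-sized value into a location the new code reads as a `size_t` (`oldlen` is copied in with `sizeof(oldlen)`), so on an LP64 kernel only the low bytes of the caller's length are updated and the high bytes keep whatever the caller passed in. oidlen's declaration is outside the hunk, so its type is inferred from the `sizeof(u_int)` here. Writing the full width through the kernel copy avoids the mismatch: `oldlen = oidlen;` followed by `error = copyout(&oldlen, SCARG(uap, oldlenp), sizeof(oldlen));`. The enclosing function continues past the hunk.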


