

[src/netbsd-6-1]: src/sys Pull up following revision(s) (requested by maxv in...



details:   https://anonhg.NetBSD.org/src/rev/402a3b262dbd
branches:  netbsd-6-1
changeset: 775984:402a3b262dbd
user:      msaitoh <msaitoh%NetBSD.org@localhost>
date:      Wed Aug 27 14:59:06 2014 +0000

description:
Pull up following revision(s) (requested by maxv in ticket #1115):
        sys/miscfs/umapfs/umap_vfsops.c: revision 1.94
        sys/fs/ptyfs/ptyfs_vfsops.c: revision 1.52
Overflow if *data_len == OSIZE and args->version >= PTYFS_ARGSVERSION.
Sent on tech-kern@, ok christos@
1) 'error' is returned while it does not even hold an error code, which
   means that zero is returned and the kernel keeps mounting (and it
   probably ends up in a deadlock/memory corruption somewhere).
2) 'nentries' and 'gnentries' are int and user-controlled, and there's no
   check to ensure they are greater than zero. Since they are used to
   compute the size of two copyin's, a user can control the copied size
   by giving a negative value (like 128-2^29), and thus overwrite kernel
   memory.
Both triggerable from root only.

diffstat:

 sys/fs/ptyfs/ptyfs_vfsops.c     |  10 ++++++----
 sys/miscfs/umapfs/umap_vfsops.c |   9 +++++----
 2 files changed, 11 insertions(+), 8 deletions(-)

diffs (62 lines):

diff -r f6a4fcfea825 -r 402a3b262dbd sys/fs/ptyfs/ptyfs_vfsops.c
--- a/sys/fs/ptyfs/ptyfs_vfsops.c       Wed Aug 27 14:45:11 2014 +0000
+++ b/sys/fs/ptyfs/ptyfs_vfsops.c       Wed Aug 27 14:59:06 2014 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ptyfs_vfsops.c,v 1.42.18.1.4.1 2014/04/21 10:17:48 bouyer Exp $        */
+/*     $NetBSD: ptyfs_vfsops.c,v 1.42.18.1.4.2 2014/08/27 14:59:06 msaitoh Exp $       */
 
 /*
  * Copyright (c) 1992, 1993, 1995
@@ -38,7 +38,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ptyfs_vfsops.c,v 1.42.18.1.4.1 2014/04/21 10:17:48 bouyer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ptyfs_vfsops.c,v 1.42.18.1.4.2 2014/08/27 14:59:06 msaitoh Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -220,8 +220,10 @@
 
        if (args == NULL)
                return EINVAL;
-       if (*data_len != sizeof *args && *data_len != OSIZE)
-               return EINVAL;
+       if (*data_len != sizeof *args) {
+               if (*data_len != OSIZE || args->version >= PTYFS_ARGSVERSION)
+                       return EINVAL;
+       }
 
        if (UIO_MX & (UIO_MX - 1)) {
                log(LOG_ERR, "ptyfs: invalid directory entry size");
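Review bot: The new nested test at the `*data_len` check rejects an OSIZE argument block whose `version` claims PTYFS_ARGSVERSION or newer, but nothing says why, and the shape of the condition (an outer `!= sizeof *args` with an inner `||`) hides the intent; a one-line comment would help: `/* An OSIZE block cannot carry a PTYFS_ARGSVERSION struct: the newer fields it claims are not present. */`. The check also relies on `version` lying within the first OSIZE bytes of the struct, which is not visible here and is worth confirming against the args definition. The reverse mismatch, a full-size block carrying an old `version`, still passes this check; whether the later version-dependent reads tolerate that is outside the hunk. The enclosing function begins before and continues past this hunk.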
diff -r f6a4fcfea825 -r 402a3b262dbd sys/miscfs/umapfs/umap_vfsops.c
--- a/sys/miscfs/umapfs/umap_vfsops.c   Wed Aug 27 14:45:11 2014 +0000
+++ b/sys/miscfs/umapfs/umap_vfsops.c   Wed Aug 27 14:59:06 2014 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: umap_vfsops.c,v 1.86.20.1 2014/04/21 10:17:48 bouyer Exp $     */
+/*     $NetBSD: umap_vfsops.c,v 1.86.20.2 2014/08/27 14:59:06 msaitoh Exp $    */
 
 /*
  * Copyright (c) 1992, 1993
@@ -41,7 +41,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: umap_vfsops.c,v 1.86.20.1 2014/04/21 10:17:48 bouyer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: umap_vfsops.c,v 1.86.20.2 2014/08/27 14:59:06 msaitoh Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -155,9 +155,10 @@
        /*
         * Now copy in the number of entries and maps for umap mapping.
         */
-       if (args->nentries > MAPFILEENTRIES || args->gnentries > GMAPFILEENTRIES) {
+       if (args->nentries < 0 || args->nentries > MAPFILEENTRIES ||
+           args->gnentries < 0 || args->gnentries > GMAPFILEENTRIES) {
                vput(lowerrootvp);
-               return (error);
+               return (EINVAL);
        }
 
        amp->info_nentries = args->nentries;
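Review bot: The new EINVAL path only does `vput(lowerrootvp)`, yet `amp` is dereferenced on the very next line (`amp->info_nentries = args->nentries;`), so it appears `amp` is already allocated when this check fails; if so, the early return leaks it (and anything `mp->mnt_data` already points at) — confirm where `amp` comes from and add the matching free before `return (EINVAL);` if needed. The widened range test also deserves a note, since the `< 0` halves look redundant beside an upper bound: `/* nentries/gnentries are signed and user-supplied; a negative value would become a huge copyin length below. */`. The enclosing function begins before and ends after this hunk.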


