Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/netbsd-7-0]: src/sys/dev Pull up following revision(s) (requested by mrg...
details: https://anonhg.NetBSD.org/src/rev/796b80f73322
branches: netbsd-7-0
changeset: 801372:796b80f73322
user: snj <snj%NetBSD.org@localhost>
date: Sat Aug 19 05:19:28 2017 +0000
description:
Pull up following revision(s) (requested by mrg in ticket #1476):
sys/dev/vnd.c: revision 1.260, 1.262 via patch
Put in a litany of judicious bounds checks around vnd headers.
Thought I was done with this crap after I rewrote vndcompress(1)!
>From Ilja Van Sprundel.
--
Appease toxic bullshit warning from gcc.
If you have a better way to write a useful bounds check that happens
to always pass on LP64 but doesn't always on LP32, without making it
fail to compile on LP64 or making it an #ifdef conditional on LP32,
please put it in here instead.
diffstat:
sys/dev/vnd.c | 37 ++++++++++++++++++++++++++++++++-----
1 files changed, 32 insertions(+), 5 deletions(-)
diffs (76 lines):
diff -r 90563e9ebf31 -r 796b80f73322 sys/dev/vnd.c
--- a/sys/dev/vnd.c Sat Aug 12 19:12:04 2017 +0000
+++ b/sys/dev/vnd.c Sat Aug 19 05:19:28 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: vnd.c,v 1.232.2.3.2.1 2016/01/02 14:38:45 riz Exp $ */
+/* $NetBSD: vnd.c,v 1.232.2.3.2.2 2017/08/19 05:19:28 snj Exp $ */
/*-
* Copyright (c) 1996, 1997, 1998, 2008 The NetBSD Foundation, Inc.
@@ -91,7 +91,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: vnd.c,v 1.232.2.3.2.1 2016/01/02 14:38:45 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vnd.c,v 1.232.2.3.2.2 2017/08/19 05:19:28 snj Exp $");
#if defined(_KERNEL_OPT)
#include "opt_vnd.h"
@@ -1238,6 +1238,13 @@
VOP_UNLOCK(nd.ni_vp);
goto close_and_exit;
}
+
+ if (ntohl(ch->block_size) == 0 ||
+ ntohl(ch->num_blocks) > UINT32_MAX - 1) {
+ free(ch, M_TEMP);
+ VOP_UNLOCK(nd.ni_vp);
+ goto close_and_exit;
+ }
/* save some header info */
vnd->sc_comp_blksz = ntohl(ch->block_size);
@@ -1249,20 +1256,40 @@
error = EINVAL;
goto close_and_exit;
}
- if (sizeof(struct vnd_comp_header) +
- sizeof(u_int64_t) * vnd->sc_comp_numoffs >
- vattr.va_size) {
+ KASSERT(0 < vnd->sc_comp_blksz);
+ KASSERT(0 < vnd->sc_comp_numoffs);
+ /*
+ * @#^@!$& gcc -Wtype-limits refuses to let me
+ * write SIZE_MAX/sizeof(uint64_t) < numoffs,
+ * because the range of the type on amd64 makes
+ * the comparisons always false.
+ */
+#if SIZE_MAX <= UINT32_MAX*(64/CHAR_BIT)
+ if (SIZE_MAX/sizeof(uint64_t) < vnd->sc_comp_numoffs) {
+ VOP_UNLOCK(nd.ni_vp);
+ error = EINVAL;
+ goto close_and_exit;
+ }
+#endif
+ if ((vattr.va_size < sizeof(struct vnd_comp_header)) ||
+ (vattr.va_size - sizeof(struct vnd_comp_header) <
+ sizeof(uint64_t)*vnd->sc_comp_numoffs) ||
+ (UQUAD_MAX/vnd->sc_comp_blksz <
+ vnd->sc_comp_numoffs - 1)) {
VOP_UNLOCK(nd.ni_vp);
error = EINVAL;
goto close_and_exit;
}
/* set decompressed file size */
+ KASSERT(vnd->sc_comp_numoffs - 1 <=
+ UQUAD_MAX/vnd->sc_comp_blksz);
vattr.va_size =
((u_quad_t)vnd->sc_comp_numoffs - 1) *
(u_quad_t)vnd->sc_comp_blksz;
/* allocate space for all the compressed offsets */
+ __CTASSERT(UINT32_MAX <= UQUAD_MAX/sizeof(uint64_t));
vnd->sc_comp_offsets =
malloc(sizeof(u_int64_t) * vnd->sc_comp_numoffs,
M_DEVBUF, M_WAITOK);
Home |
Main Index |
Thread Index |
Old Index