Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/sys Fix integer overflows noted by Silvio Cesare of InfoSect.
details: https://anonhg.NetBSD.org/src/rev/d5df99143eda
branches: trunk
changeset: 829263:d5df99143eda
user: riastradh <riastradh%NetBSD.org@localhost>
date: Wed Jan 24 05:35:58 2018 +0000
description:
Fix integer overflows noted by Silvio Cesare of InfoSect.
Someone^TM should name these idioms so we can eliminate this class of
copypasta bug.
diffstat:
sys/arch/arm/allwinner/awin_debe.c | 6 +++---
sys/arch/arm/iomd/vidcvideo.c | 6 +++---
sys/arch/luna68k/dev/lunafb.c | 6 +++---
sys/arch/pmax/ibus/pm.c | 6 +++---
sys/dev/ic/bt463.c | 6 +++---
sys/dev/ic/bt485.c | 6 +++---
sys/dev/ic/igsfb.c | 9 +++++----
sys/dev/pci/radeonfb.c | 13 ++++++-------
sys/dev/sbus/tcx.c | 8 ++++++--
sys/dev/tc/cfb.c | 6 +++---
sys/dev/tc/mfb.c | 6 +++---
sys/dev/tc/sfb.c | 6 +++---
sys/dev/tc/sfbplus.c | 6 +++---
sys/dev/tc/stic.c | 6 +++---
sys/dev/tc/tfb.c | 6 +++---
sys/dev/tc/xcfb.c | 6 +++---
16 files changed, 56 insertions(+), 52 deletions(-)
diffs (truncated from 466 to 300 lines):
diff -r 6fcbd34374e0 -r d5df99143eda sys/arch/arm/allwinner/awin_debe.c
--- a/sys/arch/arm/allwinner/awin_debe.c Wed Jan 24 03:44:10 2018 +0000
+++ b/sys/arch/arm/allwinner/awin_debe.c Wed Jan 24 05:35:58 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: awin_debe.c,v 1.20 2015/11/22 17:50:48 aymeric Exp $ */
+/* $NetBSD: awin_debe.c,v 1.21 2018/01/24 05:35:58 riastradh Exp $ */
/*-
* Copyright (c) 2014 Jared D. McNeill <jmcneill%invisible.ca@localhost>
@@ -38,7 +38,7 @@
#define AWIN_DEBE_CURMAX 64
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: awin_debe.c,v 1.20 2015/11/22 17:50:48 aymeric Exp $");
+__KERNEL_RCSID(0, "$NetBSD: awin_debe.c,v 1.21 2018/01/24 05:35:58 riastradh Exp $");
#include <sys/param.h>
#include <sys/bus.h>
@@ -393,7 +393,7 @@
if (cur->which & WSDISPLAY_CURSOR_DOCMAP) {
index = cur->cmap.index;
count = cur->cmap.count;
- if (index >= 2 || (index + count) > 2)
+ if (index >= 2 || count > 2 - index)
return EINVAL;
error = copyin(cur->cmap.red, &r[index], count);
if (error)
diff -r 6fcbd34374e0 -r d5df99143eda sys/arch/arm/iomd/vidcvideo.c
--- a/sys/arch/arm/iomd/vidcvideo.c Wed Jan 24 03:44:10 2018 +0000
+++ b/sys/arch/arm/iomd/vidcvideo.c Wed Jan 24 05:35:58 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: vidcvideo.c,v 1.44 2014/01/21 19:31:57 christos Exp $ */
+/* $NetBSD: vidcvideo.c,v 1.45 2018/01/24 05:35:58 riastradh Exp $ */
/*
* Copyright (c) 2001 Reinoud Zandijk
@@ -30,7 +30,7 @@
#include <sys/cdefs.h> /* RCS ID & Copyright macro defns */
-__KERNEL_RCSID(0, "$NetBSD: vidcvideo.c,v 1.44 2014/01/21 19:31:57 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vidcvideo.c,v 1.45 2018/01/24 05:35:58 riastradh Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -667,7 +667,7 @@
u_int index = p->index, count = p->count;
int error;
- if (index >= CMAP_SIZE || (index + count) > CMAP_SIZE)
+ if (index >= CMAP_SIZE || count > CMAP_SIZE - index)
return EINVAL;
error = copyin(p->red, &cmap.r[index], count);
diff -r 6fcbd34374e0 -r d5df99143eda sys/arch/luna68k/dev/lunafb.c
--- a/sys/arch/luna68k/dev/lunafb.c Wed Jan 24 03:44:10 2018 +0000
+++ b/sys/arch/luna68k/dev/lunafb.c Wed Jan 24 05:35:58 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: lunafb.c,v 1.36 2014/10/04 16:58:17 tsutsui Exp $ */
+/* $NetBSD: lunafb.c,v 1.37 2018/01/24 05:35:58 riastradh Exp $ */
/*-
* Copyright (c) 2000 The NetBSD Foundation, Inc.
@@ -31,7 +31,7 @@
#include <sys/cdefs.h> /* RCS ID & Copyright macro defns */
-__KERNEL_RCSID(0, "$NetBSD: lunafb.c,v 1.36 2014/10/04 16:58:17 tsutsui Exp $");
+__KERNEL_RCSID(0, "$NetBSD: lunafb.c,v 1.37 2018/01/24 05:35:58 riastradh Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -345,7 +345,7 @@
int cmsize, i, error;
cmsize = sc->sc_dc->dc_cmsize;
- if (index >= cmsize || (index + count) > cmsize)
+ if (index >= cmsize || count > cmsize - index)
return (EINVAL);
error = copyin(p->red, &cmap.r[index], count);
diff -r 6fcbd34374e0 -r d5df99143eda sys/arch/pmax/ibus/pm.c
--- a/sys/arch/pmax/ibus/pm.c Wed Jan 24 03:44:10 2018 +0000
+++ b/sys/arch/pmax/ibus/pm.c Wed Jan 24 05:35:58 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: pm.c,v 1.14 2018/01/05 13:11:32 flxd Exp $ */
+/* $NetBSD: pm.c,v 1.15 2018/01/24 05:35:58 riastradh Exp $ */
/*-
* Copyright (c) 2002, 2003 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: pm.c,v 1.14 2018/01/05 13:11:32 flxd Exp $");
+__KERNEL_RCSID(0, "$NetBSD: pm.c,v 1.15 2018/01/24 05:35:58 riastradh Exp $");
#include <sys/param.h>
#include <sys/buf.h>
@@ -742,7 +742,7 @@
if ((v & WSDISPLAY_CURSOR_DOCMAP) != 0) {
index = p->cmap.index;
count = p->cmap.count;
- if (index >= 2 || (index + count) > 2)
+ if (index >= 2 || count > 2 - index)
return (EINVAL);
rv = copyin(p->cmap.red, &cc->cc_color[index], count);
diff -r 6fcbd34374e0 -r d5df99143eda sys/dev/ic/bt463.c
--- a/sys/dev/ic/bt463.c Wed Jan 24 03:44:10 2018 +0000
+++ b/sys/dev/ic/bt463.c Wed Jan 24 05:35:58 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: bt463.c,v 1.17 2013/06/24 03:57:36 riastradh Exp $ */
+/* $NetBSD: bt463.c,v 1.18 2018/01/24 05:35:58 riastradh Exp $ */
/*-
* Copyright (c) 1998 The NetBSD Foundation, Inc.
@@ -62,7 +62,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: bt463.c,v 1.17 2013/06/24 03:57:36 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: bt463.c,v 1.18 2018/01/24 05:35:58 riastradh Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -416,7 +416,7 @@
int count, index, error;
if (cursorp->cmap.index > 2 ||
- (cursorp->cmap.index + cursorp->cmap.count) > 2)
+ cursorp->cmap.count > 2 - cursorp->cmap.index)
return (EINVAL);
count = cursorp->cmap.count;
index = cursorp->cmap.index;
diff -r 6fcbd34374e0 -r d5df99143eda sys/dev/ic/bt485.c
--- a/sys/dev/ic/bt485.c Wed Jan 24 03:44:10 2018 +0000
+++ b/sys/dev/ic/bt485.c Wed Jan 24 05:35:58 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: bt485.c,v 1.17 2013/06/24 03:57:36 riastradh Exp $ */
+/* $NetBSD: bt485.c,v 1.18 2018/01/24 05:35:58 riastradh Exp $ */
/*
* Copyright (c) 1995, 1996 Carnegie-Mellon University.
@@ -32,7 +32,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: bt485.c,v 1.17 2013/06/24 03:57:36 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: bt485.c,v 1.18 2018/01/24 05:35:58 riastradh Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -330,7 +330,7 @@
*/
if (v & WSDISPLAY_CURSOR_DOCMAP) {
if (cursorp->cmap.index > 2 ||
- (cursorp->cmap.index + cursorp->cmap.count) > 2)
+ cursorp->cmap.count > 2 - cursorp->cmap.index)
return (EINVAL);
count = cursorp->cmap.count;
index = cursorp->cmap.index;
diff -r 6fcbd34374e0 -r d5df99143eda sys/dev/ic/igsfb.c
--- a/sys/dev/ic/igsfb.c Wed Jan 24 03:44:10 2018 +0000
+++ b/sys/dev/ic/igsfb.c Wed Jan 24 05:35:58 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: igsfb.c,v 1.56 2017/01/25 17:31:55 jakllsch Exp $ */
+/* $NetBSD: igsfb.c,v 1.57 2018/01/24 05:35:58 riastradh Exp $ */
/*
* Copyright (c) 2002, 2003 Valeriy E. Ushakov
@@ -31,7 +31,7 @@
* Integraphics Systems IGA 168x and CyberPro series.
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: igsfb.c,v 1.56 2017/01/25 17:31:55 jakllsch Exp $");
+__KERNEL_RCSID(0, "$NetBSD: igsfb.c,v 1.57 2018/01/24 05:35:58 riastradh Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -812,9 +812,10 @@
if (index >= IGS_CMAP_SIZE)
return;
- last = index + count;
- if (last > IGS_CMAP_SIZE)
+ if (count > IGS_CMAP_SIZE - index)
last = IGS_CMAP_SIZE;
+ else
+ last = index + count;
t = dc->dc_iot;
h = dc->dc_ioh;
diff -r 6fcbd34374e0 -r d5df99143eda sys/dev/pci/radeonfb.c
--- a/sys/dev/pci/radeonfb.c Wed Jan 24 03:44:10 2018 +0000
+++ b/sys/dev/pci/radeonfb.c Wed Jan 24 05:35:58 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: radeonfb.c,v 1.93 2017/10/11 17:08:32 macallan Exp $ */
+/* $NetBSD: radeonfb.c,v 1.94 2018/01/24 05:35:58 riastradh Exp $ */
/*-
* Copyright (c) 2006 Itronix Inc.
@@ -70,7 +70,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: radeonfb.c,v 1.93 2017/10/11 17:08:32 macallan Exp $");
+__KERNEL_RCSID(0, "$NetBSD: radeonfb.c,v 1.94 2018/01/24 05:35:58 riastradh Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -2756,8 +2756,7 @@
#ifdef GENFB_DEBUG
aprint_debug("putcmap: %d %d\n",index, count);
#endif
- if (cm->index >= 256 || cm->count > 256 ||
- (cm->index + cm->count) > 256)
+ if (index >= 256 || count > 256 - index)
return EINVAL;
error = copyin(cm->red, &rbuf[index], count);
if (error)
@@ -2792,7 +2791,7 @@
u_int count = cm->count;
int error;
- if (index >= 255 || count > 256 || index + count > 256)
+ if (index >= 256 || count > 256 - index)
return EINVAL;
error = copyout(&dp->rd_cmap_red[index], cm->red, count);
@@ -3605,8 +3604,8 @@
if (flags & WSDISPLAY_CURSOR_DOCMAP) {
index = wc->cmap.index;
count = wc->cmap.count;
-
- if (index >= 2 || (index + count) > 2)
+
+ if (index >= 2 || count > 2 - index)
return EINVAL;
err = copyin(wc->cmap.red, &r[index], count);
diff -r 6fcbd34374e0 -r d5df99143eda sys/dev/sbus/tcx.c
--- a/sys/dev/sbus/tcx.c Wed Jan 24 03:44:10 2018 +0000
+++ b/sys/dev/sbus/tcx.c Wed Jan 24 05:35:58 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: tcx.c,v 1.57 2016/09/23 17:45:25 macallan Exp $ */
+/* $NetBSD: tcx.c,v 1.58 2018/01/24 05:35:58 riastradh Exp $ */
/*
* Copyright (c) 1996, 1998, 2009 The NetBSD Foundation, Inc.
@@ -38,7 +38,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: tcx.c,v 1.57 2016/09/23 17:45:25 macallan Exp $");
+__KERNEL_RCSID(0, "$NetBSD: tcx.c,v 1.58 2018/01/24 05:35:58 riastradh Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -474,6 +474,8 @@
case FBIOGETCMAP:
#define p ((struct fbcmap *)data)
+ if (p->index > 256 || p->count > 256 - p->index)
+ return EINVAL;
if (copyout(&sc->sc_cmap_red[p->index], p->red, p->count) != 0)
return EINVAL;
if (copyout(&sc->sc_cmap_green[p->index], p->green, p->count)
@@ -486,6 +488,8 @@
case FBIOPUTCMAP:
/* copy to software map */
+ if (p->index > 256 || p->count > 256 - p->index)
+ return EINVAL;
if (copyin(p->red, &sc->sc_cmap_red[p->index], p->count) != 0)
return EINVAL;
if (copyin(p->green, &sc->sc_cmap_green[p->index], p->count)
diff -r 6fcbd34374e0 -r d5df99143eda sys/dev/tc/cfb.c
--- a/sys/dev/tc/cfb.c Wed Jan 24 03:44:10 2018 +0000
+++ b/sys/dev/tc/cfb.c Wed Jan 24 05:35:58 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: cfb.c,v 1.61 2012/01/11 21:12:36 macallan Exp $ */
+/* $NetBSD: cfb.c,v 1.62 2018/01/24 05:35:58 riastradh Exp $ */
/*-
* Copyright (c) 1998, 1999 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: cfb.c,v 1.61 2012/01/11 21:12:36 macallan Exp $");
+__KERNEL_RCSID(0, "$NetBSD: cfb.c,v 1.62 2018/01/24 05:35:58 riastradh Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -719,7 +719,7 @@
if (v & WSDISPLAY_CURSOR_DOCMAP) {
index = p->cmap.index;
count = p->cmap.count;
- if (index >= 2 || (index + count) > 2)
Home |
Main Index |
Thread Index |
Old Index