tech-kern archive
clockctl clock_settime bug
can someone explain how this ever worked?
my sparc64 box was crashing in clockctl clock_settime until i
applied the following patch.
i plan to commit this and request pullup for all active branches
it applies to unless someone can give me a good reason otherwise.
summary: ioctl struct contains a userland pointer that is
accessed in kernel space directly, not via copyin.
.mrg.
Index: clockctl.c
===================================================================
RCS file: /cvsroot/src/sys/dev/clockctl.c,v
retrieving revision 1.24
diff -p -r1.24 clockctl.c
*** clockctl.c 11 Jan 2009 02:45:50 -0000 1.24
--- clockctl.c 18 Feb 2009 04:57:43 -0000
*************** clockctlioctl(
*** 107,115 ****
}
case CLOCKCTL_CLOCK_SETTIME: {
struct clockctl_clock_settime *args = data;
! error = clock_settime1(l->l_proc, args->clock_id,
! args->tp, false);
break;
}
#ifdef NTP
--- 107,121 ----
}
case CLOCKCTL_CLOCK_SETTIME: {
struct clockctl_clock_settime *args = data;
+ struct timespec ts;
! if (args->tp) {
! error = copyin(args->tp, &ts, sizeof ts);
! if (error)
! return (error);
! error = clock_settime1(l->l_proc, args->clock_id,
! &ts, false);
! }
break;
}
#ifdef NTP
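Review bot: in the new CLOCKCTL_CLOCK_SETTIME block, a NULL args->tp skips the whole body and reaches break without this case ever assigning error, so the ioctl returns whatever error held before the switch (its initial value is not visible in this hunk), which may be success with the clock left unchanged. Either drop the "if (args->tp)" test and let copyin() report the bad pointer, or add an else branch that sets error explicitly. Separately, the "return (error);" after a failed copyin leaves the function directly while the rest of the case uses break; using break there would keep a single exit path through whatever follows the switch.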