Introduce a kqfilter wrapper for the controlling tty device entry

which allows a correct registration of kqueue(2) notifications on
the /dev/tty instead of calling a function via a null pointer in
the ttkqfilter leading to a local DoS.

Surprisingly the same code is present in NetBSD since the kqueue
merge, but didn't make it to the OpenBSD for 10 years.

Thanks to Anton Yabchinskiy <arn-at-bestmx-dot-ru> for a GHCi crash
report and his willingness to test multiple diffs for over a week.

With input from nicm, ok miod, derraadt.

1 files changed, 12 insertions, 1 deletions

diff --git a/sys/kern/tty_tty.c b/sys/kern/tty_tty.c
index 2a410b10456..75e3db2b807 100644
--- a/sys/kern/tty_tty.c
+++ b/sys/kern/tty_tty.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: tty_tty.c,v 1.11 2010/07/26 01:56:27 guenther Exp $	*/
+/*	$OpenBSD: tty_tty.c,v 1.12 2011/10/06 09:14:35 mikeb Exp $	*/
 /*	$NetBSD: tty_tty.c,v 1.13 1996/03/30 22:24:46 christos Exp $	*/
 
 /*-
@@ -139,3 +139,14 @@ cttypoll(dev_t dev, int events, struct proc *p)
 		return (seltrue(dev, events, p));
 	return (VOP_POLL(ttyvp, events, p));
 }
+
+/*ARGSUSED*/
+int
+cttykqfilter(dev_t dev, struct knote *kn)
+{
+	struct vnode *ttyvp = cttyvp(curproc);
+
+	if (ttyvp == NULL)
+		return (ENXIO);
+	return (VOP_KQFILTER(ttyvp, kn));
+}