From ecd1eefababcba78141cf35e53ce1986f3041da8 Mon Sep 17 00:00:00 2001
From: Theo de Raadt
Date: Fri, 20 Nov 1998 15:57:26 +0000
Subject: careful off handling in mmap routines
---
 sys/arch/i386/i386/mem.c | 6 +++---
 sys/arch/i386/isa/pccons.c | 4 ++--
 sys/arch/i386/isa/pcvt/pcvt_drv.c | 4 ++--
 sys/arch/sparc/dev/bwtwo.c | 4 +++-
 sys/arch/sparc/dev/cgeight.c | 6 ++++--
 sys/arch/sparc/dev/cgfour.c | 6 ++++--
 sys/arch/sparc/dev/cgfourteen.c | 5 ++++-
 sys/arch/sparc/dev/cgthree.c | 5 ++++-
 sys/arch/sparc/dev/cgtwo.c | 4 +++-
 sys/arch/sparc/dev/tcx.c | 5 ++++-
 10 files changed, 33 insertions(+), 16 deletions(-)
(limited to 'sys/arch')
diff --git a/sys/arch/i386/i386/mem.c b/sys/arch/i386/i386/mem.c
index 65395b92361..9704aa82728 100644
--- a/sys/arch/i386/i386/mem.c
+++ b/sys/arch/i386/i386/mem.c
@@ -1,5 +1,5 @@
 /* $NetBSD: mem.c,v 1.31 1996/05/03 19:42:19 christos Exp $ */
-/* $OpenBSD: mem.c,v 1.9 1998/08/31 17:42:30 millert Exp $ */
+/* $OpenBSD: mem.c,v 1.10 1998/11/20 15:57:24 deraadt Exp $ */
 /*
 * Copyright (c) 1988 University of Utah.
 * Copyright (c) 1982, 1986, 1990, 1993
@@ -231,10 +231,10 @@ mmmmap(dev, off, prot)
 switch (minor(dev)) {
 /* minor device 0 is physical memory */
 case 0:
- if (off > ctob(physmem) &&
+ if ((u_int)off > ctob(physmem) &&
 suser(p->p_ucred, &p->p_acflag) != 0)
 return -1;
- return i386_btop(off);
+ return i386_btop((u_int)off);
 /* minor device 1 is kernel memory */
 case 1:
diff --git a/sys/arch/i386/isa/pccons.c b/sys/arch/i386/isa/pccons.c
index f66652a2358..e55c868afa3 100644
--- a/sys/arch/i386/isa/pccons.c
+++ b/sys/arch/i386/isa/pccons.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pccons.c,v 1.41 1998/07/09 18:22:25 deraadt Exp $ */
+/* $OpenBSD: pccons.c,v 1.42 1998/11/20 15:57:25 deraadt Exp $ */
 /* $NetBSD: pccons.c,v 1.99.4.1 1996/06/04 20:03:53 cgd Exp $ */
 /*-
@@ -1892,7 +1892,7 @@ pcmmap(dev, offset, nprot)
 int nprot;
 {
- if (offset > 0x20000)
+ if ((u_int)offset > 0x20000)
 return -1;
 return i386_btop(0xa0000 + offset);
 }
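Review bot: The bounds touched in `mmmmap` (mem.c) and in `pcmmap` (pccons.c, and the identical hunk in pcvt_drv.c) stay inclusive after the cast, so the offset exactly at the limit is still accepted. For `pcmmap`, `(u_int)offset > 0x20000` lets 0x20000 through, and `i386_btop(0xa0000 + offset)` then yields the page at 0xc0000, one page past the 0x20000-byte range that starts at 0xa0000; `if ((u_int)offset >= 0x20000)` closes that. For `mmmmap`, `(u_int)off > ctob(physmem)` appears to let an offset equal to `ctob(physmem)` skip the `suser()` check, so `>=` looks like the intended test there too, assuming `physmem` counts pages from address 0. Both functions continue outside their hunks.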
diff --git a/sys/arch/i386/isa/pcvt/pcvt_drv.c b/sys/arch/i386/isa/pcvt/pcvt_drv.c
index 2c60c066b9b..33f2adde5e1 100644
--- a/sys/arch/i386/isa/pcvt/pcvt_drv.c
+++ b/sys/arch/i386/isa/pcvt/pcvt_drv.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pcvt_drv.c,v 1.21 1998/06/30 20:51:08 millert Exp $ */
+/* $OpenBSD: pcvt_drv.c,v 1.22 1998/11/20 15:57:25 deraadt Exp $ */
 /*
 * Copyright (c) 1992, 1995 Hellmuth Michaelis and Joerg Wunsch.
@@ -521,7 +521,7 @@ do_standard:
 int pcmmap(Dev_t dev, int offset, int nprot)
 {
- if (offset > 0x20000)
+ if ((u_int)offset > 0x20000)
 return -1;
 return i386_btop((0xa0000 + offset));
 }
diff --git a/sys/arch/sparc/dev/bwtwo.c b/sys/arch/sparc/dev/bwtwo.c
index e8f1177fea5..5bd695d5763 100644
--- a/sys/arch/sparc/dev/bwtwo.c
+++ b/sys/arch/sparc/dev/bwtwo.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bwtwo.c,v 1.14 1997/08/08 08:24:43 downsj Exp $ */
+/* $OpenBSD: bwtwo.c,v 1.15 1998/11/20 15:57:21 deraadt Exp $ */
 /* $NetBSD: bwtwo.c,v 1.33 1997/05/24 20:16:02 pk Exp $ */
 /*
@@ -456,6 +456,8 @@ bwtwommap(dev, off, prot)
 if (off & PGOFSET)
 panic("bwtwommap");
+ if (off < 0)
+ return (-1);
 if ((unsigned)off >= sc->sc_fb.fb_type.fb_size)
 return (-1);
 /*
diff --git a/sys/arch/sparc/dev/cgeight.c b/sys/arch/sparc/dev/cgeight.c
index 48a1675266e..20843f89697 100644
--- a/sys/arch/sparc/dev/cgeight.c
+++ b/sys/arch/sparc/dev/cgeight.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cgeight.c,v 1.8 1997/08/08 08:24:44 downsj Exp $ */
+/* $OpenBSD: cgeight.c,v 1.9 1998/11/20 15:57:21 deraadt Exp $ */
 /* $NetBSD: cgeight.c,v 1.13 1997/05/24 20:16:04 pk Exp $ */
 /*
@@ -404,6 +404,8 @@ cgeightmmap(dev, off, prot)
 if (off & PGOFSET)
 panic("cgeightmap");
+ if (off < 0)
+ return (-1);
 if ((u_int)off >= NOOVERLAY) {
 off -= NOOVERLAY;
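Review bot: The added `if (off < 0) return (-1);` in `bwtwommap` (bwtwo.c) has no comment saying why it sits in front of the `(unsigned)off >= sc->sc_fb.fb_type.fb_size` test on the next line, which presumably already rejects a negative `off` because the cast turns it into a very large value; `cgtwommap` in cgtwo.c has the same pair. Keeping the explicit guard is reasonable, but a one-line comment would protect it from being removed as redundant, e.g. `/* off is signed: reject negatives explicitly, do not rely on the cast below */`. The i386 hunks in this commit rely on the cast alone while the sparc hunks add the explicit guard, so stating the chosen idiom in each driver keeps later cleanups consistent. The function body continues outside the hunk.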
@@ -412,7 +414,7 @@ cgeightmmap(dev, off, prot)
 * there really is. We compensate by double-mapping the
 * first page for as many other pages as it wants
 */
- while (off >= COLOR_SIZE)
+ while ((u_int)off >= COLOR_SIZE)
 off -= COLOR_SIZE; /* XXX thorpej ??? */
 poff = off + PFOUR_COLOR_OFF_COLOR;
diff --git a/sys/arch/sparc/dev/cgfour.c b/sys/arch/sparc/dev/cgfour.c
index 4284b1c5781..968a57fa69b 100644
--- a/sys/arch/sparc/dev/cgfour.c
+++ b/sys/arch/sparc/dev/cgfour.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cgfour.c,v 1.8 1997/08/08 08:24:46 downsj Exp $ */
+/* $OpenBSD: cgfour.c,v 1.9 1998/11/20 15:57:21 deraadt Exp $ */
 /* $NetBSD: cgfour.c,v 1.13 1997/05/24 20:16:06 pk Exp $ */
 /*
@@ -402,6 +402,8 @@ cgfourmmap(dev, off, prot)
 if (off & PGOFSET)
 panic("cgfourmap");
+ if (off < 0)
+ return (-1);
 if ((u_int)off >= NOOVERLAY) {
 off -= NOOVERLAY;
@@ -410,7 +412,7 @@ cgfourmmap(dev, off, prot)
 * there really is. We compensate by double-mapping the
 * first page for as many other pages as it wants
 */
- while (off >= COLOR_SIZE)
+ while ((u_int)off >= COLOR_SIZE)
 off -= COLOR_SIZE; /* XXX thorpej ??? */
 poff = off + PFOUR_COLOR_OFF_COLOR;
diff --git a/sys/arch/sparc/dev/cgfourteen.c b/sys/arch/sparc/dev/cgfourteen.c
index 2786bb6a9ff..052b245c11b 100644
--- a/sys/arch/sparc/dev/cgfourteen.c
+++ b/sys/arch/sparc/dev/cgfourteen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cgfourteen.c,v 1.1 1997/08/08 08:24:48 downsj Exp $ */
+/* $OpenBSD: cgfourteen.c,v 1.2 1998/11/20 15:57:21 deraadt Exp $ */
 /* $NetBSD: cgfourteen.c,v 1.7 1997/05/24 20:16:08 pk Exp $ */
 /*
@@ -577,6 +577,9 @@ cgfourteenmmap(dev, off, prot)
 if (off & PGOFSET)
 panic("cgfourteenmmap");
+ if (off < 0)
+ return (-1);
+
 #if defined(DEBUG) && defined(CG14_MAP_REGS) /* XXX: security hole */
 /*
 * Map the control registers into user space. Should only be
diff --git a/sys/arch/sparc/dev/cgthree.c b/sys/arch/sparc/dev/cgthree.c
index c9964f1b766..888432bee1a 100644
--- a/sys/arch/sparc/dev/cgthree.c
+++ b/sys/arch/sparc/dev/cgthree.c
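Review bot: In the `while ((u_int)off >= COLOR_SIZE)` loop of `cgeightmmap` (and the identical hunk in `cgfourmmap`), nothing records that `off` is expected to be non-negative here, which the `off < 0` guard added in the previous hunk appears to guarantee, since `off -= NOOVERLAY` runs only when `off >= NOOVERLAY`. With both checks in place the cast is defence in depth, and a comment such as `/* off >= 0 here; cast kept so a negative offset can never skip the wrap */` would stop a later cleanup from dropping one of them. For a non-negative `off` the repeated subtraction is equivalent to `off %= COLOR_SIZE;`, which also bounds the work for a large offset. The enclosing `if` block opens in the previous hunk and continues past this one.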
@@ -1,4 +1,4 @@
-/* $OpenBSD: cgthree.c,v 1.7 1997/09/01 03:56:45 todd Exp $ */
+/* $OpenBSD: cgthree.c,v 1.8 1998/11/20 15:57:22 deraadt Exp $ */
 /* $NetBSD: cgthree.c,v 1.33 1997/05/24 20:16:11 pk Exp $ */
 /*
@@ -433,6 +433,9 @@ cgthreemmap(dev, off, prot)
 if (off & PGOFSET)
 panic("cgthreemmap");
+
+ if (off < 0)
+ return (-1);
 if ((u_int)off >= NOOVERLAY)
 off -= NOOVERLAY;
 else if ((u_int)off >= START)
diff --git a/sys/arch/sparc/dev/cgtwo.c b/sys/arch/sparc/dev/cgtwo.c
index e682f6b8a26..1c547175423 100644
--- a/sys/arch/sparc/dev/cgtwo.c
+++ b/sys/arch/sparc/dev/cgtwo.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cgtwo.c,v 1.11 1997/08/08 08:24:55 downsj Exp $ */
+/* $OpenBSD: cgtwo.c,v 1.12 1998/11/20 15:57:22 deraadt Exp $ */
 /* $NetBSD: cgtwo.c,v 1.22 1997/05/24 20:16:12 pk Exp $ */
 /*
@@ -429,6 +429,8 @@ cgtwommap(dev, off, prot)
 if (off & PGOFSET)
 panic("cgtwommap");
+ if (off < 0)
+ return (-1);
 if ((unsigned)off >= sc->sc_fb.fb_type.fb_size)
 return (-1);
diff --git a/sys/arch/sparc/dev/tcx.c b/sys/arch/sparc/dev/tcx.c
index 608fb4e64c0..a3c8fbfff8a 100644
--- a/sys/arch/sparc/dev/tcx.c
+++ b/sys/arch/sparc/dev/tcx.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tcx.c,v 1.1 1997/08/08 08:25:31 downsj Exp $ */
+/* $OpenBSD: tcx.c,v 1.2 1998/11/20 15:57:24 deraadt Exp $ */
 /* $NetBSD: tcx.c,v 1.8 1997/07/29 09:58:14 fair Exp $ */
 /*
@@ -470,6 +470,9 @@ tcxmmap(dev, off, prot)
 if (off & PGOFSET)
 panic("tcxmmap");
+ if (off < 0)
+ return (-1);
+
 /*
 * Entries with size 0 map video RAM (i.e., the size in fb data).
 *
-- cgit v1.2.3