From c7bd171a110dc759928d58a928869b7e355969c2 Mon Sep 17 00:00:00 2001
From: Ted Unangst
Date: Wed, 5 May 2004 23:52:11 +0000
Subject: make sure uio_offset is a safe value, with suggestions from millert@ ok deraadt@ millert@ problem noticed by deprotect.com
---
 sys/miscfs/procfs/procfs_cmdline.c | 7 +++----
 sys/miscfs/procfs/procfs_fpregs.c | 6 +++---
 sys/miscfs/procfs/procfs_linux.c | 11 ++++-------
 sys/miscfs/procfs/procfs_mem.c | 3 +--
 sys/miscfs/procfs/procfs_regs.c | 6 +++---
 sys/miscfs/procfs/procfs_status.c | 14 +++++++-------
 sys/miscfs/procfs/procfs_subr.c | 4 +++-
 7 files changed, 24 insertions(+), 27 deletions(-)
(limited to 'sys')
diff --git a/sys/miscfs/procfs/procfs_cmdline.c b/sys/miscfs/procfs/procfs_cmdline.c
index b4f3de9858c..c23a733045e 100644
--- a/sys/miscfs/procfs/procfs_cmdline.c
+++ b/sys/miscfs/procfs/procfs_cmdline.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: procfs_cmdline.c,v 1.3 2001/11/06 19:53:20 miod Exp $ */
+/* $OpenBSD: procfs_cmdline.c,v 1.4 2004/05/05 23:52:09 tedu Exp $ */
 /* $NetBSD: procfs_cmdline.c,v 1.3 1999/03/13 22:26:48 thorpej Exp $ */
 /*
@@ -83,11 +83,10 @@ procfs_docmdline(curp, p, pfs, uio)
 */
 if (P_ZOMBIE(p) || (p->p_flag & P_SYSTEM) != 0) {
 len = snprintf(arg, PAGE_SIZE, "(%s)", p->p_comm);
- xlen = len - uio->uio_offset;
- if (xlen <= 0)
+ if (uio->uio_offset >= (off_t)len)
 error = 0;
 else
- error = uiomove(arg, xlen, uio);
+ error = uiomove(arg, len - uio->uio_offset, uio);
 free(arg, M_TEMP);
 return (error);
diff --git a/sys/miscfs/procfs/procfs_fpregs.c b/sys/miscfs/procfs/procfs_fpregs.c
index 7be66cef4f4..a4f91348007 100644
--- a/sys/miscfs/procfs/procfs_fpregs.c
+++ b/sys/miscfs/procfs/procfs_fpregs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: procfs_fpregs.c,v 1.6 2003/06/02 23:28:11 millert Exp $ */
+/* $OpenBSD: procfs_fpregs.c,v 1.7 2004/05/05 23:52:10 tedu Exp $ */
 /* $NetBSD: procfs_fpregs.c,v 1.4 1995/08/13 09:06:05 mycroft Exp $ */
 /*
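Review bot: The new guard `if (uio->uio_offset >= (off_t)len)` only rejects offsets at or beyond the end of the generated string, so a negative uio_offset would still reach `uiomove(arg, len - uio->uio_offset, uio)` with a length larger than the PAGE_SIZE buffer `arg`; this handler is only safe because procfs_rw() in procfs_subr.c (later in this same commit) now returns EINVAL for negative offsets. That dependency is invisible from this file, so a comment above the check would help the next maintainer: `/* uio_offset >= 0 is guaranteed by procfs_rw() */`. procfs_docmdline begins and ends outside the hunk.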
@@ -63,7 +63,7 @@ procfs_dofpregs(curp, p, pfs, uio)
 return (error);
 kl = sizeof(r);
- kv = (char *) &r;
+ kv = (char *)&r;
 kv += uio->uio_offset;
 kl -= uio->uio_offset;
@@ -72,7 +72,7 @@ procfs_dofpregs(curp, p, pfs, uio)
 PHOLD(p);
- if (kl < 0)
+ if (uio->uio_offset > (off_t)sizeof(r))
 error = EINVAL;
 else
 error = process_read_fpregs(p, &r);
diff --git a/sys/miscfs/procfs/procfs_linux.c b/sys/miscfs/procfs/procfs_linux.c
index fe3072d3ac4..356a173d8aa 100644
--- a/sys/miscfs/procfs/procfs_linux.c
+++ b/sys/miscfs/procfs/procfs_linux.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: procfs_linux.c,v 1.4 2001/11/06 19:53:20 miod Exp $ */
+/* $OpenBSD: procfs_linux.c,v 1.5 2004/05/05 23:52:10 tedu Exp $ */
 /* $NetBSD: procfs_linux.c,v 1.2.4.1 2001/03/30 21:48:11 he Exp $ */
 /*
@@ -89,16 +89,13 @@ procfs_domeminfo(struct proc *curp, struct proc *p, struct pfsnode *pfs,
 PGTOKB(uvmexp.swpages),
 PGTOKB(uvmexp.swpages - uvmexp.swpginuse));
- if (len == 0)
+ if (len == 0 || len <= uio->uio_offset || uio->uio_resid == 0)
 return 0;
 len -= uio->uio_offset;
 cp = buf + uio->uio_offset;
 len = imin(len, uio->uio_resid);
- if (len <= 0)
- error = 0;
- else
- error = uiomove(cp, len, uio);
+ error = uiomove(cp, len, uio);
 return error;
 }
@@ -113,7 +110,7 @@ procfs_docpuinfo(struct proc *curp, struct proc *p, struct pfsnode *pfs,
 if (procfs_getcpuinfstr(buf, &len) < 0)
 return EIO;
- if (len == 0)
+ if (len == 0 || uio->uio_offset > sizeof(buf))
 return 0;
 len -= uio->uio_offset;
diff --git a/sys/miscfs/procfs/procfs_mem.c b/sys/miscfs/procfs/procfs_mem.c
index b4a1f798fbb..0e6cd9bede8 100644
--- a/sys/miscfs/procfs/procfs_mem.c
+++ b/sys/miscfs/procfs/procfs_mem.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: procfs_mem.c,v 1.20 2003/08/15 20:32:19 tedu Exp $ */
+/* $OpenBSD: procfs_mem.c,v 1.21 2004/05/05 23:52:10 tedu Exp $ */
 /* $NetBSD: procfs_mem.c,v 1.8 1996/02/09 22:40:50 christos Exp $ */
 /*
@@ -121,4 +121,3 @@ procfs_checkioperm(p, t)
 return (0);
 }
-
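Review bot: The EINVAL check `if (uio->uio_offset > (off_t)sizeof(r))` sits below `kv += uio->uio_offset; kl -= uio->uio_offset;` from the preceding hunk, so an out-of-range offset still forms a pointer past the end of `r` (and truncates the off_t difference into the int `kl`) before being rejected; both values are unused on the error path, but pointer arithmetic outside the object is undefined in C and reads oddly in a bounds fix. Moving the check up to just after `kl = sizeof(r);` as `if (uio->uio_offset > (off_t)sizeof(r)) return (EINVAL);` keeps kv and kl in range at all times, provided nothing between the two hunks needs releasing before PHOLD (not visible here). The identical layout appears in procfs_regs.c at its @@ -62 and @@ -71 hunks. procfs_dofpregs begins and ends outside these hunks.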
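Review bot: In procfs_docpuinfo the new condition `uio->uio_offset > sizeof(buf)` bounds the offset by the buffer capacity rather than by the content length `len` returned through procfs_getcpuinfstr(), unlike procfs_domeminfo in the hunk above, which uses `len <= uio->uio_offset`; for len < uio_offset <= sizeof(buf) the following `len -= uio->uio_offset` goes negative and presumably relies on a later `len <= 0` check outside the hunk. Using the same form here, `if (len == 0 || len <= uio->uio_offset || uio->uio_resid == 0)`, would make the two handlers consistent and also avoid comparing a signed off_t against the unsigned sizeof result. procfs_docpuinfo continues past the hunk.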
diff --git a/sys/miscfs/procfs/procfs_regs.c b/sys/miscfs/procfs/procfs_regs.c
index d2495a2a248..5fe351ca511 100644
--- a/sys/miscfs/procfs/procfs_regs.c
+++ b/sys/miscfs/procfs/procfs_regs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: procfs_regs.c,v 1.7 2003/06/02 23:28:11 millert Exp $ */
+/* $OpenBSD: procfs_regs.c,v 1.8 2004/05/05 23:52:10 tedu Exp $ */
 /* $NetBSD: procfs_regs.c,v 1.9 1995/08/13 09:06:07 mycroft Exp $ */
 /*
@@ -62,7 +62,7 @@ procfs_doregs(curp, p, pfs, uio)
 return (error);
 kl = sizeof(r);
- kv = (char *) &r;
+ kv = (char *)&r;
 kv += uio->uio_offset;
 kl -= uio->uio_offset;
@@ -71,7 +71,7 @@ procfs_doregs(curp, p, pfs, uio)
 PHOLD(p);
- if (kl < 0)
+ if (uio->uio_offset > (off_t)sizeof(r))
 error = EINVAL;
 else
 error = process_read_regs(p, &r);
diff --git a/sys/miscfs/procfs/procfs_status.c b/sys/miscfs/procfs/procfs_status.c
index 5fb379cd861..0d1a117ffc0 100644
--- a/sys/miscfs/procfs/procfs_status.c
+++ b/sys/miscfs/procfs/procfs_status.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: procfs_status.c,v 1.7 2004/03/03 06:28:12 tedu Exp $ */
+/* $OpenBSD: procfs_status.c,v 1.8 2004/05/05 23:52:10 tedu Exp $ */
 /* $NetBSD: procfs_status.c,v 1.11 1996/03/16 23:52:50 christos Exp $ */
 /*
@@ -165,16 +165,16 @@ procfs_dostatus(curp, p, pfs, uio)
 len = procfs_stat_gen(p, NULL, 0);
 ps = malloc(len, M_TEMP, M_WAITOK);
- (void) procfs_stat_gen(p, ps, len);
+ len = procfs_stat_gen(p, ps, len);
- len -= uio->uio_offset;
- len = imin(len, uio->uio_resid);
- if (len <= 0)
+ if (len <= uio->uio_offset)
 error = 0;
- else
+ else {
+ len -= uio->uio_offset;
+ len = imin(len, uio->uio_resid);
 error = uiomove(ps + uio->uio_offset, len, uio);
+ }
 free(ps, M_TEMP);
 return (error);
 }
-
diff --git a/sys/miscfs/procfs/procfs_subr.c b/sys/miscfs/procfs/procfs_subr.c
index 38723b253b4..a7f9ff5f06f 100644
--- a/sys/miscfs/procfs/procfs_subr.c
+++ b/sys/miscfs/procfs/procfs_subr.c
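Review bot: In procfs_dostatus, `len = procfs_stat_gen(p, ps, len);` now takes the second call's return value as the number of bytes present in `ps`, but the buffer was sized from the first call `procfs_stat_gen(p, NULL, 0)`; if the generator reports the length it wanted rather than the length it wrote (snprintf-style) and the process state changed between the two calls, `len` can exceed the allocation and `uiomove(ps + uio->uio_offset, len, uio)` would read past it. Whether procfs_stat_gen clamps its return to the size it was given is not visible here; if it does not, the clamp is a one-liner: `len = imin(len, procfs_stat_gen(p, ps, len));`. procfs_dostatus begins outside the hunk.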
@@ -1,4 +1,4 @@
-/* $OpenBSD: procfs_subr.c,v 1.20 2003/08/11 10:08:04 mickey Exp $ */
+/* $OpenBSD: procfs_subr.c,v 1.21 2004/05/05 23:52:10 tedu Exp $ */
 /* $NetBSD: procfs_subr.c,v 1.15 1996/02/12 15:01:42 christos Exp $ */
 /*
@@ -214,6 +214,8 @@ procfs_rw(v)
 /* Do not permit games to be played with init(8) */
 if (p->p_pid == 1 && securelevel > 0 && uio->uio_rw == UIO_WRITE)
 return (EPERM);
+ if (uio->uio_offset < 0)
+ return (EINVAL);
 switch (pfs->pfs_type) {
 case Pnote:
-- cgit v1.2.3
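Review bot: The new `if (uio->uio_offset < 0) return (EINVAL);` is the single place negative offsets are rejected, and the handlers touched elsewhere in this commit (procfs_docmdline, procfs_dofpregs, procfs_doregs, procfs_domeminfo, procfs_docpuinfo, procfs_dostatus) compare uio_offset only against an upper bound, so they silently depend on this check; a comment should record the invariant, e.g. `/* Every Pxxx handler below assumes uio_offset >= 0. */`. It is also worth confirming that procfs_rw is the only path into those handlers, which cannot be seen from this hunk. procfs_rw begins and ends outside the hunk.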