From 9bbc4e5c6b3df3d035ab2492ce83837dd20cae83 Mon Sep 17 00:00:00 2001
From: Matthew Dillon
Date: Fri, 13 Aug 2004 02:50:58 +0000
Subject: [PATCH] Close a kernel mem disclosure bug in linprocfs. The uio_offset was not being properly bounded. Use uiomove_frombuf() instead of trying to calculate it manually.
Submitted-by: =?ISO-8859-1?Q?Christer_=D6berg?=
---
 sys/emulation/linux/i386/linprocfs/Makefile | 4 +-
 .../linux/i386/linprocfs/linprocfs.h | 4 +-
 .../linux/i386/linprocfs/linprocfs_misc.c | 9 +--
 .../linux/i386/linprocfs/linprocfs_subr.c | 4 +-
 .../linux/i386/linprocfs/linprocfs_vnops.c | 58 +++++++++----------
 5 files changed, 37 insertions(+), 42 deletions(-)
diff --git a/sys/emulation/linux/i386/linprocfs/Makefile b/sys/emulation/linux/i386/linprocfs/Makefile
index 981737b8fb..2cdf8d5105 100644
--- a/sys/emulation/linux/i386/linprocfs/Makefile
+++ b/sys/emulation/linux/i386/linprocfs/Makefile
@@ -1,9 +1,9 @@
 # $FreeBSD: src/sys/modules/linprocfs/Makefile,v 1.1.2.3 2000/06/06 11:53:28 des Exp $
-# $DragonFly: src/sys/emulation/linux/i386/linprocfs/Makefile,v 1.3 2003/08/15 06:32:55 dillon Exp $
+# $DragonFly: src/sys/emulation/linux/i386/linprocfs/Makefile,v 1.4 2004/08/13 02:50:58 dillon Exp $
 .PATH: ${.CURDIR}/../../../../emulation/linux/i386/linprocfs
 KMOD= linprocfs
-SRCS= vnode_if.h linprocfs_misc.c linprocfs_subr.c \
+SRCS= linprocfs_misc.c linprocfs_subr.c \
 linprocfs_vfsops.c linprocfs_vnops.c
 NOMAN=
 CFLAGS+= -DLINPROCFS
diff --git a/sys/emulation/linux/i386/linprocfs/linprocfs.h b/sys/emulation/linux/i386/linprocfs/linprocfs.h
index 27ff927e36..0ac063b577 100644
--- a/sys/emulation/linux/i386/linprocfs/linprocfs.h
+++ b/sys/emulation/linux/i386/linprocfs/linprocfs.h
@@ -39,7 +39,7 @@
  * @(#)procfs.h 8.9 (Berkeley) 5/14/95
  *
  * $FreeBSD: src/sys/i386/linux/linprocfs/linprocfs.h,v 1.2.2.4 2001/06/25 19:46:47 pirzyk Exp $
- * $DragonFly: src/sys/emulation/linux/i386/linprocfs/linprocfs.h,v 1.4 2003/08/27 06:30:04 rob Exp $
+ * $DragonFly: src/sys/emulation/linux/i386/linprocfs/linprocfs.h,v 1.5 2004/08/13 02:50:58 dillon Exp $
  */
 /*
@@ -142,7 +142,7 @@ int linprocfs_validfile (struct proc *);
 #define PROCFS_LOCKED 0x01
 #define PROCFS_WANT 0x02
-extern vop_t **linprocfs_vnodeop_p;
+extern struct vop_ops *linprocfs_vnode_vops;
 int linprocfs_root (struct mount *, struct vnode **);
 int linprocfs_rw (struct vop_read_args *);
diff --git a/sys/emulation/linux/i386/linprocfs/linprocfs_misc.c b/sys/emulation/linux/i386/linprocfs/linprocfs_misc.c
index 3c8ed27e35..4926d03800 100644
--- a/sys/emulation/linux/i386/linprocfs/linprocfs_misc.c
+++ b/sys/emulation/linux/i386/linprocfs/linprocfs_misc.c
@@ -39,7 +39,7 @@
  * @(#)procfs_status.c 8.4 (Berkeley) 6/15/94
  *
  * $FreeBSD: src/sys/i386/linux/linprocfs/linprocfs_misc.c,v 1.3.2.8 2001/06/25 19:46:47 pirzyk Exp $
- * $DragonFly: src/sys/emulation/linux/i386/linprocfs/linprocfs_misc.c,v 1.7 2003/10/12 00:52:48 dillon Exp $
+ * $DragonFly: src/sys/emulation/linux/i386/linprocfs/linprocfs_misc.c,v 1.8 2004/08/13 02:50:58 dillon Exp $
  */
 #include
@@ -486,7 +486,6 @@ linprocfs_doloadavg(struct proc *curp, struct proc *p,
 struct pfsnode *pfs, struct uio *uio)
 {
 char *ps, psbuf[512];
- int xlen;
 ps = psbuf;
 ps += sprintf(ps, "%d.%02d %d.%02d %d.%02d %d/%d %d\n",
@@ -500,10 +499,6 @@ linprocfs_doloadavg(struct proc *curp, struct proc *p,
 -1, /* number of tasks */
 nextpid /* The last pid */
 );
- xlen = ps - psbuf;
- xlen -= uio->uio_offset;
- ps = psbuf + uio->uio_offset;
- xlen = imin(xlen, uio->uio_resid);
- return (xlen <= 0 ? 0 : uiomove(ps, xlen, uio));
+ return(uiomove_frombuf(psbuf, ps - psbuf, uio));
 }
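Review bot: Only `linprocfs_doloadavg` is switched to `uiomove_frombuf()` in linprocfs_misc.c, so any sibling handler that still forms a pointer as `psbuf + uio->uio_offset` before clamping would keep the same out-of-bounds kernel read; those handlers lie outside the two visible hunks and should be checked before the disclosure is treated as closed for all of linprocfs. In the new return line, `ps - psbuf` is a safe length only while the `sprintf` above stays inside `psbuf[512]`; the format holds a handful of integers so that looks true today (the argument list between the two hunks is not shown), and formatting with `snprintf(psbuf, sizeof(psbuf), ...)` would keep it true if the line grows. A comment above the return such as `/* uiomove_frombuf() bounds uio_offset against the buffer length; never index psbuf by uio_offset here */` would keep the manual arithmetic from coming back.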
diff --git a/sys/emulation/linux/i386/linprocfs/linprocfs_subr.c b/sys/emulation/linux/i386/linprocfs/linprocfs_subr.c
index dcddd956fd..76bb150440 100644
--- a/sys/emulation/linux/i386/linprocfs/linprocfs_subr.c
+++ b/sys/emulation/linux/i386/linprocfs/linprocfs_subr.c
@@ -39,7 +39,7 @@
  * @(#)procfs_subr.c 8.6 (Berkeley) 5/14/95
  *
  * $FreeBSD: src/sys/i386/linux/linprocfs/linprocfs_subr.c,v 1.3.2.4 2001/06/25 19:46:47 pirzyk Exp $
- * $DragonFly: src/sys/emulation/linux/i386/linprocfs/linprocfs_subr.c,v 1.7 2004/03/01 06:33:15 dillon Exp $
+ * $DragonFly: src/sys/emulation/linux/i386/linprocfs/linprocfs_subr.c,v 1.8 2004/08/13 02:50:58 dillon Exp $
  */
 #include
@@ -124,7 +124,7 @@ loop:
  */
 MALLOC(pfs, struct pfsnode *, sizeof(struct pfsnode), M_TEMP, M_WAITOK);
- if ((error = getnewvnode(VT_PROCFS, mp, linprocfs_vnodeop_p, vpp)) != 0) {
+ if ((error = getnewvnode(VT_PROCFS, mp, linprocfs_vnode_vops, vpp)) != 0) {
 FREE(pfs, M_TEMP);
 goto out;
 }
diff --git a/sys/emulation/linux/i386/linprocfs/linprocfs_vnops.c b/sys/emulation/linux/i386/linprocfs/linprocfs_vnops.c
index 75c60ffb4d..d1bf4c09e3 100644
--- a/sys/emulation/linux/i386/linprocfs/linprocfs_vnops.c
+++ b/sys/emulation/linux/i386/linprocfs/linprocfs_vnops.c
@@ -39,7 +39,7 @@
  * @(#)procfs_vnops.c 8.18 (Berkeley) 5/21/95
  *
  * $FreeBSD: src/sys/i386/linux/linprocfs/linprocfs_vnops.c,v 1.3.2.5 2001/08/12 14:29:19 rwatson Exp $
- * $DragonFly: src/sys/emulation/linux/i386/linprocfs/linprocfs_vnops.c,v 1.12 2004/06/03 18:09:33 hmp Exp $
+ * $DragonFly: src/sys/emulation/linux/i386/linprocfs/linprocfs_vnops.c,v 1.13 2004/08/13 02:50:58 dillon Exp $
  */
 /*
@@ -1017,37 +1017,37 @@ atopid(b, len)
 /*
  * procfs vnode operations.
  */
-vop_t **linprocfs_vnodeop_p;
+struct vop_ops *linprocfs_vnode_vops;
 static struct vnodeopv_entry_desc linprocfs_vnodeop_entries[] = {
- { &vop_default_desc, (vop_t *) vop_defaultop },
- { &vop_access_desc, (vop_t *) linprocfs_access },
- { &vop_advlock_desc, (vop_t *) linprocfs_badop },
- { &vop_bmap_desc, (vop_t *) linprocfs_bmap },
- { &vop_close_desc, (vop_t *) linprocfs_close },
- { &vop_create_desc, (vop_t *) linprocfs_badop },
- { &vop_getattr_desc, (vop_t *) linprocfs_getattr },
- { &vop_inactive_desc, (vop_t *) linprocfs_inactive },
- { &vop_link_desc, (vop_t *) linprocfs_badop },
- { &vop_lookup_desc, (vop_t *) linprocfs_lookup },
- { &vop_mkdir_desc, (vop_t *) linprocfs_badop },
- { &vop_mknod_desc, (vop_t *) linprocfs_badop },
- { &vop_open_desc, (vop_t *) linprocfs_open },
- { &vop_pathconf_desc, (vop_t *) vop_stdpathconf },
- { &vop_print_desc, (vop_t *) linprocfs_print },
- { &vop_read_desc, (vop_t *) linprocfs_rw },
- { &vop_readdir_desc, (vop_t *) linprocfs_readdir },
- { &vop_readlink_desc, (vop_t *) linprocfs_readlink },
- { &vop_reclaim_desc, (vop_t *) linprocfs_reclaim },
- { &vop_remove_desc, (vop_t *) linprocfs_badop },
- { &vop_rename_desc, (vop_t *) linprocfs_badop },
- { &vop_rmdir_desc, (vop_t *) linprocfs_badop },
- { &vop_setattr_desc, (vop_t *) linprocfs_setattr },
- { &vop_symlink_desc, (vop_t *) linprocfs_badop },
- { &vop_write_desc, (vop_t *) linprocfs_rw },
- { &vop_ioctl_desc, (vop_t *) linprocfs_ioctl },
+ { &vop_default_desc, vop_defaultop },
+ { &vop_access_desc, (void *) linprocfs_access },
+ { &vop_advlock_desc, (void *) linprocfs_badop },
+ { &vop_bmap_desc, (void *) linprocfs_bmap },
+ { &vop_close_desc, (void *) linprocfs_close },
+ { &vop_create_desc, (void *) linprocfs_badop },
+ { &vop_getattr_desc, (void *) linprocfs_getattr },
+ { &vop_inactive_desc, (void *) linprocfs_inactive },
+ { &vop_link_desc, (void *) linprocfs_badop },
+ { &vop_lookup_desc, (void *) linprocfs_lookup },
+ { &vop_mkdir_desc, (void *) linprocfs_badop },
+ { &vop_mknod_desc, (void *) linprocfs_badop },
+ { &vop_open_desc, (void *) linprocfs_open },
+ { &vop_pathconf_desc, (void *) vop_stdpathconf },
+ { &vop_print_desc, (void *) linprocfs_print },
+ { &vop_read_desc, (void *) linprocfs_rw },
+ { &vop_readdir_desc, (void *) linprocfs_readdir },
+ { &vop_readlink_desc, (void *) linprocfs_readlink },
+ { &vop_reclaim_desc, (void *) linprocfs_reclaim },
+ { &vop_remove_desc, (void *) linprocfs_badop },
+ { &vop_rename_desc, (void *) linprocfs_badop },
+ { &vop_rmdir_desc, (void *) linprocfs_badop },
+ { &vop_setattr_desc, (void *) linprocfs_setattr },
+ { &vop_symlink_desc, (void *) linprocfs_badop },
+ { &vop_write_desc, (void *) linprocfs_rw },
+ { &vop_ioctl_desc, (void *) linprocfs_ioctl },
 { NULL, NULL }
 };
 static struct vnodeopv_desc linprocfs_vnodeop_opv_desc =
- { &linprocfs_vnodeop_p, linprocfs_vnodeop_entries };
+ { &linprocfs_vnode_vops, linprocfs_vnodeop_entries };
 VNODEOP_SET(linprocfs_vnodeop_opv_desc);
-- 
2.41.0
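Review bot: The blanket `(void *)` casts in `linprocfs_vnodeop_entries` switch off the compiler's check that each handler matches the slot it is stored in, and the table is now inconsistent: `vop_defaultop` is stored uncast while `vop_stdpathconf` and every `linprocfs_*` handler is cast. If the entry field is a function-pointer type (its declaration is not visible here), handlers whose signature already matches could be listed without a cast so that a mismatched one fails to compile instead of being called through the wrong type. This vop_ops migration is also unrelated to the uio_offset fix named in the commit message, and keeping it in a separate commit would make the security change easier to audit and backport.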