From 8b7358ca435297c386e8005a77868308bb124e1d Mon Sep 17 00:00:00 2001 From: Jacques Vidrine Date: Thu, 2 Oct 2003 15:00:55 +0000 Subject: Introduce a uiomove_frombuf helper routine that handles computing and validating the offset within a given memory buffer before handing the real work off to uiomove(9). Use uiomove_frombuf in procfs to correct several issues with integer arithmetic that could result in underflows/overflows. As a side-effect, the code is significantly simplified. Add additional sanity checks when computing a memory allocation size in pfs_read. Submitted by: rwatson (original uiomove_frombuf -- bugs are mine :-) Reported by: Joost Pol (integer underflows/overflows) --- sys/kern/kern_subr.c | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) (limited to 'sys/kern/kern_subr.c') diff --git a/sys/kern/kern_subr.c b/sys/kern/kern_subr.c index 769dd1dbccb2..2de9d776b84d 100644 --- a/sys/kern/kern_subr.c +++ b/sys/kern/kern_subr.c @@ -47,6 +47,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #include #include @@ -198,6 +199,28 @@ out: return (error); } +/* + * Wrapper for uiomove() that validates the arguments against a known-good + * kernel buffer. Currently, uiomove accepts a signed (n) argument, which + * is almost definitely a bad thing, so we catch that here as well. We + * return a runtime failure, but it might be desirable to generate a runtime + * assertion failure instead. + */ +int +uiomove_frombuf(void *buf, int buflen, struct uio *uio) +{ + unsigned int offset, n; + + if (uio->uio_offset < 0 || uio->uio_resid < 0 || + (offset = uio->uio_offset) != uio->uio_offset) + return (EINVAL); + if (buflen <= 0 || offset >= buflen) + return (0); + if ((n = buflen - offset) > INT_MAX) + return (EINVAL); + return (uiomove((char *)buf + offset, n, uio)); +} + #ifdef ZERO_COPY_SOCKETS /* * Experimental support for zero-copy I/O -- cgit v1.2.3