diff options
| author | John-Mark Gurney <jmg@FreeBSD.org> | 1997-03-01 23:53:46 +0000 |
|---|---|---|
| committer | John-Mark Gurney <jmg@FreeBSD.org> | 1997-03-01 23:53:46 +0000 |
| commit | 5ec8909366335d7e45ca65efecc18d9a2e39c613 (patch) | |
| tree | e35e8f8d0c31aea027179d6a24704e9bef4f43ef | |
| parent | 43470e3be89b3f6572d3e1cdf25198afe18901f7 (diff) | |
| download | src-5ec8909366335d7e45ca65efecc18d9a2e39c613.tar.gz src-5ec8909366335d7e45ca65efecc18d9a2e39c613.zip | |
make sure that the user supplied signals in struct vt_mode are actually
valid signals, else return EINVAL for ioctl VT_SETMODE.
this fixes a problem that anybody with vty access can panic the system.
2.2-Candidate (and 2.1.0 I believe)
Reviewed-by: sos
Notes
Notes:
svn path=/head/; revision=23248
| -rw-r--r-- | sys/dev/syscons/syscons.c | 26 | ||||
| -rw-r--r-- | sys/i386/isa/syscons.c | 26 | ||||
| -rw-r--r-- | sys/isa/syscons.c | 26 |
3 files changed, 54 insertions, 24 deletions
diff --git a/sys/dev/syscons/syscons.c b/sys/dev/syscons/syscons.c index 94b650d06d13..4db4f9aa5c0f 100644 --- a/sys/dev/syscons/syscons.c +++ b/sys/dev/syscons/syscons.c @@ -25,7 +25,7 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * - * $Id: syscons.c,v 1.203 1997/02/28 08:42:35 yokota Exp $ + * $Id: syscons.c,v 1.204 1997/02/28 14:26:34 bde Exp $ */ #include "sc.h" @@ -168,6 +168,7 @@ static const int nsccons = MAXCONS+2; #define WRAPHIST(scp, pointer, offset)\ ((scp->history) + ((((pointer) - (scp->history)) + (scp->history_size)\ + (offset)) % (scp->history_size))) +#define ISSIGVALID(sig) ((sig) > 0 && (sig) < NSIG) /* prototypes */ static int scattach(struct isa_device *dev); @@ -794,7 +795,7 @@ scioctl(dev_t dev, int cmd, caddr_t data, int flag, struct proc *p) switch (mouse->operation) { case MOUSE_MODE: - if (mouse->u.mode.signal > 0 && mouse->u.mode.signal < NSIG) { + if (ISSIGVALID(mouse->u.mode.signal)) { scp->mouse_signal = mouse->u.mode.signal; scp->mouse_proc = p; scp->mouse_pid = p->p_pid; @@ -1026,12 +1027,21 @@ scioctl(dev_t dev, int cmd, caddr_t data, int flag, struct proc *p) return 0; case VT_SETMODE: /* set screen switcher mode */ - bcopy(data, &scp->smode, sizeof(struct vt_mode)); - if (scp->smode.mode == VT_PROCESS) { - scp->proc = p; - scp->pid = scp->proc->p_pid; - } - return 0; + { + struct vt_mode *mode; + + mode = (struct vt_mode *)data; + if (ISSIGVALID(mode->relsig) && ISSIGVALID(mode->acqsig) && + ISSIGVALID(mode->frsig)) { + bcopy(data, &scp->smode, sizeof(struct vt_mode)); + if (scp->smode.mode == VT_PROCESS) { + scp->proc = p; + scp->pid = scp->proc->p_pid; + } + return 0; + } else + return EINVAL; + } case VT_GETMODE: /* get screen switcher mode */ bcopy(&scp->smode, data, sizeof(struct vt_mode)); diff --git a/sys/i386/isa/syscons.c b/sys/i386/isa/syscons.c index 94b650d06d13..4db4f9aa5c0f 100644 --- a/sys/i386/isa/syscons.c +++ b/sys/i386/isa/syscons.c @@ -25,7 +25,7 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * - * $Id: syscons.c,v 1.203 1997/02/28 08:42:35 yokota Exp $ + * $Id: syscons.c,v 1.204 1997/02/28 14:26:34 bde Exp $ */ #include "sc.h" @@ -168,6 +168,7 @@ static const int nsccons = MAXCONS+2; #define WRAPHIST(scp, pointer, offset)\ ((scp->history) + ((((pointer) - (scp->history)) + (scp->history_size)\ + (offset)) % (scp->history_size))) +#define ISSIGVALID(sig) ((sig) > 0 && (sig) < NSIG) /* prototypes */ static int scattach(struct isa_device *dev); @@ -794,7 +795,7 @@ scioctl(dev_t dev, int cmd, caddr_t data, int flag, struct proc *p) switch (mouse->operation) { case MOUSE_MODE: - if (mouse->u.mode.signal > 0 && mouse->u.mode.signal < NSIG) { + if (ISSIGVALID(mouse->u.mode.signal)) { scp->mouse_signal = mouse->u.mode.signal; scp->mouse_proc = p; scp->mouse_pid = p->p_pid; @@ -1026,12 +1027,21 @@ scioctl(dev_t dev, int cmd, caddr_t data, int flag, struct proc *p) return 0; case VT_SETMODE: /* set screen switcher mode */ - bcopy(data, &scp->smode, sizeof(struct vt_mode)); - if (scp->smode.mode == VT_PROCESS) { - scp->proc = p; - scp->pid = scp->proc->p_pid; - } - return 0; + { + struct vt_mode *mode; + + mode = (struct vt_mode *)data; + if (ISSIGVALID(mode->relsig) && ISSIGVALID(mode->acqsig) && + ISSIGVALID(mode->frsig)) { + bcopy(data, &scp->smode, sizeof(struct vt_mode)); + if (scp->smode.mode == VT_PROCESS) { + scp->proc = p; + scp->pid = scp->proc->p_pid; + } + return 0; + } else + return EINVAL; + } case VT_GETMODE: /* get screen switcher mode */ bcopy(&scp->smode, data, sizeof(struct vt_mode)); diff --git a/sys/isa/syscons.c b/sys/isa/syscons.c index 94b650d06d13..4db4f9aa5c0f 100644 --- a/sys/isa/syscons.c +++ b/sys/isa/syscons.c @@ -25,7 +25,7 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * - * $Id: syscons.c,v 1.203 1997/02/28 08:42:35 yokota Exp $ + * $Id: syscons.c,v 1.204 1997/02/28 14:26:34 bde Exp $ */ #include "sc.h" @@ -168,6 +168,7 @@ static const int nsccons = MAXCONS+2; #define WRAPHIST(scp, pointer, offset)\ ((scp->history) + ((((pointer) - (scp->history)) + (scp->history_size)\ + (offset)) % (scp->history_size))) +#define ISSIGVALID(sig) ((sig) > 0 && (sig) < NSIG) /* prototypes */ static int scattach(struct isa_device *dev); @@ -794,7 +795,7 @@ scioctl(dev_t dev, int cmd, caddr_t data, int flag, struct proc *p) switch (mouse->operation) { case MOUSE_MODE: - if (mouse->u.mode.signal > 0 && mouse->u.mode.signal < NSIG) { + if (ISSIGVALID(mouse->u.mode.signal)) { scp->mouse_signal = mouse->u.mode.signal; scp->mouse_proc = p; scp->mouse_pid = p->p_pid; @@ -1026,12 +1027,21 @@ scioctl(dev_t dev, int cmd, caddr_t data, int flag, struct proc *p) return 0; case VT_SETMODE: /* set screen switcher mode */ - bcopy(data, &scp->smode, sizeof(struct vt_mode)); - if (scp->smode.mode == VT_PROCESS) { - scp->proc = p; - scp->pid = scp->proc->p_pid; - } - return 0; + { + struct vt_mode *mode; + + mode = (struct vt_mode *)data; + if (ISSIGVALID(mode->relsig) && ISSIGVALID(mode->acqsig) && + ISSIGVALID(mode->frsig)) { + bcopy(data, &scp->smode, sizeof(struct vt_mode)); + if (scp->smode.mode == VT_PROCESS) { + scp->proc = p; + scp->pid = scp->proc->p_pid; + } + return 0; + } else + return EINVAL; + } case VT_GETMODE: /* get screen switcher mode */ bcopy(&scp->smode, data, sizeof(struct vt_mode)); |