Module Name: src Committed By: maxv Date: Mon Jul 1 17:15:43 UTC 2019
Modified Files: src/sys/kern: sys_lwp.c Log Message: Restrict the size given to copyoutstr. It is safer to do that, even if there is no actual bug here, since the buffer is guaranteed to be NUL terminated. With KASAN we check the whole buffer to cover the "worst" case, and here it triggered false positives because the buffer size was not filtered. To generate a diff of this commit: cvs rdiff -u -r1.67 -r1.68 src/sys/kern/sys_lwp.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/sys_lwp.c
diff -u src/sys/kern/sys_lwp.c:1.67 src/sys/kern/sys_lwp.c:1.68
--- src/sys/kern/sys_lwp.c:1.67 Fri May 3 22:34:21 2019
+++ src/sys/kern/sys_lwp.c Mon Jul 1 17:15:43 2019
@@ -1,4 +1,4 @@
-/* $NetBSD: sys_lwp.c,v 1.67 2019/05/03 22:34:21 kamil Exp $ */
+/* $NetBSD: sys_lwp.c,v 1.68 2019/07/01 17:15:43 maxv Exp $ */

 /*-
 * Copyright (c) 2001, 2006, 2007, 2008 The NetBSD Foundation, Inc.
@@ -35,7 +35,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: sys_lwp.c,v 1.67 2019/05/03 22:34:21 kamil Exp $");
+__KERNEL_RCSID(0, "$NetBSD: sys_lwp.c,v 1.68 2019/07/01 17:15:43 maxv Exp $");

 #include <sys/param.h>
 #include <sys/systm.h>
@@ -839,6 +839,7 @@ sys__lwp_getname(struct lwp *l, const st
 } */
 char name[MAXCOMLEN];
 lwpid_t target;
+ size_t len;
 proc_t *p;
 lwp_t *t;

@@ -859,7 +860,9 @@ sys__lwp_getname(struct lwp *l, const st
 lwp_unlock(t);
 mutex_exit(p->p_lock);

- return copyoutstr(name, SCARG(uap, name), SCARG(uap, len), NULL);
+ len = uimin(SCARG(uap, len), sizeof(name));
+
+ return copyoutstr(name, SCARG(uap, name), len, NULL);
 }

 int
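Review bot: In the last hunk, `uimin()` takes `unsigned int` operands (as declared in libkern, to my knowledge), so if `SCARG(uap, len)` is a `size_t`, as the new `size_t len` local suggests, it is narrowed before the comparison on LP64 ports. The result can never exceed `sizeof(name)`, so the clamp still keeps `copyoutstr` inside the stack buffer, but a caller-supplied length whose low 32 bits are zero would become `len == 0` and the call would likely fail instead of returning the name. A width-preserving form such as `len = MIN(SCARG(uap, len), sizeof(name));` avoids the narrowing, and `<sys/param.h>` is already included. A short comment such as `/* name[] is NUL-terminated; clamp the user-supplied length to the buffer size */` would record why the bound exists. The code that fills `name` lies outside the hunk, so the termination guarantee the log message relies on should be confirmed there.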