Module Name:    src
Committed By:   martin
Date:           Fri Aug 12 15:18:13 UTC 2022

Modified Files:
        src/sys/dev/raidframe [netbsd-9]: rf_disks.c rf_driver.c
            rf_netbsdkintf.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1500):

        sys/dev/raidframe/rf_driver.c: revision 1.140 (patch)
        sys/dev/raidframe/rf_disks.c: revision 1.93 (patch)
        sys/dev/raidframe/rf_netbsdkintf.c: revision 1.408 (patch)

raidframe: reject invalid values for numCol and numSpares

numCol and numSpare are "int" so they can be "-1" internally,
which means negative values need to be rejected, as well as
values higher than RF_MAXCOL/RF_MAXSPARE.
Explicitly nul-terminate all strings coming from userland.

some minor CSE that avoids signed arith.

this fixes issues in the RAIDFRAME_ADD_HOT_SPARE,
RAIDFRAME_CONFIGURE, RAIDFRAME_DELETE_COMPONENT,
RAIDFRAME_INCORPORATE_HOT_SPARE, and RAIDFRAME_REBUILD_IN_PLACE
ioctl commands.

ok oster@ riastradh@


To generate a diff of this commit:
cvs rdiff -u -r1.91 -r1.91.4.1 src/sys/dev/raidframe/rf_disks.c
cvs rdiff -u -r1.135 -r1.135.4.1 src/sys/dev/raidframe/rf_driver.c
cvs rdiff -u -r1.376.4.2 -r1.376.4.3 src/sys/dev/raidframe/rf_netbsdkintf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/raidframe/rf_disks.c
diff -u src/sys/dev/raidframe/rf_disks.c:1.91 src/sys/dev/raidframe/rf_disks.c:1.91.4.1
--- src/sys/dev/raidframe/rf_disks.c:1.91	Sat Feb  9 03:34:00 2019
+++ src/sys/dev/raidframe/rf_disks.c	Fri Aug 12 15:18:13 2022
@@ -1,4 +1,4 @@
-/*	$NetBSD: rf_disks.c,v 1.91 2019/02/09 03:34:00 christos Exp $	*/
+/*	$NetBSD: rf_disks.c,v 1.91.4.1 2022/08/12 15:18:13 martin Exp $	*/
 /*-
  * Copyright (c) 1999 The NetBSD Foundation, Inc.
  * All rights reserved.
@@ -60,7 +60,7 @@
  ***************************************************************/
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: rf_disks.c,v 1.91 2019/02/09 03:34:00 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: rf_disks.c,v 1.91.4.1 2022/08/12 15:18:13 martin Exp $");
 
 #include <dev/raidframe/raidframevar.h>
 
@@ -318,11 +318,12 @@ static int
 rf_AllocDiskStructures(RF_Raid_t *raidPtr, RF_Config_t *cfgPtr)
 {
 	int ret;
+	size_t entries = raidPtr->numCol + RF_MAXSPARE;
 
 	/* We allocate RF_MAXSPARE on the first row so that we
 	   have room to do hot-swapping of spares */
-	raidPtr->Disks = RF_MallocAndAdd((raidPtr->numCol + RF_MAXSPARE) *
-	    sizeof(*raidPtr->Disks), raidPtr->cleanupList);
+	raidPtr->Disks = RF_MallocAndAdd(
+	    entries * sizeof(*raidPtr->Disks), raidPtr->cleanupList);
 	if (raidPtr->Disks == NULL) {
 		ret = ENOMEM;
 		goto fail;
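Review bot: The sum in `size_t entries = raidPtr->numCol + RF_MAXSPARE;` is still evaluated in signed int (assuming RF_MAXSPARE is a plain integer constant) and only then converted, so a sufficiently negative numCol would become a very large size_t instead of being caught here. Nothing in the visible part of rf_AllocDiskStructures checks the range, so the function depends on its callers having validated numCol. A comment above the declaration would record that, e.g. `/* numCol was range-checked by the caller, so the sum cannot be negative */`. The same `entries` value sizes the raid_cinfo allocation in the next hunk (@@ -330,9 +331,7 @@), and the function body continues outside both hunks.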
@@ -330,9 +331,7 @@ rf_AllocDiskStructures(RF_Raid_t *raidPt
 
 	/* get space for device specific stuff.. */
 	raidPtr->raid_cinfo = RF_MallocAndAdd(
-	    (raidPtr->numCol + RF_MAXSPARE) * sizeof(*raidPtr->raid_cinfo),
-	    raidPtr->cleanupList);
-
+	    entries * sizeof(*raidPtr->raid_cinfo), raidPtr->cleanupList);
 	if (raidPtr->raid_cinfo == NULL) {
 		ret = ENOMEM;
 		goto fail;
@@ -607,7 +606,8 @@ rf_ConfigureDisk(RF_Raid_t *raidPtr, cha
 	error = dk_lookup(pb, curlwp, &vp);
 	pathbuf_destroy(pb);
 	if (error) {
-		printf("dk_lookup on device: %s failed!\n", diskPtr->devname);
+		printf("dk_lookup on device: '%s' failed: %d\n",
+		    diskPtr->devname, error);
 		if (error == ENXIO) {
 			/* the component isn't there... must be dead :-( */
 			diskPtr->status = rf_ds_failed;

Index: src/sys/dev/raidframe/rf_driver.c
diff -u src/sys/dev/raidframe/rf_driver.c:1.135 src/sys/dev/raidframe/rf_driver.c:1.135.4.1
--- src/sys/dev/raidframe/rf_driver.c:1.135	Sat Feb  9 03:34:00 2019
+++ src/sys/dev/raidframe/rf_driver.c	Fri Aug 12 15:18:13 2022
@@ -1,4 +1,4 @@
-/*	$NetBSD: rf_driver.c,v 1.135 2019/02/09 03:34:00 christos Exp $	*/
+/*	$NetBSD: rf_driver.c,v 1.135.4.1 2022/08/12 15:18:13 martin Exp $	*/
 /*-
  * Copyright (c) 1999 The NetBSD Foundation, Inc.
  * All rights reserved.
@@ -66,7 +66,7 @@
 
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: rf_driver.c,v 1.135 2019/02/09 03:34:00 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: rf_driver.c,v 1.135.4.1 2022/08/12 15:18:13 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_raid_diagnostic.h"
@@ -350,6 +350,11 @@ rf_Configure(RF_Raid_t *raidPtr, RF_Conf
 			  (void (*) (void *)) rf_FreeAllocList,
 			  raidPtr->cleanupList);
 
+	KASSERT(cfgPtr->numCol < RF_MAXCOL);
+	KASSERT(cfgPtr->numCol >= 0);
+	KASSERT(cfgPtr->numSpare < RF_MAXSPARE);
+	KASSERT(cfgPtr->numSpare >= 0);
+
 	raidPtr->numCol = cfgPtr->numCol;
 	raidPtr->numSpare = cfgPtr->numSpare;
 
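Review bot: The four `KASSERT`s are the only range check rf_Configure itself makes before copying numCol and numSpare into raidPtr, and KASSERT is compiled in only on DIAGNOSTIC kernels, where a violation panics rather than returning an error. That is sufficient for the ioctl path if it always passes through the new EINVAL checks in rf_construct, but any other caller of rf_Configure (none is visible in this diff) would be unchecked on a release kernel. I would add a comment above them, e.g. `/* Callers must have range-checked numCol/numSpare; these only catch a missed path on DIAGNOSTIC kernels. */`, or have such callers do the same EINVAL check. The rest of rf_Configure is outside the hunk.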

Index: src/sys/dev/raidframe/rf_netbsdkintf.c
diff -u src/sys/dev/raidframe/rf_netbsdkintf.c:1.376.4.2 src/sys/dev/raidframe/rf_netbsdkintf.c:1.376.4.3
--- src/sys/dev/raidframe/rf_netbsdkintf.c:1.376.4.2	Wed Aug  3 10:55:45 2022
+++ src/sys/dev/raidframe/rf_netbsdkintf.c	Fri Aug 12 15:18:13 2022
@@ -1,4 +1,4 @@
-/*	$NetBSD: rf_netbsdkintf.c,v 1.376.4.2 2022/08/03 10:55:45 martin Exp $	*/
+/*	$NetBSD: rf_netbsdkintf.c,v 1.376.4.3 2022/08/12 15:18:13 martin Exp $	*/
 
 /*-
  * Copyright (c) 1996, 1997, 1998, 2008-2011 The NetBSD Foundation, Inc.
@@ -101,7 +101,7 @@
  ***********************************************************/
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: rf_netbsdkintf.c,v 1.376.4.2 2022/08/03 10:55:45 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: rf_netbsdkintf.c,v 1.376.4.3 2022/08/12 15:18:13 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_raid_autoconfig.h"
@@ -1179,7 +1179,7 @@ rf_getConfiguration(struct raid_softc *r
 int
 rf_construct(struct raid_softc *rs, RF_Config_t *k_cfg)
 {
-	int retcode;
+	int retcode, i;
 	RF_Raid_t *raidPtr = &rs->sc_r;
 
 	rs->sc_flags &= ~RAIDF_SHUTDOWN;
@@ -1190,6 +1190,29 @@ rf_construct(struct raid_softc *rs, RF_C
 	/* should do some kind of sanity check on the configuration.
 	 * Store the sum of all the bytes in the last byte? */
 
+	/* Force nul-termination on all strings. */
+#define ZERO_FINAL(s)	do { s[sizeof(s) - 1] = '\0'; } while (0)
+	for (i = 0; i < RF_MAXCOL; i++) {
+		ZERO_FINAL(k_cfg->devnames[0][i]);
+	}
+	for (i = 0; i < RF_MAXSPARE; i++) {
+		ZERO_FINAL(k_cfg->spare_names[i]);
+	}
+	for (i = 0; i < RF_MAXDBGV; i++) {
+		ZERO_FINAL(k_cfg->debugVars[i]);
+	}
+#undef ZERO_FINAL
+
+	/* Check some basic limits. */
+	if (k_cfg->numCol >= RF_MAXCOL || k_cfg->numCol < 0) {
+		retcode = EINVAL;
+		goto out;
+	}
+	if (k_cfg->numSpare >= RF_MAXSPARE || k_cfg->numSpare < 0) {
+		retcode = EINVAL;
+		goto out;
+	}
+
 	/* configure the system */
 
 	/*
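Review bot: The limit checks use `>=`, so numCol == RF_MAXCOL and numSpare == RF_MAXSPARE are rejected, whereas the log message only speaks of values higher than the maxima. If the exclusive bound is intended, the comment should say so, e.g. `/* Check some basic limits; the maxima themselves are rejected too. */`, so that a later reader does not relax it by mistake. Separately, the first loop terminates only `k_cfg->devnames[0][i]`; if devnames has further rows that any code still reads (the declaration is not visible here), those stay exactly as userland supplied them. The `out` label and the rest of rf_construct are outside the hunk.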
@@ -1390,6 +1413,18 @@ rf_check_recon_status(RF_Raid_t *raidPtr
 	return 0;
 }
 
+/*
+ * Copy a RF_SingleComponent_t from 'data', ensuring nul-termination
+ * on the component_name[] array.
+ */
+static void
+rf_copy_single_component(RF_SingleComponent_t *component, void *data)
+{
+
+	memcpy(component, data, sizeof *component);
+	component->component_name[sizeof(component->component_name) - 1] = '\0';
+}
+
 static int
 raidioctl(dev_t dev, u_long cmd, void *data, int flag, struct lwp *l)
 {
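Review bot: rf_copy_single_component silently truncates a component_name that arrives without a terminator, so the later lookup would run on a name the caller did not supply instead of failing the request. Consider returning int and rejecting that input, e.g. `if (strnlen(component->component_name, sizeof(component->component_name)) == sizeof(component->component_name)) return EINVAL;`, with the callers in raidioctl passing the error back. If truncation is the intended behaviour, the header comment should state it. Since `data` is only read, the parameter could also be declared `const void *data`.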
@@ -1405,7 +1440,6 @@ raidioctl(dev_t dev, u_long cmd, void *d
 	int retcode = 0;
 	int column;
 	RF_ComponentLabel_t *clabel;
-	RF_SingleComponent_t *sparePtr,*componentPtr;
 	int d;
 
 	if ((rs = raidget(unit, false)) == NULL)
@@ -1494,21 +1528,18 @@ raidioctl(dev_t dev, u_long cmd, void *d
 		    rf_RewriteParityThread, raidPtr,"raid_parity");
 
 	case RAIDFRAME_ADD_HOT_SPARE:
-		sparePtr = (RF_SingleComponent_t *) data;
-		memcpy(&component, sparePtr, sizeof(RF_SingleComponent_t));
+		rf_copy_single_component(&component, data);
 		return rf_add_hot_spare(raidPtr, &component);
 
 	case RAIDFRAME_REMOVE_HOT_SPARE:
 		return retcode;
 
 	case RAIDFRAME_DELETE_COMPONENT:
-		componentPtr = (RF_SingleComponent_t *)data;
-		memcpy(&component, componentPtr, sizeof(RF_SingleComponent_t));
+		rf_copy_single_component(&component, data);
 		return rf_delete_component(raidPtr, &component);
 
 	case RAIDFRAME_INCORPORATE_HOT_SPARE:
-		componentPtr = (RF_SingleComponent_t *)data;
-		memcpy(&component, componentPtr, sizeof(RF_SingleComponent_t));
+		rf_copy_single_component(&component, data);
 		return rf_incorporate_hot_spare(raidPtr, &component);
 
 	case RAIDFRAME_REBUILD_IN_PLACE:
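Review bot: RAIDFRAME_REBUILD_IN_PLACE is listed in the log message among the fixed ioctls, but its case is only trailing context here and no line of it changes in this diff. Its handling lies outside the hunk, so this page cannot confirm that the RF_SingleComponent_t it receives gets the same forced termination as the three cases converted above. It is worth checking that its copy also goes through `rf_copy_single_component(&component, data);`, or stating in the log which of the changes covers it. raidioctl starts and ends outside this hunk.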
