Module Name: src Committed By: martin Date: Fri Aug 12 15:18:13 UTC 2022
Modified Files: src/sys/dev/raidframe [netbsd-9]: rf_disks.c rf_driver.c rf_netbsdkintf.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1500): sys/dev/raidframe/rf_driver.c: revision 1.140 (patch) sys/dev/raidframe/rf_disks.c: revision 1.93 (patch) sys/dev/raidframe/rf_netbsdkintf.c: revision 1.408 (patch) raidframe: reject invalid values for numCol and numSpares numCol and numSpares are "int" so they can be "-1" internally, which means negative values need to be rejected, as well as values higher than RF_MAXCOL/RF_MAXSPARES. explicitly nul-terminate all strings coming from userland. some minor CSE that avoids signed arith. this fixes issues in the RAIDFRAME_ADD_HOT_SPARE, RAIDFRAME_CONFIGURE, RAIDFRAME_DELETE_COMPONENT, RAIDFRAME_INCORPORATE_HOT_SPARE, and RAIDFRAME_REBUILD_IN_PLACE ioctl commands. ok oster@ riastradh@ To generate a diff of this commit: cvs rdiff -u -r1.91 -r1.91.4.1 src/sys/dev/raidframe/rf_disks.c cvs rdiff -u -r1.135 -r1.135.4.1 src/sys/dev/raidframe/rf_driver.c cvs rdiff -u -r1.376.4.2 -r1.376.4.3 src/sys/dev/raidframe/rf_netbsdkintf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/dev/raidframe/rf_disks.c diff -u src/sys/dev/raidframe/rf_disks.c:1.91 src/sys/dev/raidframe/rf_disks.c:1.91.4.1 --- src/sys/dev/raidframe/rf_disks.c:1.91 Sat Feb 9 03:34:00 2019 +++ src/sys/dev/raidframe/rf_disks.c Fri Aug 12 15:18:13 2022 @@ -1,4 +1,4 @@ -/* $NetBSD: rf_disks.c,v 1.91 2019/02/09 03:34:00 christos Exp $ */ +/* $NetBSD: rf_disks.c,v 1.91.4.1 2022/08/12 15:18:13 martin Exp $ */ /*- * Copyright (c) 1999 The NetBSD Foundation, Inc. * All rights reserved. @@ -60,7 +60,7 @@ ***************************************************************/ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: rf_disks.c,v 1.91 2019/02/09 03:34:00 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: rf_disks.c,v 1.91.4.1 2022/08/12 15:18:13 martin Exp $"); #include <dev/raidframe/raidframevar.h> @@ -318,11 +318,12 @@ static int rf_AllocDiskStructures(RF_Raid_t *raidPtr, RF_Config_t *cfgPtr) { int ret; + size_t entries = raidPtr->numCol + RF_MAXSPARE; /* We allocate RF_MAXSPARE on the first row so that we have room to do hot-swapping of spares */ - raidPtr->Disks = RF_MallocAndAdd((raidPtr->numCol + RF_MAXSPARE) * - sizeof(*raidPtr->Disks), raidPtr->cleanupList); + raidPtr->Disks = RF_MallocAndAdd( + entries * sizeof(*raidPtr->Disks), raidPtr->cleanupList); if (raidPtr->Disks == NULL) { ret = ENOMEM; goto fail; @@ -330,9 +331,7 @@ rf_AllocDiskStructures(RF_Raid_t *raidPt /* get space for device specific stuff.. */ raidPtr->raid_cinfo = RF_MallocAndAdd( - (raidPtr->numCol + RF_MAXSPARE) * sizeof(*raidPtr->raid_cinfo), - raidPtr->cleanupList); - + entries * sizeof(*raidPtr->raid_cinfo), raidPtr->cleanupList); if (raidPtr->raid_cinfo == NULL) { ret = ENOMEM; goto fail; 
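Review bot: In rf_AllocDiskStructures() (rf_disks.c), `size_t entries = raidPtr->numCol + RF_MAXSPARE;` adds in int and only then converts, so a sufficiently negative numCol would become a very large element count rather than an error. Nothing in the visible part of the function checks the range, so both allocations depend on the validation this commit adds in rf_construct(). I would record that precondition next to the declaration, for example `/* numCol was range-checked by the caller: 0 <= numCol < RF_MAXCOL */`, or assert it locally. The function continues outside the hunk (the `fail:` label is not shown).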
@@ -607,7 +606,8 @@ rf_ConfigureDisk(RF_Raid_t *raidPtr, cha error = dk_lookup(pb, curlwp, &vp); pathbuf_destroy(pb); if (error) { - printf("dk_lookup on device: %s failed!\n", diskPtr->devname); + printf("dk_lookup on device: '%s' failed: %d\n", + diskPtr->devname, error); if (error == ENXIO) { /* the component isn't there... must be dead :-( */ diskPtr->status = rf_ds_failed; Index: src/sys/dev/raidframe/rf_driver.c diff -u src/sys/dev/raidframe/rf_driver.c:1.135 src/sys/dev/raidframe/rf_driver.c:1.135.4.1 --- src/sys/dev/raidframe/rf_driver.c:1.135 Sat Feb 9 03:34:00 2019 +++ src/sys/dev/raidframe/rf_driver.c Fri Aug 12 15:18:13 2022 @@ -1,4 +1,4 @@ -/* $NetBSD: rf_driver.c,v 1.135 2019/02/09 03:34:00 christos Exp $ */ +/* $NetBSD: rf_driver.c,v 1.135.4.1 2022/08/12 15:18:13 martin Exp $ */ /*- * Copyright (c) 1999 The NetBSD Foundation, Inc. * All rights reserved. @@ -66,7 +66,7 @@ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: rf_driver.c,v 1.135 2019/02/09 03:34:00 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: rf_driver.c,v 1.135.4.1 2022/08/12 15:18:13 martin Exp $"); #ifdef _KERNEL_OPT #include "opt_raid_diagnostic.h" @@ -350,6 +350,11 @@ rf_Configure(RF_Raid_t *raidPtr, RF_Conf (void (*) (void *)) rf_FreeAllocList, raidPtr->cleanupList); + KASSERT(cfgPtr->numCol < RF_MAXCOL); + KASSERT(cfgPtr->numCol >= 0); + KASSERT(cfgPtr->numSpare < RF_MAXSPARE); + KASSERT(cfgPtr->numSpare >= 0); + raidPtr->numCol = cfgPtr->numCol; raidPtr->numSpare = cfgPtr->numSpare; Index: src/sys/dev/raidframe/rf_netbsdkintf.c diff -u src/sys/dev/raidframe/rf_netbsdkintf.c:1.376.4.2 src/sys/dev/raidframe/rf_netbsdkintf.c:1.376.4.3 --- src/sys/dev/raidframe/rf_netbsdkintf.c:1.376.4.2 Wed Aug 3 10:55:45 2022 +++ src/sys/dev/raidframe/rf_netbsdkintf.c Fri Aug 12 15:18:13 2022 
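Review bot: The four `KASSERT` lines added to rf_Configure() (rf_driver.c) are compiled only into DIAGNOSTIC kernels, so in other builds `raidPtr->numCol = cfgPtr->numCol;` still takes the values unchecked. The runtime rejection with EINVAL lives in rf_construct(). Whether every other caller of rf_Configure() passes through an equivalent check cannot be seen from this diff and is worth confirming. At minimum, a comment above the assertions would make the contract explicit, such as `/* Callers must reject out-of-range numCol/numSpare; these asserts only document that contract. */`. rf_Configure() starts and ends outside the hunk.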
@@ -1,4 +1,4 @@ -/* $NetBSD: rf_netbsdkintf.c,v 1.376.4.2 2022/08/03 10:55:45 martin Exp $ */ +/* $NetBSD: rf_netbsdkintf.c,v 1.376.4.3 2022/08/12 15:18:13 martin Exp $ */ /*- * Copyright (c) 1996, 1997, 1998, 2008-2011 The NetBSD Foundation, Inc. @@ -101,7 +101,7 @@ ***********************************************************/ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: rf_netbsdkintf.c,v 1.376.4.2 2022/08/03 10:55:45 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: rf_netbsdkintf.c,v 1.376.4.3 2022/08/12 15:18:13 martin Exp $"); #ifdef _KERNEL_OPT #include "opt_raid_autoconfig.h" @@ -1179,7 +1179,7 @@ rf_getConfiguration(struct raid_softc *r int rf_construct(struct raid_softc *rs, RF_Config_t *k_cfg) { - int retcode; + int retcode, i; RF_Raid_t *raidPtr = &rs->sc_r; rs->sc_flags &= ~RAIDF_SHUTDOWN; @@ -1190,6 +1190,29 @@ rf_construct(struct raid_softc *rs, RF_C /* should do some kind of sanity check on the configuration. * Store the sum of all the bytes in the last byte? */ + /* Force nul-termination on all strings. */ +#define ZERO_FINAL(s) do { s[sizeof(s) - 1] = '\0'; } while (0) + for (i = 0; i < RF_MAXCOL; i++) { + ZERO_FINAL(k_cfg->devnames[0][i]); + } + for (i = 0; i < RF_MAXSPARE; i++) { + ZERO_FINAL(k_cfg->spare_names[i]); + } + for (i = 0; i < RF_MAXDBGV; i++) { + ZERO_FINAL(k_cfg->debugVars[i]); + } +#undef ZERO_FINAL + + /* Check some basic limits. */ + if (k_cfg->numCol >= RF_MAXCOL || k_cfg->numCol < 0) { + retcode = EINVAL; + goto out; + } + if (k_cfg->numSpare >= RF_MAXSPARE || k_cfg->numSpare < 0) { + retcode = EINVAL; + goto out; + } + /* configure the system */ /* 
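Review bot: In rf_construct() (rf_netbsdkintf.c) the termination loop touches only `k_cfg->devnames[0][i]`, so if devnames has more than one row, the other rows stay exactly as userland supplied them. If those rows are never read, a comment such as `/* only row 0 of devnames is used */` would record why they are skipped; otherwise the loop should cover them as well. Separately, `k_cfg->numCol >= RF_MAXCOL` also rejects a count equal to RF_MAXCOL, while the log message speaks of values higher than the maximum; a short comment saying the stricter bound is intended would help. The `out` label targeted by the new `goto out;` lines is outside the hunk.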
@@ -1390,6 +1413,18 @@ rf_check_recon_status(RF_Raid_t *raidPtr return 0; } +/* + * Copy a RF_SingleComponent_t from 'data', ensuring nul-termination + * on the component_name[] array. + */ +static void +rf_copy_single_component(RF_SingleComponent_t *component, void *data) +{ + + memcpy(component, data, sizeof *component); + component->component_name[sizeof(component->component_name) - 1] = '\0'; +} + static int raidioctl(dev_t dev, u_long cmd, void *data, int flag, struct lwp *l) { @@ -1405,7 +1440,6 @@ raidioctl(dev_t dev, u_long cmd, void *d int retcode = 0; int column; RF_ComponentLabel_t *clabel; - RF_SingleComponent_t *sparePtr,*componentPtr; int d; if ((rs = raidget(unit, false)) == NULL) @@ -1494,21 +1528,18 @@ raidioctl(dev_t dev, u_long cmd, void *d rf_RewriteParityThread, raidPtr,"raid_parity"); case RAIDFRAME_ADD_HOT_SPARE: - sparePtr = (RF_SingleComponent_t *) data; - memcpy(&component, sparePtr, sizeof(RF_SingleComponent_t)); + rf_copy_single_component(&component, data); return rf_add_hot_spare(raidPtr, &component); case RAIDFRAME_REMOVE_HOT_SPARE: return retcode; case RAIDFRAME_DELETE_COMPONENT: - componentPtr = (RF_SingleComponent_t *)data; - memcpy(&component, componentPtr, sizeof(RF_SingleComponent_t)); + rf_copy_single_component(&component, data); return rf_delete_component(raidPtr, &component); case RAIDFRAME_INCORPORATE_HOT_SPARE: - componentPtr = (RF_SingleComponent_t *)data; - memcpy(&component, componentPtr, sizeof(RF_SingleComponent_t)); + rf_copy_single_component(&component, data); return rf_incorporate_hot_spare(raidPtr, &component); case RAIDFRAME_REBUILD_IN_PLACE:
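Review bot: rf_copy_single_component() (rf_netbsdkintf.c) only reads through `data`, so the parameter can be const-qualified: `rf_copy_single_component(RF_SingleComponent_t *component, const void *data)`. The header comment could also say that only component_name[] is sanitised here and the remaining members are copied as supplied. That tells readers of the three ioctl cases that any range checks on those members must happen in rf_add_hot_spare(), rf_delete_component() and rf_incorporate_hot_spare(). The RAIDFRAME_REBUILD_IN_PLACE case named in the log message begins on the last line of the final hunk, and its body is not visible here.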