Module Name:    src
Committed By:   riastradh
Date:           Mon Aug 27 14:45:46 UTC 2018

Modified Files:
        src/sys/external/bsd/drm2/dist/drm: drm_ioctl.c

Log Message:
Zero-pad truncated drm ioctl commands on input.

This way we don't act on uninitialized stack garbage if user invokes
a drm ioctl with a short input, which, uhhh, we have been doing for a
long time.  #@^&*$!@&@#*@!

XXX pullup-7
XXX pullup-8


To generate a diff of this commit:
cvs rdiff -u -r1.7 -r1.8 src/sys/external/bsd/drm2/dist/drm/drm_ioctl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/external/bsd/drm2/dist/drm/drm_ioctl.c
diff -u src/sys/external/bsd/drm2/dist/drm/drm_ioctl.c:1.7 src/sys/external/bsd/drm2/dist/drm/drm_ioctl.c:1.8
--- src/sys/external/bsd/drm2/dist/drm/drm_ioctl.c:1.7	Mon Aug 27 07:55:06 2018
+++ src/sys/external/bsd/drm2/dist/drm/drm_ioctl.c	Mon Aug 27 14:45:45 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: drm_ioctl.c,v 1.7 2018/08/27 07:55:06 riastradh Exp $	*/
+/*	$NetBSD: drm_ioctl.c,v 1.8 2018/08/27 14:45:45 riastradh Exp $	*/
 
 /*
  * Created: Fri Jan  8 09:01:26 1999 by fa...@valinux.com
@@ -31,7 +31,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: drm_ioctl.c,v 1.7 2018/08/27 07:55:06 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: drm_ioctl.c,v 1.8 2018/08/27 14:45:45 riastradh Exp $");
 
 #include <drm/drmP.h>
 #include <drm/drm_core.h>
@@ -721,6 +721,8 @@ static const struct drm_ioctl_desc drm_i
 int
 drm_ioctl(struct file *fp, unsigned long cmd, void *data)
 {
+	char stackbuf[128];
+	char *buf = stackbuf;
 	struct drm_file *const file = fp->f_data;
 	const unsigned int nr = DRM_IOCTL_NR(cmd);
 	int error;
@@ -767,6 +769,21 @@ drm_ioctl(struct file *fp, unsigned long
 	if (error)
 		return error;
 
+	/* If userland passed in too few bytes, zero-pad them.  */
+	if (IOCPARM_LEN(cmd) < IOCPARM_LEN(ioctl->cmd)) {
+		/* 12-bit quantity, according to <sys/ioccom.h> */
+		KASSERT(IOCPARM_LEN(ioctl->cmd) <= 4096);
+		if (IOCPARM_LEN(ioctl->cmd) > sizeof stackbuf) {
+			buf = kmem_alloc(IOCPARM_LEN(ioctl->cmd), KM_NOSLEEP);
+			if (buf == NULL)
+				return ENOMEM;
+		}
+		memcpy(buf, data, IOCPARM_LEN(cmd));
+		memset(buf + IOCPARM_LEN(cmd), 0,
+		    IOCPARM_LEN(ioctl->cmd) - IOCPARM_LEN(cmd));
+		data = buf;
+	}
+
 	if ((drm_core_check_feature(dev, DRIVER_MODESET) && is_driver_ioctl) ||
 	    ISSET(ioctl->flags, DRM_UNLOCKED)) {
 		/* XXX errno Linux->NetBSD */
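Review bot: The `kmem_alloc(..., KM_NOSLEEP)` on the heap path turns a short-but-otherwise-valid ioctl (expected size over 128 bytes) into a spurious ENOMEM under memory pressure, where the same ioctl with a full-size command would succeed. If drm_ioctl is only reached from process context via sys_ioctl, as the surrounding locking suggests, there is no reason not to sleep here: `buf = kmem_alloc(IOCPARM_LEN(ioctl->cmd), KM_SLEEP);` and the NULL check can go. If there is an atomic-context caller this comment cannot see, a short why-comment on the KM_NOSLEEP choice would save the next reader the same question. The enclosing drm_ioctl starts and ends outside this hunk.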
@@ -778,6 +795,10 @@ drm_ioctl(struct file *fp, unsigned long
 		mutex_unlock(&drm_global_mutex);
 	}
 
+	/* If we had to allocate a heap buffer, free it.  */
+	if (buf != stackbuf)
+		kmem_free(buf, IOCPARM_LEN(ioctl->cmd));
+
 	return error;
 }
 #else
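Review bot: Once `data = buf` has been substituted (earlier hunk), anything the handler writes for an output ioctl lands in the temporary buffer and is discarded here at the `kmem_free` (or silently dropped with `stackbuf`), while the caller's original `data` block, which is presumably what sys_ioctl copies back out, is left untouched. Before this commit a short IOC_OUT command still got its first IOCPARM_LEN(cmd) bytes of output; after it the caller gets nothing, so the zero-padding trades stack-garbage reads for silently lost results. Keep the caller's pointer before the substitution (`void *const udata = data;` next to the other declarations) and copy the short prefix back before freeing, gated on success and IOC_OUT the same way the generic copyout is; the fix is sketched below. drm_ioctl's body starts outside this hunk.
```c
	/* … unchanged: handler call under drm_global_mutex … */

	/*
	 * If we substituted a zero-padded copy, hand the handler's output
	 * back to the caller's (short) buffer before releasing it.
	 */
	if (data == buf) {
		if (error == 0 && ISSET(cmd, IOC_OUT))
			memcpy(udata, buf, IOCPARM_LEN(cmd));
		if (buf != stackbuf)
			kmem_free(buf, IOCPARM_LEN(ioctl->cmd));
	}

	return error;
```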
