Module Name:    src
Committed By:   msaitoh
Date:           Fri Apr 24 05:45:48 UTC 2015

Modified Files:
        src/sys/kern [netbsd-5]: sys_select.c

Log Message:
Pull up following revision(s) (requested by prlw1 in ticket #1957):

sys/kern/sys_select.c                           patch

        Limit nfds arg to poll() to a large enough value that user programs
        cannot allocate indefinite sized blocks of kvm. If the limit is
        exceeded, then return EINVAL instead of silently truncating the list.
        Addresses PR/17507.


To generate a diff of this commit:
cvs rdiff -u -r1.10 -r1.10.4.1 src/sys/kern/sys_select.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/sys_select.c
diff -u src/sys/kern/sys_select.c:1.10 src/sys/kern/sys_select.c:1.10.4.1
--- src/sys/kern/sys_select.c:1.10	Wed Oct 15 08:13:17 2008
+++ src/sys/kern/sys_select.c	Fri Apr 24 05:45:48 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: sys_select.c,v 1.10 2008/10/15 08:13:17 ad Exp $	*/
+/*	$NetBSD: sys_select.c,v 1.10.4.1 2015/04/24 05:45:48 msaitoh Exp $	*/
 
 /*-
  * Copyright (c) 2007, 2008 The NetBSD Foundation, Inc.
@@ -70,7 +70,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: sys_select.c,v 1.10 2008/10/15 08:13:17 ad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: sys_select.c,v 1.10.4.1 2015/04/24 05:45:48 msaitoh Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -432,9 +432,17 @@ pollcommon(lwp_t *l, register_t *retval,
 	struct timeval	sleeptv;
 	selcpu_t	*sc;
 
-	if (nfds > p->p_fd->fd_nfiles) {
-		/* forgiving; slightly wrong */
-		nfds = p->p_fd->fd_nfiles;
+	if (nfds > 1000 + p->p_fd->fd_nfiles) {
+		/*      
+		 * Either the user passed in a very sparse 'fds' or junk!
+		 * The kmem_alloc() call below would be bad news.
+		 * We could process the 'fds' array in chunks, but that
+		 * is a lot of code that isn't normally useful.
+		 * (Or just move the copyin/out into pollscan().)
+		 * Historically the code silently truncated 'fds' to
+		 * dt_nfiles entries - but that does cause issues.
+		 */
+		return EINVAL;
 	}
 	ni = nfds * sizeof(struct pollfd);
 	if (ni > sizeof(smallbits)) {
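Review bot: The new comment block refers to `dt_nfiles` while the check it explains reads `p->p_fd->fd_nfiles`; on this branch the last sentence should read `* Historically the code silently truncated 'fds' to fd_nfiles entries - but that does cause issues.` so the comment matches the field the code actually consults. The 1000-entry slack above fd_nfiles is an unnamed magic number; a named constant (e.g. a file-scope `POLL_NFDS_SLACK`-style enum, name as the project prefers) or a one-line comment such as `/* slack of 1000 over fd_nfiles so a sparse fds array is still accepted */` would record why that value was chosen. The opening `/*` line of the new comment also carries trailing whitespace. pollcommon begins and ends outside this hunk, so whether fd_nfiles can change between this check and the kmem_alloc() it guards cannot be judged from here.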
