Module Name: src Committed By: msaitoh Date: Fri Apr 24 05:46:33 UTC 2015
Modified Files: src/sys/kern [netbsd-5-1]: sys_select.c Log Message: Pull up following revision(s) (requested by prlw1 in ticket #1957): sys/kern/sys_select.c patch Limit nfds arg to poll() to a large enough value that user programs cannot allocate indefinite sized blocks of kvm. If the limit is exceeded, then return EINVAL instead of silently truncating the list. Addresses PR/17507. [prlw1, ticket #1957] To generate a diff of this commit: cvs rdiff -u -r1.10 -r1.10.10.1 src/sys/kern/sys_select.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/kern/sys_select.c diff -u src/sys/kern/sys_select.c:1.10 src/sys/kern/sys_select.c:1.10.10.1 --- src/sys/kern/sys_select.c:1.10 Wed Oct 15 08:13:17 2008 +++ src/sys/kern/sys_select.c Fri Apr 24 05:46:33 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: sys_select.c,v 1.10 2008/10/15 08:13:17 ad Exp $ */ +/* $NetBSD: sys_select.c,v 1.10.10.1 2015/04/24 05:46:33 msaitoh Exp $ */ /*- * Copyright (c) 2007, 2008 The NetBSD Foundation, Inc. @@ -70,7 +70,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: sys_select.c,v 1.10 2008/10/15 08:13:17 ad Exp $"); +__KERNEL_RCSID(0, "$NetBSD: sys_select.c,v 1.10.10.1 2015/04/24 05:46:33 msaitoh Exp $"); #include <sys/param.h> #include <sys/systm.h> @@ -432,9 +432,17 @@ pollcommon(lwp_t *l, register_t *retval, struct timeval sleeptv; selcpu_t *sc; - if (nfds > p->p_fd->fd_nfiles) { - /* forgiving; slightly wrong */ - nfds = p->p_fd->fd_nfiles; + if (nfds > 1000 + p->p_fd->fd_nfiles) { + /* + * Either the user passed in a very sparse 'fds' or junk! + * The kmem_alloc() call below would be bad news. + * We could process the 'fds' array in chunks, but that + * is a lot of code that isn't normally useful. + * (Or just move the copyin/out into pollscan().) + * Historically the code silently truncated 'fds' to + * dt_nfiles entries - but that does cause issues. + */ + return EINVAL; } ni = nfds * sizeof(struct pollfd); if (ni > sizeof(smallbits)) {
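Review bot: The bound in `if (nfds > 1000 + p->p_fd->fd_nfiles)` uses a bare `1000` as the slack over the open-file table size, and within this hunk it is the only check between the caller-supplied `nfds` and the size computed by `ni = nfds * sizeof(struct pollfd)`. The constant deserves a name and a one-line rationale, for example `#define POLL_NFDS_SLACK 1000 /* pollfd entries tolerated beyond fd_nfiles */`, so the allocation ceiling is visible and adjustable in one place. The added comment also says the old code truncated to `dt_nfiles` entries, while the code on this branch reads `fd_nfiles`; the name presumably came along with the pulled-up revision, and the comment should say `fd_nfiles` here. The `kmem_alloc()` call the comment refers to and the start and end of `pollcommon` are outside the hunk, so whether another path reaches the allocation with an unchecked `nfds` cannot be confirmed from these lines.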