Module Name: src Committed By: snj Date: Thu Jun 15 06:02:58 UTC 2017
Modified Files: src/sys/arch/ews4800mips/sbd [netbsd-6-1]: fb_sbdio.c src/sys/arch/pmax/ibus [netbsd-6-1]: pm.c src/sys/dev/hpc [netbsd-6-1]: bivideo.c src/sys/dev/ic [netbsd-6-1]: sti.c Log Message: Pull up following revision(s) (requested by spz in ticket #1456): sys/arch/ews4800mips/sbd/fb_sbdio.c: revision 1.16 sys/arch/pmax/ibus/pm.c: revision 1.13 sys/dev/hpc/bivideo.c: revision 1.34 sys/dev/ic/sti.c: revision 1.19 correct size checks so they cannot be circumvented by integer overflows reported by CTurt, thanks for the notification To generate a diff of this commit: cvs rdiff -u -r1.12 -r1.12.16.1 src/sys/arch/ews4800mips/sbd/fb_sbdio.c cvs rdiff -u -r1.11 -r1.11.16.1 src/sys/arch/pmax/ibus/pm.c cvs rdiff -u -r1.32 -r1.32.22.1 src/sys/dev/hpc/bivideo.c cvs rdiff -u -r1.16 -r1.16.22.1 src/sys/dev/ic/sti.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/arch/ews4800mips/sbd/fb_sbdio.c diff -u src/sys/arch/ews4800mips/sbd/fb_sbdio.c:1.12 src/sys/arch/ews4800mips/sbd/fb_sbdio.c:1.12.16.1 --- src/sys/arch/ews4800mips/sbd/fb_sbdio.c:1.12 Wed Jan 11 21:17:33 2012 +++ src/sys/arch/ews4800mips/sbd/fb_sbdio.c Thu Jun 15 06:02:57 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: fb_sbdio.c,v 1.12 2012/01/11 21:17:33 macallan Exp $ */ +/* $NetBSD: fb_sbdio.c,v 1.12.16.1 2017/06/15 06:02:57 snj Exp $ */ /*- * Copyright (c) 2004, 2005 The NetBSD Foundation, Inc. @@ -32,7 +32,7 @@ #define WIRED_FB_TLB #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: fb_sbdio.c,v 1.12 2012/01/11 21:17:33 macallan Exp $"); +__KERNEL_RCSID(0, "$NetBSD: fb_sbdio.c,v 1.12.16.1 2017/06/15 06:02:57 snj Exp $"); #include <sys/param.h> #include <sys/systm.h> @@ -304,6 +304,8 @@ _fb_ioctl(void *v, void *vs, u_long cmd, if (ri->ri_flg == RI_FORCEMONO) break; ga_clut_get(ga); + if (cmap->index >= 256 || cmap->count > 256 - cmap->index) + return (EINVAL); for (i = 0; i < cmap->count; i++) { cmap->red[i] = ga->clut[cmap->index + i][0]; cmap->green[i] = ga->clut[cmap->index + i][1]; @@ -314,6 +316,8 @@ _fb_ioctl(void *v, void *vs, u_long cmd, case WSDISPLAYIO_PUTCMAP: if (ri->ri_flg == RI_FORCEMONO) break; + if (cmap->index >= 256 || cmap->count > 256 - cmap->index) + return (EINVAL); for (i = 0; i < cmap->count; i++) { ga->clut[cmap->index + i][0] = cmap->red[i]; ga->clut[cmap->index + i][1] = cmap->green[i]; Index: src/sys/arch/pmax/ibus/pm.c diff -u src/sys/arch/pmax/ibus/pm.c:1.11 src/sys/arch/pmax/ibus/pm.c:1.11.16.1 --- src/sys/arch/pmax/ibus/pm.c:1.11 Wed Jan 11 21:17:33 2012 +++ src/sys/arch/pmax/ibus/pm.c Thu Jun 15 06:02:57 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: pm.c,v 1.11 2012/01/11 21:17:33 macallan Exp $ */ +/* $NetBSD: pm.c,v 1.11.16.1 2017/06/15 06:02:57 snj Exp $ */ /*- * Copyright (c) 2002, 2003 The NetBSD Foundation, Inc. 
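Review bot: In fb_sbdio.c, both colormap loops in _fb_ioctl still dereference `cmap->red[i]`, `cmap->green[i]` and `cmap->blue[i]` directly, so the added range check only bounds the `ga->clut` side of each assignment. Those members are pointers supplied by the ioctl caller (the pm.c and sti.c hunks of this same commit go through copyout()/copyin() for them), so the address is never validated and a fault on it is not handled. I would stage each component in a local and copy it across, e.g. `u_char c = ga->clut[cmap->index + i][0];` then `if ((error = copyout(&c, &cmap->red[i], 1)) != 0) return error;`, with copyin() in the WSDISPLAYIO_PUTCMAP loop. In the GETCMAP hunk the check could also move above `ga_clut_get(ga)` so that an invalid request is rejected before the hardware is read. The body of _fb_ioctl starts and ends outside both hunks, so the `error` local is assumed.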
@@ -30,7 +30,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: pm.c,v 1.11 2012/01/11 21:17:33 macallan Exp $"); +__KERNEL_RCSID(0, "$NetBSD: pm.c,v 1.11.16.1 2017/06/15 06:02:57 snj Exp $"); #include <sys/param.h> #include <sys/buf.h> @@ -668,7 +668,7 @@ pm_get_cmap(struct pm_softc *sc, struct index = p->index; count = p->count; - if (index >= sc->sc_cmap_size || (index + count) > sc->sc_cmap_size) + if (index >= sc->sc_cmap_size || count > sc->sc_cmap_size - index) return (EINVAL); if ((rv = copyout(&sc->sc_cmap.r[index], p->red, count)) != 0) @@ -687,7 +687,7 @@ pm_set_cmap(struct pm_softc *sc, struct index = p->index; count = p->count; - if (index >= sc->sc_cmap_size || (index + count) > sc->sc_cmap_size) + if (index >= sc->sc_cmap_size || count > sc->sc_cmap_size - index) return (EINVAL); if ((rv = copyin(p->red, &sc->sc_cmap.r[index], count)) != 0) Index: src/sys/dev/hpc/bivideo.c diff -u src/sys/dev/hpc/bivideo.c:1.32 src/sys/dev/hpc/bivideo.c:1.32.22.1 --- src/sys/dev/hpc/bivideo.c:1.32 Sat Nov 13 13:51:58 2010 +++ src/sys/dev/hpc/bivideo.c Thu Jun 15 06:02:57 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: bivideo.c,v 1.32 2010/11/13 13:51:58 uebayasi Exp $ */ +/* $NetBSD: bivideo.c,v 1.32.22.1 2017/06/15 06:02:57 snj Exp $ */ /*- * Copyright (c) 1999-2001 @@ -35,7 +35,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: bivideo.c,v 1.32 2010/11/13 13:51:58 uebayasi Exp $"); +__KERNEL_RCSID(0, "$NetBSD: bivideo.c,v 1.32.22.1 2017/06/15 06:02:57 snj Exp $"); #ifdef _KERNEL_OPT #include "opt_hpcfb.h" 
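Review bot: In pm.c, the rewritten test `count > sc->sc_cmap_size - index` in pm_get_cmap and pm_set_cmap is only sound if the comparison is carried out in an unsigned type, and the declarations of `index`, `count` and `sc_cmap_size` are outside the hunks. If all three are signed int, a negative `count` passes the check and is then converted to a very large length in copyout()/copyin(). The same applies to `idx` and `count` in the two sti.c hunks. I would confirm the locals are `u_int` and add a comment above each check such as `/* index < size was checked first, so size - index cannot wrap */`, since the second clause depends on the first having been evaluated.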
@@ -403,8 +403,8 @@ bivideo_ioctl(void *v, u_long cmd, void if (sc->sc_fbconf.hf_class != HPCFB_CLASS_INDEXCOLOR || sc->sc_fbconf.hf_pack_width != 8 || - 256 <= cmap->index || - 256 < (cmap->index + cmap->count)) + cmap->index >= 256 || + cmap->count > 256 - cmap->index) return (EINVAL); error = copyout(&bivideo_cmap_r[cmap->index], cmap->red, Index: src/sys/dev/ic/sti.c diff -u src/sys/dev/ic/sti.c:1.16 src/sys/dev/ic/sti.c:1.16.22.1 --- src/sys/dev/ic/sti.c:1.16 Mon Jul 11 02:30:49 2011 +++ src/sys/dev/ic/sti.c Thu Jun 15 06:02:58 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: sti.c,v 1.16 2011/07/11 02:30:49 matt Exp $ */ +/* $NetBSD: sti.c,v 1.16.22.1 2017/06/15 06:02:58 snj Exp $ */ /* $OpenBSD: sti.c,v 1.61 2009/09/05 14:09:35 miod Exp $ */ @@ -35,7 +35,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: sti.c,v 1.16 2011/07/11 02:30:49 matt Exp $"); +__KERNEL_RCSID(0, "$NetBSD: sti.c,v 1.16.22.1 2017/06/15 06:02:58 snj Exp $"); #include "wsdisplay.h" @@ -1025,7 +1025,7 @@ sti_ioctl(void *v, void *vs, u_long cmd, cmapp = (struct wsdisplay_cmap *)data; idx = cmapp->index; count = cmapp->count; - if (idx >= STI_NCMAP || idx + count > STI_NCMAP) + if (idx >= STI_NCMAP || count > STI_NCMAP - idx) return EINVAL; if ((ret = copyout(&scr->scr_rcmap[idx], cmapp->red, count))) break; @@ -1041,7 +1041,7 @@ sti_ioctl(void *v, void *vs, u_long cmd, cmapp = (struct wsdisplay_cmap *)data; idx = cmapp->index; count = cmapp->count; - if (idx >= STI_NCMAP || idx + count > STI_NCMAP) + if (idx >= STI_NCMAP || count > STI_NCMAP - idx) return EINVAL; if ((ret = copyin(cmapp->red, &scr->scr_rcmap[idx], count))) break;
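Review bot: In the WSDISPLAYIO_PUTCMAP hunk of sti.c, `copyin(cmapp->red, &scr->scr_rcmap[idx], count)` writes straight into the screen's stored colormap, so a fault on a later channel would leave it partly updated while the ioctl reports an error. The green and blue copies are outside the hunk, so this is inferred from the red one; pm_set_cmap in pm.c follows the same pattern with `sc->sc_cmap.r`. Copying the channels into local buffers of STI_NCMAP entries first, and committing them to `scr` only once every copyin() has succeeded, would keep the state consistent. Separately, the range failure uses `return EINVAL` where the neighbouring error paths `break` with `ret` set; if anything after the switch has to run on error, `ret = EINVAL; break;` would be the consistent form.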