Fix some security bugs in the SVR4 emulator:

- Return NULL instead of returning memory outside of the stackgap
  in stackgap_alloc() (FreeBSD-SA-00:42.linux)
- Check for stackgap_alloc() returning NULL in svr4_emul_find(),
  and clean_pipe().
- Avoid integer overflow on large nfds argument in svr4_sys_poll()
- Reject negative nbytes argument in svr4_sys_getdents()
- Don't copy out past the end of the struct componentname
  pathname buffer in svr4_sys_resolvepath()
- Reject out-of-range signal numbers in svr4_sys_sigaction(),
  svr4_sys_signal(), and svr4_sys_kill().
- Don't malloc() user-specified lengths in show_ioc() and
  show_strbuf(), place arbitrary limits instead.
- Range-check lengths in si_listen(), ti_getinfo(), ti_bind(),
  svr4_do_putmsg(), svr4_do_getmsg(), svr4_stream_ti_ioctl().

Some fixes obtain from OpenBSD.

1 files changed, 7 insertions, 0 deletions

diff --git a/sys/compat/svr4/svr4_filio.c b/sys/compat/svr4/svr4_filio.c
index 3b4467a..79b9bf4 100644
--- a/sys/compat/svr4/svr4_filio.c
+++ b/sys/compat/svr4/svr4_filio.c
@@ -40,6 +40,8 @@ __FBSDID("$FreeBSD$");
 #include <sys/poll.h>
 #include <sys/malloc.h>
 #include <sys/mutex.h>
+#include <sys/resource.h>
+#include <sys/resourcevar.h>
 
 #include <sys/sysproto.h>
 
@@ -64,6 +66,11 @@ svr4_sys_poll(td, uap)
      int idx = 0, cerr;
      u_long siz;
 
+	mtx_assert(&Giant, MA_OWNED);
+	if (uap->nfds > td->td_proc->p_rlimit[RLIMIT_NOFILE].rlim_cur &&
+	    uap->nfds > FD_SETSIZE)
+		return (EINVAL);
+
      pa.fds = uap->fds;
      pa.nfds = uap->nfds;
      pa.timeout = uap->timeout;