diff options
author | hselasky <hselasky@FreeBSD.org> | 2014-10-30 08:04:48 +0000 |
---|---|---|
committer | hselasky <hselasky@FreeBSD.org> | 2014-10-30 08:04:48 +0000 |
commit | 1d17f744c7fc351c6163d4e1a9862bef78a632d5 (patch) | |
tree | b10daf90a34256f49336c4827661577d2b1339d3 /sys/dev | |
parent | 2b4fb093044897c573e0f1cfe28d235e8c83db08 (diff) | |
download | FreeBSD-src-1d17f744c7fc351c6163d4e1a9862bef78a632d5.zip FreeBSD-src-1d17f744c7fc351c6163d4e1a9862bef78a632d5.tar.gz |
MFC r273733, r273740 and r273773:
The SYSCTL data pointers can come from userspace and must not be
directly accessed. Although this will work on some platforms, it can
throw an exception if the pointer is invalid and then panic the kernel.
Add a missing SYSCTL_IN() of "SCTP_BASE_STATS" structure.
Sponsored by: Mellanox Technologies
Diffstat (limited to 'sys/dev')
-rw-r--r-- | sys/dev/acpi_support/acpi_ibm.c | 10 | ||||
-rw-r--r-- | sys/dev/acpica/acpi.c | 11 | ||||
-rw-r--r-- | sys/dev/asmc/asmc.c | 28 |
3 files changed, 26 insertions, 23 deletions
diff --git a/sys/dev/acpi_support/acpi_ibm.c b/sys/dev/acpi_support/acpi_ibm.c index 3f53c59..52cee09 100644 --- a/sys/dev/acpi_support/acpi_ibm.c +++ b/sys/dev/acpi_support/acpi_ibm.c @@ -899,6 +899,7 @@ acpi_ibm_handlerevents_sysctl(SYSCTL_HANDLER_ARGS) char *cp, *ep; int l, val; unsigned int handler_events; + char temp[128]; ACPI_FUNCTION_TRACE((char *)(uintptr_t)__func__); @@ -920,17 +921,18 @@ acpi_ibm_handlerevents_sysctl(SYSCTL_HANDLER_ARGS) sbuf_trim(&sb); sbuf_finish(&sb); - - /* Copy out the old values to the user. */ - error = SYSCTL_OUT(req, sbuf_data(&sb), sbuf_len(&sb)); + strlcpy(temp, sbuf_data(&sb), sizeof(temp)); sbuf_delete(&sb); + error = sysctl_handle_string(oidp, temp, sizeof(temp), req); + + /* Check for error or no change */ if (error != 0 || req->newptr == NULL) goto out; /* If the user is setting a string, parse it. */ handler_events = 0; - cp = (char *)req->newptr; + cp = temp; while (*cp) { if (isspace(*cp)) { cp++; diff --git a/sys/dev/acpica/acpi.c b/sys/dev/acpica/acpi.c index 315686b..2bf04c5 100644 --- a/sys/dev/acpica/acpi.c +++ b/sys/dev/acpica/acpi.c @@ -3748,6 +3748,7 @@ acpi_debug_sysctl(SYSCTL_HANDLER_ARGS) int error, *dbg; struct debugtag *tag; struct sbuf sb; + char temp[128]; if (sbuf_new(&sb, NULL, 128, SBUF_AUTOEXTEND) == NULL) return (ENOMEM); @@ -3771,15 +3772,15 @@ acpi_debug_sysctl(SYSCTL_HANDLER_ARGS) } sbuf_trim(&sb); sbuf_finish(&sb); - - /* Copy out the old values to the user. */ - error = SYSCTL_OUT(req, sbuf_data(&sb), sbuf_len(&sb)); + strlcpy(temp, sbuf_data(&sb), sizeof(temp)); sbuf_delete(&sb); - /* If the user is setting a string, parse it. */ + error = sysctl_handle_string(oidp, temp, sizeof(temp), req); + + /* Check for error or no change */ if (error == 0 && req->newptr != NULL) { *dbg = 0; - setenv((char *)oidp->oid_arg1, (char *)req->newptr); + setenv((char *)oidp->oid_arg1, temp); acpi_set_debugging(NULL); } ACPI_SERIAL_END(acpi); diff --git a/sys/dev/asmc/asmc.c b/sys/dev/asmc/asmc.c index 5933307..5ae4b80 100644 --- a/sys/dev/asmc/asmc.c +++ b/sys/dev/asmc/asmc.c @@ -1052,7 +1052,7 @@ asmc_mb_sysctl_fanminspeed(SYSCTL_HANDLER_ARGS) error = sysctl_handle_int(oidp, &v, 0, req); if (error == 0 && req->newptr != NULL) { - unsigned int newspeed = *(unsigned int *)req->newptr; + unsigned int newspeed = v; asmc_fan_setvalue(dev, ASMC_KEY_FANMINSPEED, fan, newspeed); } @@ -1071,7 +1071,7 @@ asmc_mb_sysctl_fanmaxspeed(SYSCTL_HANDLER_ARGS) error = sysctl_handle_int(oidp, &v, 0, req); if (error == 0 && req->newptr != NULL) { - unsigned int newspeed = *(unsigned int *)req->newptr; + unsigned int newspeed = v; asmc_fan_setvalue(dev, ASMC_KEY_FANMAXSPEED, fan, newspeed); } @@ -1090,7 +1090,7 @@ asmc_mb_sysctl_fantargetspeed(SYSCTL_HANDLER_ARGS) error = sysctl_handle_int(oidp, &v, 0, req); if (error == 0 && req->newptr != NULL) { - unsigned int newspeed = *(unsigned int *)req->newptr; + unsigned int newspeed = v; asmc_fan_setvalue(dev, ASMC_KEY_FANTARGETSPEED, fan, newspeed); } @@ -1283,7 +1283,7 @@ asmc_mb_sysctl_sms_z(SYSCTL_HANDLER_ARGS) asmc_sms_read(dev, ASMC_KEY_SMS_Z, &val); v = (int32_t) val; - error = sysctl_handle_int(oidp, &v, sizeof(v), req); + error = sysctl_handle_int(oidp, &v, 0, req); return (error); } @@ -1298,7 +1298,7 @@ asmc_mbp_sysctl_light_left(SYSCTL_HANDLER_ARGS) asmc_key_read(dev, ASMC_KEY_LIGHTLEFT, buf, sizeof buf); v = buf[2]; - error = sysctl_handle_int(oidp, &v, sizeof(v), req); + error = sysctl_handle_int(oidp, &v, 0, req); return (error); } @@ -1313,7 +1313,7 @@ asmc_mbp_sysctl_light_right(SYSCTL_HANDLER_ARGS) asmc_key_read(dev, ASMC_KEY_LIGHTRIGHT, buf, sizeof buf); v = buf[2]; - error = sysctl_handle_int(oidp, &v, sizeof(v), req); + error = sysctl_handle_int(oidp, &v, 0, req); return (error); } @@ -1324,19 +1324,19 @@ asmc_mbp_sysctl_light_control(SYSCTL_HANDLER_ARGS) device_t dev = (device_t) arg1; uint8_t buf[2]; int error; - unsigned int level; - static int32_t v; - - error = sysctl_handle_int(oidp, &v, sizeof(v), req); + static unsigned int level; + int v; + + v = level; + error = sysctl_handle_int(oidp, &v, 0, req); + if (error == 0 && req->newptr != NULL) { - level = *(unsigned int *)req->newptr; - if (level > 255) + if (v < 0 || v > 255) return (EINVAL); - v = level; + level = v; buf[0] = level; buf[1] = 0x00; asmc_key_write(dev, ASMC_KEY_LIGHTVALUE, buf, sizeof buf); } - return (error); } |