diff options
| author | hselasky <hselasky@FreeBSD.org> | 2014-10-28 12:00:39 +0000 |
|---|---|---|
| committer | hselasky <hselasky@FreeBSD.org> | 2014-10-28 12:00:39 +0000 |
| commit | a0b8ff0c54d6b632fe766de4566cee59bd8a4898 (patch) | |
| tree | 63f2365a6dbce30caad91ca3b5ad545a2e4beb51 /sys/dev | |
| parent | 2e5eee16fd7233cfa274ee05132fe6e0e542b1e7 (diff) | |
| download | FreeBSD-src-a0b8ff0c54d6b632fe766de4566cee59bd8a4898.zip FreeBSD-src-a0b8ff0c54d6b632fe766de4566cee59bd8a4898.tar.gz | |
The SYSCTL data pointers can come from userspace and must not be
directly accessed. Although this will work on some platforms, it can
throw an exception if the pointer is invalid and then panic the kernel.
Add a missing SYSCTL_IN() of "SCTP_BASE_STATS" structure.
MFC after: 3 days
Sponsored by: Mellanox Technologies
Diffstat (limited to 'sys/dev')
| -rw-r--r-- | sys/dev/acpi_support/acpi_ibm.c | 10 | ||||
| -rw-r--r-- | sys/dev/acpica/acpi.c | 15 | ||||
| -rw-r--r-- | sys/dev/asmc/asmc.c | 28 |
3 files changed, 28 insertions, 25 deletions
diff --git a/sys/dev/acpi_support/acpi_ibm.c b/sys/dev/acpi_support/acpi_ibm.c index 3f53c59..52cee09 100644 --- a/sys/dev/acpi_support/acpi_ibm.c +++ b/sys/dev/acpi_support/acpi_ibm.c @@ -899,6 +899,7 @@ acpi_ibm_handlerevents_sysctl(SYSCTL_HANDLER_ARGS) char *cp, *ep; int l, val; unsigned int handler_events; + char temp[128]; ACPI_FUNCTION_TRACE((char *)(uintptr_t)__func__); @@ -920,17 +921,18 @@ acpi_ibm_handlerevents_sysctl(SYSCTL_HANDLER_ARGS) sbuf_trim(&sb); sbuf_finish(&sb); - - /* Copy out the old values to the user. */ - error = SYSCTL_OUT(req, sbuf_data(&sb), sbuf_len(&sb)); + strlcpy(temp, sbuf_data(&sb), sizeof(temp)); sbuf_delete(&sb); + error = sysctl_handle_string(oidp, temp, sizeof(temp), req); + + /* Check for error or no change */ if (error != 0 || req->newptr == NULL) goto out; /* If the user is setting a string, parse it. */ handler_events = 0; - cp = (char *)req->newptr; + cp = temp; while (*cp) { if (isspace(*cp)) { cp++; diff --git a/sys/dev/acpica/acpi.c b/sys/dev/acpica/acpi.c index 1389bad..71fbe32 100644 --- a/sys/dev/acpica/acpi.c +++ b/sys/dev/acpica/acpi.c @@ -3783,6 +3783,7 @@ acpi_debug_sysctl(SYSCTL_HANDLER_ARGS) int error, *dbg; struct debugtag *tag; struct sbuf sb; + char temp[128]; if (sbuf_new(&sb, NULL, 128, SBUF_AUTOEXTEND) == NULL) return (ENOMEM); @@ -3806,16 +3807,16 @@ acpi_debug_sysctl(SYSCTL_HANDLER_ARGS) } sbuf_trim(&sb); sbuf_finish(&sb); - - /* Copy out the old values to the user. */ - error = SYSCTL_OUT(req, sbuf_data(&sb), sbuf_len(&sb)); + strlcpy(temp, sbuf_data(&sb), sizeof(temp)); sbuf_delete(&sb); - /* If the user is setting a string, parse it. */ + error = sysctl_handle_string(oidp, temp, sizeof(temp), req); + + /* Check for error or no change */ if (error == 0 && req->newptr != NULL) { - *dbg = 0; - kern_setenv((char *)oidp->oid_arg1, (char *)req->newptr); - acpi_set_debugging(NULL); + *dbg = 0; + kern_setenv((char *)oidp->oid_arg1, temp); + acpi_set_debugging(NULL); } ACPI_SERIAL_END(acpi); diff --git a/sys/dev/asmc/asmc.c b/sys/dev/asmc/asmc.c index b61dedb..2c8f6af 100644 --- a/sys/dev/asmc/asmc.c +++ b/sys/dev/asmc/asmc.c @@ -1052,7 +1052,7 @@ asmc_mb_sysctl_fanminspeed(SYSCTL_HANDLER_ARGS) error = sysctl_handle_int(oidp, &v, 0, req); if (error == 0 && req->newptr != NULL) { - unsigned int newspeed = *(unsigned int *)req->newptr; + unsigned int newspeed = v; asmc_fan_setvalue(dev, ASMC_KEY_FANMINSPEED, fan, newspeed); } @@ -1071,7 +1071,7 @@ asmc_mb_sysctl_fanmaxspeed(SYSCTL_HANDLER_ARGS) error = sysctl_handle_int(oidp, &v, 0, req); if (error == 0 && req->newptr != NULL) { - unsigned int newspeed = *(unsigned int *)req->newptr; + unsigned int newspeed = v; asmc_fan_setvalue(dev, ASMC_KEY_FANMAXSPEED, fan, newspeed); } @@ -1090,7 +1090,7 @@ asmc_mb_sysctl_fantargetspeed(SYSCTL_HANDLER_ARGS) error = sysctl_handle_int(oidp, &v, 0, req); if (error == 0 && req->newptr != NULL) { - unsigned int newspeed = *(unsigned int *)req->newptr; + unsigned int newspeed = v; asmc_fan_setvalue(dev, ASMC_KEY_FANTARGETSPEED, fan, newspeed); } @@ -1283,7 +1283,7 @@ asmc_mb_sysctl_sms_z(SYSCTL_HANDLER_ARGS) asmc_sms_read(dev, ASMC_KEY_SMS_Z, &val); v = (int32_t) val; - error = sysctl_handle_int(oidp, &v, sizeof(v), req); + error = sysctl_handle_int(oidp, &v, 0, req); return (error); } @@ -1298,7 +1298,7 @@ asmc_mbp_sysctl_light_left(SYSCTL_HANDLER_ARGS) asmc_key_read(dev, ASMC_KEY_LIGHTLEFT, buf, sizeof buf); v = buf[2]; - error = sysctl_handle_int(oidp, &v, sizeof(v), req); + error = sysctl_handle_int(oidp, &v, 0, req); return (error); } @@ -1313,7 +1313,7 @@ asmc_mbp_sysctl_light_right(SYSCTL_HANDLER_ARGS) asmc_key_read(dev, ASMC_KEY_LIGHTRIGHT, buf, sizeof buf); v = buf[2]; - error = sysctl_handle_int(oidp, &v, sizeof(v), req); + error = sysctl_handle_int(oidp, &v, 0, req); return (error); } @@ -1324,19 +1324,19 @@ asmc_mbp_sysctl_light_control(SYSCTL_HANDLER_ARGS) device_t dev = (device_t) arg1; uint8_t buf[2]; int error; - unsigned int level; - static int32_t v; - - error = sysctl_handle_int(oidp, &v, sizeof(v), req); + static unsigned int level; + int v; + + v = level; + error = sysctl_handle_int(oidp, &v, 0, req); + if (error == 0 && req->newptr != NULL) { - level = *(unsigned int *)req->newptr; - if (level > 255) + if (v < 0 || v > 255) return (EINVAL); - v = level; + level = v; buf[0] = level; buf[1] = 0x00; asmc_key_write(dev, ASMC_KEY_LIGHTVALUE, buf, sizeof buf); } - return (error); } |
