Check validity of signal callback requested via aio routines.

Also move the insertion of the request to after the request is validated,
there's still looks like there may be some problems if an invalid address
is passed to the aio routines, basically a possible leak or having a
not completely initialized structure on the queue may still be possible.

A new sig macro was made _SIG_VALID to check the validity of a signal,
it would be advisable to use it from now on (in kern/kern_sig.c) rather
than rolling your own.

PR: kern/17152

1 files changed, 13 insertions, 2 deletions

diff --git a/sys/kern/vfs_aio.c b/sys/kern/vfs_aio.c
index 7e18d89..a695e5d 100644
--- a/sys/kern/vfs_aio.c
+++ b/sys/kern/vfs_aio.c
@@ -1237,6 +1237,11 @@ _aio_aqueue(struct proc *p, struct aiocb *job, struct aio_liojob *lj, int type)
 		zfree(aiocb_zone, aiocbe);
 		return error;
 	}
+	if (aiocbe->uaiocb.aio_sigevent.sigev_notify == SIGEV_SIGNAL &&
+		!_SIG_VALID(aiocbe->uaiocb.aio_sigevent.sigev_signo)) {
+		zfree(aiocb_zone, aiocbe);
+		return EINVAL;
+	}
 
 	/* Save userspace address of the job info. */
 	aiocbe->uuaiocb = job;
@@ -1940,7 +1945,6 @@ lio_listio(struct proc *p, struct lio_listio_args *uap)
 	lj->lioj_queue_count = 0;
 	lj->lioj_queue_finished_count = 0;
 	lj->lioj_ki = ki;
-	TAILQ_INSERT_TAIL(&ki->kaio_liojoblist, lj, lioj_list);
 
 	/*
 	 * Setup signal.
@@ -1948,13 +1952,20 @@ lio_listio(struct proc *p, struct lio_listio_args *uap)
 	if (uap->sig && (uap->mode == LIO_NOWAIT)) {
 		error = copyin(uap->sig, &lj->lioj_signal,
 			       sizeof(lj->lioj_signal));
-		if (error)
+		if (error) {
+			zfree(aiolio_zone, lj);
 			return error;
+		}
+		if (!_SIG_VALID(lj->lioj_signal.sigev_signo)) {
+			zfree(aiolio_zone, lj);
+			return EINVAL;
+		}
 		lj->lioj_flags |= LIOJ_SIGNAL;
 		lj->lioj_flags &= ~LIOJ_SIGNAL_POSTED;
 	} else
 		lj->lioj_flags &= ~LIOJ_SIGNAL;
 
+	TAILQ_INSERT_TAIL(&ki->kaio_liojoblist, lj, lioj_list);
 	/*
 	 * Get pointers to the list of I/O requests.
 	 */