Check validity of signal callback requested via aio routines.

Also move the insertion of the request to after the request is validated, there's still looks like there may be some problems if an invalid address is passed to the aio routines, basically a possible leak or having a not completely initialized structure on the queue may still be possible. A new sig macro was made _SIG_VALID to check the validity of a signal, it would be advisable to use it from now on (in kern/kern_sig.c) rather than rolling your own. PR: kern/17152
author: alfred <alfred@FreeBSD.org> 2001-04-18 22:18:39 +0000
committer: alfred <alfred@FreeBSD.org> 2001-04-18 22:18:39 +0000
commit: 3405c2ccfaa89a7eae96cd33fc941b60ba3f2ceb (patch)
tree: 1a78f947f681ecfa0a4ea98318a2d0311d11b38d /sys
parent: a222601bea58d10488a2942c409fda3e5890ea4c (diff)
download: FreeBSD-src-3405c2ccfaa89a7eae96cd33fc941b60ba3f2ceb.zip
FreeBSD-src-3405c2ccfaa89a7eae96cd33fc941b60ba3f2ceb.tar.gz
3 files changed, 15 insertions, 2 deletions
diff --git a/sys/kern/vfs_aio.c b/sys/kern/vfs_aio.c
index 7e18d89..a695e5d 100644
--- a/sys/kern/vfs_aio.c
+++ b/sys/kern/vfs_aio.c
@@ -1237,6 +1237,11 @@ _aio_aqueue(struct proc *p, struct aiocb *job, struct aio_liojob *lj, int type)
 		zfree(aiocb_zone, aiocbe);
 		return error;
 	}
+	if (aiocbe->uaiocb.aio_sigevent.sigev_notify == SIGEV_SIGNAL &&
+		!_SIG_VALID(aiocbe->uaiocb.aio_sigevent.sigev_signo)) {
+		zfree(aiocb_zone, aiocbe);
+		return EINVAL;
+	}
 
 	/* Save userspace address of the job info. */
 	aiocbe->uuaiocb = job;
@@ -1940,7 +1945,6 @@ lio_listio(struct proc *p, struct lio_listio_args *uap)
 	lj->lioj_queue_count = 0;
 	lj->lioj_queue_finished_count = 0;
 	lj->lioj_ki = ki;
-	TAILQ_INSERT_TAIL(&ki->kaio_liojoblist, lj, lioj_list);
 
 	/*
 	 * Setup signal.
@@ -1948,13 +1952,20 @@ lio_listio(struct proc *p, struct lio_listio_args *uap)
 	if (uap->sig && (uap->mode == LIO_NOWAIT)) {
 		error = copyin(uap->sig, &lj->lioj_signal,
 			       sizeof(lj->lioj_signal));
-		if (error)
+		if (error) {
+			zfree(aiolio_zone, lj);
 			return error;
+		}
+		if (!_SIG_VALID(lj->lioj_signal.sigev_signo)) {
+			zfree(aiolio_zone, lj);
+			return EINVAL;
+		}
 		lj->lioj_flags |= LIOJ_SIGNAL;
 		lj->lioj_flags &= ~LIOJ_SIGNAL_POSTED;
 	} else
 		lj->lioj_flags &= ~LIOJ_SIGNAL;
 
+	TAILQ_INSERT_TAIL(&ki->kaio_liojoblist, lj, lioj_list);
 	/*
 	 * Get pointers to the list of I/O requests.
 	 */
diff --git a/sys/sys/_sigset.h b/sys/sys/_sigset.h
index 95891ff..ebbc4f5 100644
--- a/sys/sys/_sigset.h
+++ b/sys/sys/_sigset.h
@@ -53,6 +53,7 @@
 #define	_SIG_IDX(sig)	((sig) - 1)
 #define	_SIG_WORD(sig)	(_SIG_IDX(sig) >> 5)
 #define	_SIG_BIT(sig)	(1 << (_SIG_IDX(sig) & 31))
+#define	_SIG_VALID(sig)	((sig) < _SIG_MAXSIG && (sig) > 0)
 
 /*
  * System defined signals.
diff --git a/sys/sys/signal.h b/sys/sys/signal.h
index 95891ff..ebbc4f5 100644
--- a/sys/sys/signal.h
+++ b/sys/sys/signal.h
@@ -53,6 +53,7 @@
 #define	_SIG_IDX(sig)	((sig) - 1)
 #define	_SIG_WORD(sig)	(_SIG_IDX(sig) >> 5)
 #define	_SIG_BIT(sig)	(1 << (_SIG_IDX(sig) & 31))
+#define	_SIG_VALID(sig)	((sig) < _SIG_MAXSIG && (sig) > 0)
 
 /*
  * System defined signals.
author	alfred <alfred@FreeBSD.org>	2001-04-18 22:18:39 +0000
committer	alfred <alfred@FreeBSD.org>	2001-04-18 22:18:39 +0000
commit	3405c2ccfaa89a7eae96cd33fc941b60ba3f2ceb (patch)
tree	1a78f947f681ecfa0a4ea98318a2d0311d11b38d /sys
parent	a222601bea58d10488a2942c409fda3e5890ea4c (diff)
download	FreeBSD-src-3405c2ccfaa89a7eae96cd33fc941b60ba3f2ceb.zip FreeBSD-src-3405c2ccfaa89a7eae96cd33fc941b60ba3f2ceb.tar.gz