Implement bounds checking in some places in display driver code to avoid

the possibility of a local user panic.
2007-07-28 20:28:56 +00:00 · 2007-07-28 20:28:56 +00:00 · 05619021ad
parent bd8009e530
commit 05619021ad
7 changed files with 57 additions and 18 deletions
--- a/sys/dev/ic/pcdisplay_subr.c
+++ b/sys/dev/ic/pcdisplay_subr.c
@ -1,4 +1,4 @@
-/* $NetBSD: pcdisplay_subr.c,v 1.32 2006/04/15 17:48:23 jmmv Exp $ */
+/* $NetBSD: pcdisplay_subr.c,v 1.33 2007/07/28 20:28:56 mjf Exp $ */

 /*
 * Copyright (c) 1995, 1996 Carnegie-Mellon University.
@ -28,7 +28,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: pcdisplay_subr.c,v 1.32 2006/04/15 17:48:23 jmmv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: pcdisplay_subr.c,v 1.33 2007/07/28 20:28:56 mjf Exp $");

 #include "opt_wsmsgattrs.h" /* for WSDISPLAY_CUSTOM_OUTPUT */

@ -157,10 +157,14 @@ pcdisplay_putchar(void *id, int row, int col, unsigned int c, long attr)
 	struct pcdisplayscreen *scr = id;
 	bus_space_tag_t memt = scr->hdl->ph_memt;
 	bus_space_handle_t memh = scr->hdl->ph_memh;
-	int off;
+	size_t off;

 	off = row * scr->type->ncols + col;

+	/* check for bogus row and column sizes */
+	if (__predict_false(off >= (scr->type->ncols * scr->type->nrows)))
+		return;
+
 	if (scr->active)
 		bus_space_write_2(memt, memh, scr->dispoffset + off * 2,
 				  c | (attr << 8));
@ -293,7 +297,7 @@ pcdisplay_replaceattr(void *id, long oldattr, long newattr)
 int
 pcdisplay_getwschar(struct pcdisplayscreen *scr, struct wsdisplay_char *wschar)
 {
-	int off;
+	size_t off;
 	uint16_t chardata;
 	uint8_t attrbyte;

@ -323,7 +327,7 @@ pcdisplay_getwschar(struct pcdisplayscreen *scr, struct wsdisplay_char *wschar)
 int
 pcdisplay_putwschar(struct pcdisplayscreen *scr, struct wsdisplay_char *wschar)
 {
-	int off;
+	size_t off;
 	uint16_t chardata;
 	uint8_t attrbyte;

--- a/sys/dev/ic/vga.c
+++ b/sys/dev/ic/vga.c
@ -1,4 +1,4 @@
-/* $NetBSD: vga.c,v 1.94 2007/07/19 22:24:06 dsl Exp $ */
+/* $NetBSD: vga.c,v 1.95 2007/07/28 20:28:56 mjf Exp $ */

 /*
 * Copyright (c) 1995, 1996 Carnegie-Mellon University.
@ -28,7 +28,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: vga.c,v 1.94 2007/07/19 22:24:06 dsl Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vga.c,v 1.95 2007/07/28 20:28:56 mjf Exp $");

 /* for WSCONS_SUPPORT_PCVTFONTS */
 #include "opt_wsdisplay_compat.h"
@ -1104,6 +1104,10 @@ vga_allocattr(void *id, int fg, int bg, int flags, long *attrp)
 	struct vgascreen *scr = id;
 	struct vga_config *vc = scr->cfg;

+	if (__predict_false((unsigned int)fg >= sizeof(fgansitopc) || 
+	    (unsigned int)bg >= sizeof(bgansitopc)))
+		return (EINVAL);
+
 	if (vc->hdl.vh_mono) {
 		if (flags & WSATTR_WSCOLORS)
 			return (EINVAL);
--- a/sys/dev/ic/vga_raster.c
+++ b/sys/dev/ic/vga_raster.c
@ -1,4 +1,4 @@
-/*	$NetBSD: vga_raster.c,v 1.28 2007/07/09 21:00:40 ad Exp $	*/
+/*	$NetBSD: vga_raster.c,v 1.29 2007/07/28 20:28:57 mjf Exp $	*/

 /*
 * Copyright (c) 2001, 2002 Bang Jun-Young
@ -56,7 +56,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: vga_raster.c,v 1.28 2007/07/09 21:00:40 ad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vga_raster.c,v 1.29 2007/07/28 20:28:57 mjf Exp $");

 #include "opt_wsmsgattrs.h" /* for WSDISPLAY_CUSTOM_OUTPUT */

@ -1118,12 +1118,15 @@ void
 vga_raster_putchar(void *id, int row, int col, u_int c, long attr)
 {
 	struct vgascreen *scr = id;
-	int off;
+	size_t off;
 	struct vga_raster_font *fs;
 	u_int tmp_ch;

 	off = row * scr->type->ncols + col;

+	if (__predict_false(off >= (scr->type->ncols * scr->type->nrows)))
+		return;
+
 	LIST_FOREACH(fs, &scr->fontset, next) {
 		if ((scr->encoding == fs->font->encoding) &&
 		    (c >= fs->font->firstchar) &&
@ -1394,6 +1397,10 @@ vga_raster_allocattr(void *id, int fg, int bg, int flags, long *attrp)
 	struct vgascreen *scr = id;
 	struct vga_config *vc = scr->cfg;

+	if (__predict_false((unsigned int)fg >= sizeof(fgansitopc) || 
+	    (unsigned int)bg >= sizeof(bgansitopc)))
+	    	return (EINVAL);
+
 	if (vc->hdl.vh_mono) {
 		if (flags & WSATTR_WSCOLORS)
 			return (EINVAL);
--- a/sys/dev/isa/ega.c
+++ b/sys/dev/isa/ega.c
@ -1,4 +1,4 @@
-/* $NetBSD: ega.c,v 1.22 2007/07/09 21:00:49 ad Exp $ */
+/* $NetBSD: ega.c,v 1.23 2007/07/28 20:28:57 mjf Exp $ */

 /*
 * Copyright (c) 1999
@ -27,7 +27,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ega.c,v 1.22 2007/07/09 21:00:49 ad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ega.c,v 1.23 2007/07/28 20:28:57 mjf Exp $");

 #include <sys/param.h>
 #include <sys/systm.h>
@ -851,6 +851,10 @@ ega_allocattr(id, fg, bg, flags, attrp)
 	struct egascreen *scr = id;
 	struct ega_config *vc = scr->cfg;

+	if (__predict_false((unsigned int)fg >= sizeof(fgansitopc) ||
+	    (unsigned int)bg >= sizeof(bgansitopc)))
+		return (EINVAL);
+
 	if (vc->hdl.vh_mono) {
 		if (flags & WSATTR_WSCOLORS)
 			return (EINVAL);
--- a/sys/dev/pci/chipsfb.c
+++ b/sys/dev/pci/chipsfb.c
@ -1,4 +1,4 @@
-/*	$NetBSD: chipsfb.c,v 1.9 2007/03/04 06:02:17 christos Exp $	*/
+/*	$NetBSD: chipsfb.c,v 1.10 2007/07/28 20:28:57 mjf Exp $	*/

 /*
 * Copyright (c) 2006 Michael Lorenz
@ -33,7 +33,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: chipsfb.c,v 1.9 2007/03/04 06:02:17 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: chipsfb.c,v 1.10 2007/07/28 20:28:57 mjf Exp $");

 #include <sys/param.h>
 #include <sys/systm.h>
@ -685,6 +685,10 @@ chipsfb_putchar(void *cookie, int row, int col, u_int c, long attr)
 	struct vcons_screen *scr = ri->ri_hw;
 	struct chipsfb_softc *sc = scr->scr_cookie;

+	if (__predict_false((unsigned int)row > ri->ri_rows ||
+	    (unsigned int)col > ri->ri_cols))
+		return;
+
 	if (sc->sc_mode == WSDISPLAYIO_MODE_EMUL) {
 		uint8_t *data;
 		int fg, bg, uc;
--- a/sys/dev/rasops/rasops.c
+++ b/sys/dev/rasops/rasops.c
@ -1,4 +1,4 @@
-/*	 $NetBSD: rasops.c,v 1.55 2007/02/02 02:10:24 ober Exp $	*/
+/*	 $NetBSD: rasops.c,v 1.56 2007/07/28 20:28:57 mjf Exp $	*/

 /*-
 * Copyright (c) 1999 The NetBSD Foundation, Inc.
@ -37,7 +37,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: rasops.c,v 1.55 2007/02/02 02:10:24 ober Exp $");
+__KERNEL_RCSID(0, "$NetBSD: rasops.c,v 1.56 2007/07/28 20:28:57 mjf Exp $");

 #include "opt_rasops.h"
 #include "rasops_glue.h"
@ -437,6 +437,10 @@ rasops_allocattr_color(void *cookie, int fg, int bg, int flg,
 {
 	int swap;

+	if (__predict_false((unsigned int)fg >= sizeof(rasops_isgray) ||
+	    (unsigned int)bg >= sizeof(rasops_isgray)))
+		return (EINVAL);
+
 #ifdef RASOPS_CLIPPING
 	fg &= 7;
 	bg &= 7;
@ -1257,6 +1261,14 @@ rasops_putchar_rotated(cookie, row, col, uc, attr)

 	ri = (struct rasops_info *)cookie;

+	if (__predict_false((unsigned int)row > ri->ri_rows ||
+	    (unsigned int)col > ri->ri_cols))
+		return;
+
+	/* Avoid underflow */
+	if ((ri->ri_rows - row - 1) < 0)
+		return;
+
 	/* Do rotated char sans (side)underline */
 	ri->ri_real_ops.putchar(cookie, col, ri->ri_rows - row - 1, uc,
 	    attr & ~1);
--- a/sys/dev/wscons/wsdisplay_vcons.c
+++ b/sys/dev/wscons/wsdisplay_vcons.c
@ -1,4 +1,4 @@
-/*	$NetBSD: wsdisplay_vcons.c,v 1.11 2007/07/09 21:01:26 ad Exp $ */
+/*	$NetBSD: wsdisplay_vcons.c,v 1.12 2007/07/28 20:28:57 mjf Exp $ */

 /*-
 * Copyright (c) 2005, 2006 Michael Lorenz
@ -34,7 +34,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: wsdisplay_vcons.c,v 1.11 2007/07/09 21:01:26 ad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: wsdisplay_vcons.c,v 1.12 2007/07/28 20:28:57 mjf Exp $");

 #include <sys/param.h>
 #include <sys/systm.h>
@ -663,6 +663,10 @@ vcons_putwschar(struct vcons_screen *scr, struct wsdisplay_char *wsc)

 	KASSERT(scr != NULL && wsc != NULL);

+	if (__predict_false((unsigned int)wsc->col > ri->ri_cols ||
+	    (unsigned int)wsc->row > ri->ri_rows))
+			return (EINVAL);
+
 	ri = &scr->scr_ri;
 	
 	ri->ri_ops.allocattr(ri, wsc->foreground, wsc->background,