Commit Graph

123 Commits

Author SHA1 Message Date
joerg
e835604c26 libprop is currently using a recursive parser. While this is fine for
userland, deeply nested arrays and dictionaries can easily overflow
the kernel stack and thereby force a panic.

Fix the internalizer and prop_object_release to use a separate call
stack and alter the dictionary and array handling to not recurse on
the C stack. The default stack has an inline depth of 16 elements,
which should keep the overhead reasonable.

This issue was found by Pavel Cahyna and Jachym Holecek.

Additionally add a limit for prop_object_copyin_ioctl to prevent user
programs from temporarily allocating an unbounded amount of kernel memory.
Allow malloc to fail so that tight loops of userland processes can't
force panics by exhausting the kernel map.

Tested with the sample exploit of Jachym, his test suite and reviewed
by himself (initial patch), Christos Zoulas and Jason Thorpe.
2007-08-16 21:44:06 +00:00
thorpej
04377267cc boolean_t -> bool
TRUE -> true
FALSE -> false
2007-08-16 16:28:17 +00:00
ad
79ba10e06a lockmgr > rwlock 2007-07-29 11:25:01 +00:00
drochner
de07feb28f cast to void* to avoid a fatal warning 2007-07-18 16:58:14 +00:00
joerg
17c77a58f0 Fix SIGBUS issues on strict alignment issues. Use le32dec in RMD160
as the data pointer to RMD160_Update doesn't have to be aligned.
In SHA256_Update and SHA512_Update, only operate directly on the passed
in data if no left-over in the context exists and the data is correctly
aligned. The problem was exposed by the audit-packages rewrite in C
and reported for the libnbcompat version in PR pkg/36662.
2007-07-18 13:57:54 +00:00
joerg
22549e91c8 Consider '\r' to be white space. Discussed with and also kept as local
change by freza. With this change, DOS style line endings work.
2007-07-17 20:36:38 +00:00
joerg
39dccbf2f1 prop_array_internalize and prop_dictionary_internalize are basically the
same code. Refactor it into _prop_generic_internalize, which gets passed
the second-level tag.
2007-07-16 19:20:17 +00:00
degroote
be58d0f67a Fix the prototype of prop_dictionary_set_keysym in the DESCRIPTION part 2007-07-07 19:03:52 +00:00
scw
dba01be393 Apply the patch, with some minor tweaks, supplied in PR/36513.
This prevents a possible prefetch past the end of the source buffer.

Note that the semantics of the pld instruction mean that it is unlikely
that this would have caused any problems except in very specific
circumstances in some types of device drivers.
2007-06-21 21:37:04 +00:00
xtraeme
5386acb4ac Xref prop_dictionary_util(3) and prop_send_ioctl(3). 2007-06-21 12:02:31 +00:00
scw
5092a6592f Apply the patch supplied in PR/36512 to fix the buffer overlap check. 2007-06-20 22:31:21 +00:00
christos
a8565cf99b handle fortify, ansify. 2007-06-04 18:19:26 +00:00
christos
1418345039 Make these work with _FORTIFY_SOURCE, by overriding the fortified definitions 2007-06-03 17:39:26 +00:00
xtraeme
d4be10ac51 Typo: prop_dictionary_receive_ioctl -> prop_dictionary_recv_ioctl.
Bump date.
2007-05-10 22:15:47 +00:00
xtraeme
6af752323b It's "Copy a dictionary" not "Copy an dictionary". preempt wiz and
bump date.
2007-04-28 06:01:13 +00:00
yamt
1e244571b1 correct a section number. 2007-04-22 11:27:25 +00:00
yamt
8ad48713da correct function names. 2007-04-22 11:23:29 +00:00
scw
5764a76889 Remove support for NetBSD/{,evb}sh5. 2007-04-08 09:35:21 +00:00
matt
1c1dcb3369 Add these so kernels built -O0 will link. 2007-03-31 06:13:52 +00:00
ad
59d979c5f1 Pass an ipl argument to pool_init/POOL_INIT to be used when initializing
the pool's lock.
2007-03-12 18:18:22 +00:00
dillo
3827e4b3e7 Fix white space skipping before closing tag when padding characters
are present.

Okayed by thorpej.
2007-03-04 22:31:43 +00:00
freza
d7d800dc0c Add prop_data_size() to SYNOPSIS. 2007-02-22 22:49:29 +00:00
chs
d210472073 don't do the weak symbol thing in kernel context. 2007-02-19 18:33:09 +00:00
christos
ace49726e7 Make SHA512_Last static since it is not part of the API. Suggested by
Matthias Scheler
2007-02-18 18:13:38 +00:00
christos
5feb51ff2c make SHA512_Last weak. 2007-02-17 17:15:43 +00:00
mjf
118bbc15f5 Fix typo. 2007-02-02 19:35:59 +00:00
christos
4361f207b8 remove bogus (void)&var; from Anon Ymous 2006-12-18 00:41:54 +00:00
cube
bb54157110 Add a comment to explain how the value for uaddr is chosen. Maybe uvm_mmap
should do that instead of sys_mmap...
2006-11-28 18:36:26 +00:00
cube
00fbe2b725 In _prop_object_copyout_ioctl, uaddr was not initialised, although it is
used by uvm_mmap() as a hint for the virtual address to map memory to.  As
a consequence, it tended to fail a lot on some architectures.

We cannot use 0, so instead use the value that would have been used if we
were calling mmap(2) with 0 as the first argument.

Fixes PR#34639 by xtraeme@.
2006-11-28 18:30:47 +00:00
dyoung
e3361bb265 Add strsep(3) to libkern.
To avoid code duplication, move strsep.c to the kernel/userland
common files.

Soon I will commit source-address selection (options IPSELSRC).
It will use strsep(3).
2006-11-13 03:26:43 +00:00
he
80b96f1aa4 Add include of <sys/param.h>, to allow vax kernels to build again.
For vax, this causes <machine/macros.h> to be included and the
redefine of memset() to take effect.
2006-11-01 11:29:08 +00:00
uwe
5dd5d540a6 Simplify the __attribute__ ifdef mess now that __used does the right
thing for older gccs.
2006-10-27 22:14:13 +00:00
christos
d029b25938 restruct the include files to look like the other hash functions. 2006-10-27 21:25:21 +00:00
christos
77c9e41904 this is shared with the kernel now. 2006-10-27 21:23:15 +00:00
uwe
088af57adf Do the used/unused dance under #ifdef KERNEL too. Prevents mcount
from being optimized away when compiling sh3 kernels with profiling
enabled (gcc doesn't see that __mcount, which is written in asm,
refers to it).
2006-10-26 23:10:16 +00:00
thorpej
1aea07a325 Add prop_array_t support to prop_kern. 2006-10-26 18:51:21 +00:00
thorpej
26d4f90430 - Add prop_dictionary_all_keys(). Takes a snapshot of a dictionary's
keys and returns them in an array.  This effectively allows a caller
  to mutate a dictionary while iterating over it (really, you iterate
  over the array of keys instead of the dictionary itself).
- Add a slew of utility functions that make it more convenient (in some
  circumstances, anyway) to get/set values in a dictionary.
2006-10-26 05:02:12 +00:00
he
4df50368d1 sysconf() returns long, which isn't necessarily assignment-compatible
with size_t, as evidenced by sh5, so add an explicit cast.
2006-10-19 10:10:35 +00:00
martin
ab82117070 Backout size_t casts - lint has been fixed. 2006-10-18 19:15:46 +00:00
martin
ec465210f2 Sprinkle a few size_t casts to avoid conversion warnings. 2006-10-18 14:49:21 +00:00
martin
b6f68b3740 Add casts to appease lint. 2006-10-18 14:41:08 +00:00
thorpej
d9fd2cbcd7 Add a _PROP_ARG_UNUSED that expands to __unused on NetBSD and to nothing
everywhere else.  Use it where Christos decided to use __unused in this
code.
2006-10-16 03:21:07 +00:00
christos
227b8ed7f9 delete junk I accidentally committed. 2006-10-15 19:11:58 +00:00
christos
dc579d1dcf de-lint. 2006-10-15 19:08:48 +00:00
martin
637106d04b Make it compile with -Wextra on big endian machines (at least the #if in the
definition of struct rb_ndoe on the endianness is the only explanation I have
why nobody complained about this on i386 - I don't understand why it makes a
difference for gcc though)
2006-10-15 19:04:28 +00:00
wiz
35ca329954 Put macro argument right after macro, not in next line. 2006-10-14 07:30:16 +00:00
thorpej
3b2ca36caa Appease our stupid lint. 2006-10-12 18:52:55 +00:00
thorpej
873293facc Make prop_number_t handle both signed and unsigned numbers. The *integer*
routines now take int64_t arguments, and new *unsigned_integer* routines
take uint64_t arguments.  See prop_number(3) for complete details.
2006-10-12 04:46:56 +00:00
thorpej
b5c9ebab95 Make this compile with -Wunused and handle the case where __predict_false()
is not defined (non-NetBSD environments).
2006-10-12 04:43:20 +00:00
thorpej
4c9ab4b0a8 _prop_object_fini(): Consume all of the arguments. 2006-10-12 04:41:51 +00:00