Check validity of signal callback requested via aio routines.

Also move the insertion of the request to after the request is validated, there's still looks like there may be some problems if an invalid address is passed to the aio routines, basically a possible leak or having a not completely initialized structure on the queue may still be possible. A new sig macro was made _SIG_VALID to check the validity of a signal, it would be advisable to use it from now on (in kern/kern_sig.c) rather than rolling your own. PR: kern/17152
svn path=/head/; revision=75682
2001-04-18 22:18:39 +00:00 · 2001-04-18 22:18:39 +00:00 · 2f3cf91876 · 2020-12-20 02:59:44 +00:00
commit 2f3cf91876
parent 08b0f4f908
3 changed files with 15 additions and 2 deletions
--- a/sys/kern/vfs_aio.c
+++ b/sys/kern/vfs_aio.c
@ -1237,6 +1237,11 @@ _aio_aqueue(struct proc *p, struct aiocb *job, struct aio_liojob *lj, int type)
 		zfree(aiocb_zone, aiocbe);
 		return error;
 	}
+	if (aiocbe->uaiocb.aio_sigevent.sigev_notify == SIGEV_SIGNAL &&
+		!_SIG_VALID(aiocbe->uaiocb.aio_sigevent.sigev_signo)) {
+		zfree(aiocb_zone, aiocbe);
+		return EINVAL;
+	}

 	/* Save userspace address of the job info. */
 	aiocbe->uuaiocb = job;
@ -1940,7 +1945,6 @@ lio_listio(struct proc *p, struct lio_listio_args *uap)
 	lj->lioj_queue_count = 0;
 	lj->lioj_queue_finished_count = 0;
 	lj->lioj_ki = ki;
-	TAILQ_INSERT_TAIL(&ki->kaio_liojoblist, lj, lioj_list);

 	/*
 	 * Setup signal.
@ -1948,13 +1952,20 @@ lio_listio(struct proc *p, struct lio_listio_args *uap)
 	if (uap->sig && (uap->mode == LIO_NOWAIT)) {
 		error = copyin(uap->sig, &lj->lioj_signal,
 			       sizeof(lj->lioj_signal));
-		if (error)
+		if (error) {
+			zfree(aiolio_zone, lj);
 			return error;
+		}
+		if (!_SIG_VALID(lj->lioj_signal.sigev_signo)) {
+			zfree(aiolio_zone, lj);
+			return EINVAL;
+		}
 		lj->lioj_flags |= LIOJ_SIGNAL;
 		lj->lioj_flags &= ~LIOJ_SIGNAL_POSTED;
 	} else
 		lj->lioj_flags &= ~LIOJ_SIGNAL;

+	TAILQ_INSERT_TAIL(&ki->kaio_liojoblist, lj, lioj_list);
 	/*
 	 * Get pointers to the list of I/O requests.
 	 */
--- a/sys/sys/_sigset.h
+++ b/sys/sys/_sigset.h
@ -53,6 +53,7 @@
 #define	_SIG_IDX(sig)	((sig) - 1)
 #define	_SIG_WORD(sig)	(_SIG_IDX(sig) >> 5)
 #define	_SIG_BIT(sig)	(1 << (_SIG_IDX(sig) & 31))
+#define	_SIG_VALID(sig)	((sig) < _SIG_MAXSIG && (sig) > 0)

 /*
 * System defined signals.
--- a/sys/sys/signal.h
+++ b/sys/sys/signal.h
@ -53,6 +53,7 @@
 #define	_SIG_IDX(sig)	((sig) - 1)
 #define	_SIG_WORD(sig)	(_SIG_IDX(sig) >> 5)
 #define	_SIG_BIT(sig)	(1 << (_SIG_IDX(sig) & 31))
+#define	_SIG_VALID(sig)	((sig) < _SIG_MAXSIG && (sig) > 0)

 /*
 * System defined signals.