freebsd-skq/sys/libkern/iconv.c


/*-
* SPDX-License-Identifier: BSD-2-Clause-FreeBSD
*
* Copyright (c) 2000-2001 Boris Popov
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/kernel.h>
#include <sys/iconv.h>
#include <sys/malloc.h>
#include <sys/mount.h>
#include <sys/sx.h>
#include <sys/syslog.h>
#include "iconv_converter_if.h"
/* sysctl subtree kern.iconv; the drvlist, cslist and add handlers below hang off it. */
SYSCTL_DECL(_kern_iconv);
SYSCTL_NODE(_kern, OID_AUTO, iconv, CTLFLAG_RW, NULL, "kernel iconv interface");
/* M_ICONV backs the struct iconv_cspair allocations made in iconv_register_cspair(). */
MALLOC_DEFINE(M_ICONV, "iconv", "ICONV structures");
/* M_ICONVDATA backs the cp_data blob that iconv_sysctl_add() copies in from userland. */
static MALLOC_DEFINE(M_ICONVDATA, "iconv_data", "ICONV data");
MODULE_VERSION(libiconv, 2);
/*
 * Taken by the module handlers and by the sysctl handlers in this file.
 * iconv_open() and iconv_add() walk the same lists without taking it.
 */
static struct sx iconv_lock;
#ifdef notnow
/*
* iconv converter instance
*/
struct iconv_converter {
KOBJ_FIELDS;
void * c_data;
};
#endif
struct sysctl_oid *iconv_oid_hook = &sysctl___kern_iconv;
/*
* List of loaded converters
*/
static TAILQ_HEAD(iconv_converter_list, iconv_converter_class)
iconv_converters = TAILQ_HEAD_INITIALIZER(iconv_converters);
/*
* List of supported/loaded charsets pairs
*/
static TAILQ_HEAD(, iconv_cspair)
iconv_cslist = TAILQ_HEAD_INITIALIZER(iconv_cslist);
/* Next cp_id handed out by iconv_register_cspair(); post-incremented on each registration. */
static int iconv_csid = 1;
static char iconv_unicode_string[] = "unicode"; /* save eight bytes when possible */
/* Forward declaration: iconv_mod_unload() uses it before the definition. */
static void iconv_unregister_cspair(struct iconv_cspair *csp);
/*
 * Tear the module down.  Refuses with EBUSY while any registered charset
 * pair still has a non-zero cp_refcount; otherwise unregisters every pair
 * and destroys iconv_lock.
 */
static int
iconv_mod_unload(void)
{
	struct iconv_cspair *pair;
	int busy = 0;

	sx_xlock(&iconv_lock);
	TAILQ_FOREACH(pair, &iconv_cslist, cp_link) {
		if (pair->cp_refcount != 0) {
			busy = 1;
			break;
		}
	}
	if (busy) {
		sx_xunlock(&iconv_lock);
		return (EBUSY);
	}
	/* Each unregister unlinks the head, so re-read the first entry. */
	for (;;) {
		pair = TAILQ_FIRST(&iconv_cslist);
		if (pair == NULL)
			break;
		iconv_unregister_cspair(pair);
	}
	sx_xunlock(&iconv_lock);
	sx_destroy(&iconv_lock);
	return (0);
}
/*
 * Module event handler for the iconv core: MOD_LOAD initialises
 * iconv_lock, MOD_UNLOAD defers to iconv_mod_unload(), and any other
 * event type is rejected with EINVAL.
 */
static int
iconv_mod_handler(module_t mod, int type, void *data)
{
	if (type == MOD_LOAD) {
		sx_init(&iconv_lock, "iconv");
		return (0);
	}
	if (type == MOD_UNLOAD)
		return (iconv_mod_unload());
	return (EINVAL);
}
/*
 * Module description for the iconv core; events are delivered to
 * iconv_mod_handler() with no private data pointer.
 */
static moduledata_t iconv_mod = {
"iconv", iconv_mod_handler, NULL
};
DECLARE_MODULE(iconv, iconv_mod, SI_SUB_DRIVERS, SI_ORDER_SECOND);
/*
 * Compile the converter's kobj class, take a reference on it and append
 * it to iconv_converters.  Always returns 0.
 *
 * Takes no lock itself; iconv_converter_handler() calls it with
 * iconv_lock held exclusively.
 */
static int
iconv_register_converter(struct iconv_converter_class *dcp)
{
	struct kobj_class *cls = (struct kobj_class *)dcp;

	kobj_class_compile(cls);
	dcp->refs += 1;
	TAILQ_INSERT_TAIL(&iconv_converters, dcp, cc_link);
	return (0);
}
/*
 * Drop one reference on a converter class.  If more than one reference
 * remains afterwards the class stays registered and EBUSY is returned;
 * otherwise it is unlinked from iconv_converters and its kobj class is
 * freed.
 *
 * NOTE(review): the reference is dropped before the busy check and is
 * not restored on the EBUSY path, so a refused unload still lowers
 * dcp->refs -- confirm this is intended.
 */
static int
iconv_unregister_converter(struct iconv_converter_class *dcp)
{
	dcp->refs -= 1;
	if (dcp->refs <= 1) {
		TAILQ_REMOVE(&iconv_converters, dcp, cc_link);
		kobj_class_free((struct kobj_class *)dcp);
		return (0);
	}
	ICDEBUG("converter has %d references left\n", dcp->refs);
	return (EBUSY);
}
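/*
 * Find a registered converter class by exact (case-sensitive) name.
 *
 * name	converter name to look for; NULL never matches.
 * dcpp	if non-NULL, receives the matching class.
 *
 * Returns 0 on a match and ENOENT otherwise.  Takes no lock itself.
 */
static int
iconv_lookupconv(const char *name, struct iconv_converter_class **dcpp)
{
	struct iconv_converter_class *dcp;
	const char *cnvname;

	/* A NULL name cannot match anything; no need to walk the list. */
	if (name == NULL)
		return ENOENT;
	TAILQ_FOREACH(dcp, &iconv_converters, cc_link) {
		/*
		 * The other list walkers in this file treat a NULL converter
		 * name as "skip this entry"; do the same here instead of
		 * handing a NULL pointer to strcmp().
		 */
		cnvname = ICONV_CONVERTER_NAME(dcp);
		if (cnvname == NULL)
			continue;
		if (strcmp(name, cnvname) == 0) {
			if (dcpp)
				*dcpp = dcp;
			return 0;
		}
	}
	return ENOENT;
}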
/*
 * Find a registered charset pair whose target and source names both
 * match, ignoring case.  On a match the pair is stored through cspp
 * (when cspp is non-NULL) and 0 is returned; otherwise ENOENT.
 *
 * to and from are passed straight to strcasecmp(), so neither may be NULL.
 */
static int
iconv_lookupcs(const char *to, const char *from, struct iconv_cspair **cspp)
{
	struct iconv_cspair *pair;

	TAILQ_FOREACH(pair, &iconv_cslist, cp_link) {
		if (strcasecmp(pair->cp_to, to) != 0)
			continue;
		if (strcasecmp(pair->cp_from, from) != 0)
			continue;
		if (cspp != NULL)
			*cspp = pair;
		return (0);
	}
	return (ENOENT);
}
/*
 * Register a new (to, from) charset pair served by converter class dcp.
 *
 * The pair structure and any name that is not the shared "unicode"
 * string live in a single allocation: the names are stored directly
 * behind the structure.  data is stored as cp_data without being copied.
 *
 * Returns EEXIST if the pair is already registered, else 0 with the new
 * pair stored through cspp (which must not be NULL).
 *
 * The name lengths are not capped here.  iconv_sysctl_add() bounds them
 * before calling; iconv_add() passes its arguments through unchecked.
 */
static int
iconv_register_cspair(const char *to, const char *from,
    struct iconv_converter_class *dcp, void *data,
    struct iconv_cspair **cspp)
{
	struct iconv_cspair *pair;
	char *names;
	int to_is_ucs, from_is_ucs, total;

	if (iconv_lookupcs(to, from, NULL) == 0)
		return (EEXIST);

	to_is_ucs = (strcmp(to, iconv_unicode_string) == 0);
	from_is_ucs = (strcmp(from, iconv_unicode_string) == 0);

	/* Room for the structure plus each name that has to be copied. */
	total = sizeof(*pair);
	if (!to_is_ucs)
		total += strlen(to) + 1;
	if (!from_is_ucs)
		total += strlen(from) + 1;

	pair = malloc(total, M_ICONV, M_WAITOK);
	bzero(pair, total);
	pair->cp_id = iconv_csid++;
	pair->cp_dcp = dcp;
	pair->cp_data = data;

	/* The copies below fit: total was computed from the same strlen()s. */
	names = (char *)(pair + 1);
	if (to_is_ucs) {
		pair->cp_to = iconv_unicode_string;
	} else {
		strcpy(names, to);
		pair->cp_to = names;
		names += strlen(names) + 1;
	}
	if (from_is_ucs) {
		pair->cp_from = iconv_unicode_string;
	} else {
		strcpy(names, from);
		pair->cp_from = names;
	}

	TAILQ_INSERT_TAIL(&iconv_cslist, pair, cp_link);
	*cspp = pair;
	return (0);
}
/*
 * Unlink a charset pair from iconv_cslist and free it together with its
 * cp_data blob, if any.
 *
 * cp_data is released as M_ICONVDATA, so whatever pointer was stored
 * there must have been allocated with that malloc type.
 */
static void
iconv_unregister_cspair(struct iconv_cspair *csp)
{
	void *blob = csp->cp_data;

	TAILQ_REMOVE(&iconv_cslist, csp, cp_link);
	if (blob != NULL)
		free(blob, M_ICONVDATA);
	free(csp, M_ICONV);
}
/*
* Lookup and create an instance of converter.
* Currently this layer does not have an associated 'instance' structure
* to avoid unnecessary memory allocation.
*/
/*
 * Open a conversion from charset `from' to charset `to'.
 *
 * A directly registered pair is used when there is one.  Otherwise each
 * loaded converter's name is tried as an intermediate charset: if both
 * (name <- from) and (to <- name) are registered, that converter is
 * opened over the two pairs.  Returns ENOENT when nothing fits, else
 * whatever the converter's open method returns.
 *
 * NOTE(review): both lists are walked here without taking iconv_lock;
 * confirm callers serialise against converter and pair (un)registration.
 */
int
iconv_open(const char *to, const char *from, void **handle)
{
	struct iconv_converter_class *dcp;
	struct iconv_cspair *direct, *src_pair, *dst_pair;
	const char *via;

	/* First choice: a fully qualified pair. */
	if (iconv_lookupcs(to, from, &direct) == 0)
		return ICONV_CONVERTER_OPEN(direct->cp_dcp, direct, NULL, handle);

	/*
	 * Nothing direct; try to build a composite conversion.
	 * ToDo: add a 'capability' field to converter
	 */
	TAILQ_FOREACH(dcp, &iconv_converters, cc_link) {
		via = ICONV_CONVERTER_NAME(dcp);
		if (via == NULL)
			continue;
		if (iconv_lookupcs(via, from, &src_pair) != 0 ||
		    iconv_lookupcs(to, via, &dst_pair) != 0)
			continue;
		/* Found two pairs that can be chained through this converter. */
		return ICONV_CONVERTER_OPEN(dcp, dst_pair, src_pair, handle);
	}
	return (ENOENT);
}
/*
 * Close a handle obtained from iconv_open() by dispatching to the
 * converter's close method; its result is returned unchanged.
 */
int
iconv_close(void *handle)
{
	int error;

	error = ICONV_CONVERTER_CLOSE(handle);
	return (error);
}
/*
 * Convert through an open handle.  The buffer pointers and remaining
 * byte counts are handed to the converter's conv method as they are,
 * with the two trailing arguments both 0 (the *chr variants pass 1 as
 * the first of them, the *_case variants pass casetype as the second).
 */
int
iconv_conv(void *handle, const char **inbuf,
    size_t *inbytesleft, char **outbuf, size_t *outbytesleft)
{
	int error;

	error = ICONV_CONVERTER_CONV(handle, inbuf, inbytesleft, outbuf,
	    outbytesleft, 0, 0);
	return (error);
}
/*
 * Same dispatch as iconv_conv(), but forwards the caller's casetype as
 * the last argument of the converter's conv method.
 */
int
iconv_conv_case(void *handle, const char **inbuf,
    size_t *inbytesleft, char **outbuf, size_t *outbytesleft, int casetype)
{
	int error;

	error = ICONV_CONVERTER_CONV(handle, inbuf, inbytesleft, outbuf,
	    outbytesleft, 0, casetype);
	return (error);
}
/*
 * Same dispatch as iconv_conv(), but passes 1 instead of 0 as the sixth
 * argument of the converter's conv method -- presumably selecting
 * single-character conversion, as the function name suggests.
 */
int
iconv_convchr(void *handle, const char **inbuf,
    size_t *inbytesleft, char **outbuf, size_t *outbytesleft)
{
	int error;

	error = ICONV_CONVERTER_CONV(handle, inbuf, inbytesleft, outbuf,
	    outbytesleft, 1, 0);
	return (error);
}
/*
 * Combination of iconv_convchr() and iconv_conv_case(): the sixth
 * argument of the converter's conv method is 1 and the caller's
 * casetype is forwarded as the seventh.
 */
int
iconv_convchr_case(void *handle, const char **inbuf,
    size_t *inbytesleft, char **outbuf, size_t *outbytesleft, int casetype)
{
	int error;

	error = ICONV_CONVERTER_CONV(handle, inbuf, inbytesleft, outbuf,
	    outbytesleft, 1, casetype);
	return (error);
}
/*
 * Dispatch c to the tolower method of the converter behind handle and
 * return its result.
 */
int
towlower(int c, void *handle)
{
	int lowered;

	lowered = ICONV_CONVERTER_TOLOWER(handle, c);
	return (lowered);
}
/*
 * Dispatch c to the toupper method of the converter behind handle and
 * return its result.
 */
int
towupper(int c, void *handle)
{
	int raised;

	raised = ICONV_CONVERTER_TOUPPER(handle, c);
	return (raised);
}
/*
* Give a list of loaded converters. Each name terminated with 0.
* An empty string terminates the list.
*/
/*
 * sysctl handler behind kern.iconv.drvlist.  Copies out the name of
 * every loaded converter, each with its terminating NUL, followed by a
 * single 0 byte that ends the list.  Converters without a name are
 * skipped.  The list is walked under a shared hold of iconv_lock.
 */
static int
iconv_sysctl_drvlist(SYSCTL_HANDLER_ARGS)
{
	struct iconv_converter_class *dcp;
	const char *cnvname;
	char terminator = 0;
	int error = 0;

	sx_slock(&iconv_lock);
	TAILQ_FOREACH(dcp, &iconv_converters, cc_link) {
		cnvname = ICONV_CONVERTER_NAME(dcp);
		if (cnvname != NULL) {
			error = SYSCTL_OUT(req, cnvname, strlen(cnvname) + 1);
			if (error != 0)
				break;
		}
	}
	sx_sunlock(&iconv_lock);
	if (error != 0)
		return (error);

	/* An empty string marks the end of the list. */
	return (SYSCTL_OUT(req, &terminator, sizeof(terminator)));
}
/* Read-only opaque node kern.iconv.drvlist, served by iconv_sysctl_drvlist(). */
SYSCTL_PROC(_kern_iconv, OID_AUTO, drvlist, CTLFLAG_RD | CTLTYPE_OPAQUE,
NULL, 0, iconv_sysctl_drvlist, "S,xlat", "registered converters");
/*
* List all available charset pairs.
*/
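/*
 * sysctl handler behind kern.iconv.cslist.  Copies out one
 * struct iconv_cspair_info per registered charset pair, walking the
 * list under a shared hold of iconv_lock.
 *
 * Returns 0, or the first error reported by SYSCTL_OUT().
 */
static int
iconv_sysctl_cslist(SYSCTL_HANDLER_ARGS)
{
	struct iconv_cspair *csp;
	struct iconv_cspair_info csi;
	int error;

	error = 0;
	/* Zero the whole record once so no stale stack bytes are copied out. */
	bzero(&csi, sizeof(csi));
	csi.cs_version = ICONV_CSPAIR_INFO_VER;
	sx_slock(&iconv_lock);
	TAILQ_FOREACH(csp, &iconv_cslist, cp_link) {
		csi.cs_id = csp->cp_id;
		csi.cs_refcount = csp->cp_refcount;
		csi.cs_base = csp->cp_base ? csp->cp_base->cp_id : 0;
		/*
		 * Bound both copies by the destination field.  Pairs added
		 * through iconv_sysctl_add() have length-checked names, but
		 * iconv_add() registers whatever names its caller supplies,
		 * so an unbounded strcpy() could run past csi on the kernel
		 * stack.  An overlong name is truncated in the report.
		 */
		strlcpy(csi.cs_to, csp->cp_to, sizeof(csi.cs_to));
		strlcpy(csi.cs_from, csp->cp_from, sizeof(csi.cs_from));
		error = SYSCTL_OUT(req, &csi, sizeof(csi));
		if (error)
			break;
	}
	sx_sunlock(&iconv_lock);
	return error;
}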
/* Read-only opaque node kern.iconv.cslist, served by iconv_sysctl_cslist(). */
SYSCTL_PROC(_kern_iconv, OID_AUTO, cslist, CTLFLAG_RD | CTLTYPE_OPAQUE,
NULL, 0, iconv_sysctl_cslist, "S,xlat", "registered charset pairs");
/*
 * In-kernel entry point for registering a (to, from) charset pair with
 * the named converter and no private data.  Returns EINVAL if the
 * converter is not loaded, otherwise the result of
 * iconv_register_cspair().
 *
 * Unlike iconv_sysctl_add(), the names are not length-checked here.
 * NOTE(review): iconv_lock is not taken either, although both lists are
 * touched -- confirm callers hold it or are otherwise serialised.
 */
int
iconv_add(const char *converter, const char *to, const char *from)
{
	struct iconv_converter_class *dcp;
	struct iconv_cspair *csp;
	int error;

	error = iconv_lookupconv(converter, &dcp);
	if (error != 0)
		return (EINVAL);
	return (iconv_register_cspair(to, from, dcp, NULL, &csp));
}
/*
* Add new charset pair
*/
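/*
 * sysctl handler behind kern.iconv.add: register a charset pair
 * described by a struct iconv_add_in copied from userland, optionally
 * with a data blob, and report the new pair's id in a
 * struct iconv_add_out.
 *
 * Returns 0 on success; EINVAL for a bad version, an out-of-range data
 * length, an over-long or unterminated name, or an unknown converter;
 * otherwise the error from SYSCTL_IN(), iconv_register_cspair(),
 * copyin() or SYSCTL_OUT().
 */
static int
iconv_sysctl_add(SYSCTL_HANDLER_ARGS)
{
	struct iconv_converter_class *dcp;
	struct iconv_cspair *csp;
	struct iconv_add_in din;
	struct iconv_add_out dout;
	int error;

	/*
	 * Start from a zeroed request so the checks below never look at
	 * stale stack contents should SYSCTL_IN() succeed without filling
	 * the whole structure.
	 */
	bzero(&din, sizeof(din));
	error = SYSCTL_IN(req, &din, sizeof(din));
	if (error)
		return error;
	if (din.ia_version != ICONV_ADD_VER)
		return EINVAL;
	/*
	 * ia_datalen is a signed int supplied by userland.  Reject negative
	 * values explicitly instead of relying on the signedness of
	 * ICONV_CSMAXDATALEN to make them compare as large.
	 */
	if (din.ia_datalen < 0 || din.ia_datalen > ICONV_CSMAXDATALEN)
		return EINVAL;
	/*
	 * din was copied verbatim from userland, so nothing guarantees that
	 * the name arrays are NUL-terminated.  Measure each with strnlen()
	 * bounded by the field size rather than strlen() (PR 207302); a name
	 * that fills its field without a terminator is rejected.
	 */
	if (strnlen(din.ia_from, sizeof(din.ia_from)) >= ICONV_CSNMAXLEN)
		return EINVAL;
	if (strnlen(din.ia_to, sizeof(din.ia_to)) >= ICONV_CSNMAXLEN)
		return EINVAL;
	if (strnlen(din.ia_converter, sizeof(din.ia_converter)) >= ICONV_CNVNMAXLEN)
		return EINVAL;
	/*
	 * Look the converter up under the same exclusive hold that covers
	 * the registration, so the class cannot be unregistered by
	 * iconv_converter_handler() between the lookup and its use.
	 */
	sx_xlock(&iconv_lock);
	if (iconv_lookupconv(din.ia_converter, &dcp) != 0) {
		sx_xunlock(&iconv_lock);
		return EINVAL;
	}
	error = iconv_register_cspair(din.ia_to, din.ia_from, dcp, NULL, &csp);
	if (error) {
		sx_xunlock(&iconv_lock);
		return error;
	}
	if (din.ia_datalen) {
		/* Size was bounded above; iconv_unregister_cspair() frees it. */
		csp->cp_data = malloc(din.ia_datalen, M_ICONVDATA, M_WAITOK);
		error = copyin(din.ia_data, csp->cp_data, din.ia_datalen);
		if (error)
			goto bad;
	}
	/*
	 * The whole reply structure is copied to userland; zero it first so
	 * padding or fields not set here cannot carry kernel stack bytes.
	 */
	bzero(&dout, sizeof(dout));
	dout.ia_csid = csp->cp_id;
	error = SYSCTL_OUT(req, &dout, sizeof(dout));
	if (error)
		goto bad;
	sx_xunlock(&iconv_lock);
	ICDEBUG("%s => %s, %d bytes\n",din.ia_from, din.ia_to, din.ia_datalen);
	return 0;
bad:
	/* Undo the registration; this also releases cp_data if it was set. */
	iconv_unregister_cspair(csp);
	sx_xunlock(&iconv_lock);
	return error;
}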
/*
 * Read-write opaque node kern.iconv.add, served by iconv_sysctl_add().
 * A write feeds a userland-supplied struct iconv_add_in to the kernel.
 * NOTE(review): presumably the sysctl framework limits writes to
 * privileged callers since no flag here widens access -- confirm.
 */
SYSCTL_PROC(_kern_iconv, OID_AUTO, add, CTLFLAG_RW | CTLTYPE_OPAQUE,
NULL, 0, iconv_sysctl_add, "S,xlat", "register charset pair");
/*
* Default stubs for converters
*/
/*
 * Default init stub for converters: ignores dp and reports success.
 */
int
iconv_converter_initstub(struct iconv_converter_class *dp)
{
	(void)dp;
	return (0);
}
/*
 * Default done stub for converters: ignores dp and reports success.
 */
int
iconv_converter_donestub(struct iconv_converter_class *dp)
{
	(void)dp;
	return (0);
}
/*
 * Default case-mapping stub for converters: returns c unchanged and
 * ignores handle.
 */
int
iconv_converter_tolowerstub(int c, void *handle)
{
	(void)handle;
	return c;
}
/*
 * Module event handler shared by converter modules; data is the
 * converter class.
 *
 * MOD_LOAD registers the class and runs its init method, unregistering
 * it again if init fails.  MOD_UNLOAD runs the done method and then
 * unregisters the class.  Both run with iconv_lock held exclusively.
 * Any other event type yields EINVAL.
 *
 * NOTE(review): on MOD_UNLOAD the done method runs before
 * iconv_unregister_converter() has had the chance to refuse with EBUSY
 * -- confirm that ordering is intended.
 */
int
iconv_converter_handler(module_t mod, int type, void *data)
{
	struct iconv_converter_class *dcp = data;
	int error;

	if (type != MOD_LOAD && type != MOD_UNLOAD)
		return (EINVAL);

	sx_xlock(&iconv_lock);
	if (type == MOD_LOAD) {
		error = iconv_register_converter(dcp);
		if (error == 0) {
			error = ICONV_CONVERTER_INIT(dcp);
			if (error != 0)
				iconv_unregister_converter(dcp);
		}
	} else {
		ICONV_CONVERTER_DONE(dcp);
		error = iconv_unregister_converter(dcp);
	}
	sx_xunlock(&iconv_lock);
	return (error);
}
/*
* Commonly used functions (don't use with unicode)
*/
/*
 * Convert the NUL-terminated string src into dst through handle, or
 * plainly copy it when handle is NULL.  Returns dst, or NULL if either
 * converter call fails.
 *
 * There is no destination length parameter: the output budget given to
 * the converter is strlen(src) bytes and the terminator is written after
 * it, so the caller must supply at least strlen(src) + 1 bytes in dst.
 */
char *
iconv_convstr(void *handle, char *dst, const char *src)
{
	char *out = dst;
	size_t inleft, outleft;

	if (handle == NULL) {
		strcpy(dst, src);
		return (dst);
	}

	inleft = strlen(src);
	outleft = inleft;
	/* First call passes no input (presumably resets converter state). */
	if (iconv_conv(handle, NULL, NULL, &out, &outleft) != 0)
		return (NULL);
	if (iconv_conv(handle, &src, &inleft, &out, &outleft) != 0)
		return (NULL);
	*out = 0;
	return (dst);
}
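/*
 * Convert size bytes from src into dst through handle, or plainly copy
 * them when handle is NULL.
 *
 * Returns dst on success (including size == 0, where nothing is
 * touched), or NULL if size is negative or a converter call fails.
 * The caller must supply at least size bytes in dst.
 */
void *
iconv_convmem(void *handle, void *dst, const void *src, int size)
{
	const char *s = src;
	char *d = dst;
	size_t inlen, outlen;
	int error;

	if (size == 0)
		return dst;
	/*
	 * size is a signed int that is widened to size_t below.  A negative
	 * value would become an enormous length for memcpy() and for the
	 * converter, so treat it as an error instead.
	 */
	if (size < 0)
		return NULL;
	if (handle == NULL) {
		memcpy(dst, src, size);
		return dst;
	}
	inlen = outlen = size;
	/* First call passes no input (presumably resets converter state). */
	error = iconv_conv(handle, NULL, NULL, &d, &outlen);
	if (error)
		return NULL;
	error = iconv_conv(handle, &s, &inlen, &d, &outlen);
	if (error)
		return NULL;
	return dst;
}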
/*
 * Search the NULL-terminated string list cpp for an exact match of s.
 * Returns 0 when found and ENOENT when not found or when cpp itself is
 * NULL (a debug warning is emitted in that case).
 *
 * s is passed straight to strcmp(), so it must not be NULL.
 */
int
iconv_lookupcp(char **cpp, const char *s)
{
	char **entry;

	if (cpp == NULL) {
		ICDEBUG("warning a NULL list passed\n", "");
		return (ENOENT);
	}
	entry = cpp;
	while (*entry != NULL) {
		if (strcmp(*entry, s) == 0)
			return (0);
		entry++;
	}
	return (ENOENT);
}
/*
* Return whether fsname is in use or not
*/
/*
 * Report whether the filesystem type named fsname is in use: EBUSY when
 * vfs_byname() finds it and its vfc_refcount is positive, 0 otherwise
 * (including when the name is unknown).
 */
int
iconv_vfs_refcount(const char *fsname)
{
	struct vfsconf *vfsp = vfs_byname(fsname);

	if (vfsp == NULL)
		return (0);
	return (vfsp->vfc_refcount > 0 ? EBUSY : 0);
}