From d447abd487a89b6f91ef4ea8a3af29ca166c488b Mon Sep 17 00:00:00 2001
From: jmg
Date: Sat, 1 Mar 1997 23:53:46 +0000
Subject: [PATCH] make sure that the user supplied signals in struct vt_mode are actually valid signals, else return EINVAL for ioctl VT_SETMODE. this fixes a problem that anybody with vty access can panic the system. 2.2-Candidate (and 2.1.0 I believe)
Reviewed-by: sos
---
 sys/dev/syscons/syscons.c | 26 ++++++++++++++++++--------
 sys/i386/isa/syscons.c | 26 ++++++++++++++++++--------
 sys/isa/syscons.c | 26 ++++++++++++++++++--------
 3 files changed, 54 insertions(+), 24 deletions(-)
diff --git a/sys/dev/syscons/syscons.c b/sys/dev/syscons/syscons.c
index 94b650d06d13..4db4f9aa5c0f 100644
--- a/sys/dev/syscons/syscons.c
+++ b/sys/dev/syscons/syscons.c
@@ -25,7 +25,7 @@
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
- * $Id: syscons.c,v 1.203 1997/02/28 08:42:35 yokota Exp $
+ * $Id: syscons.c,v 1.204 1997/02/28 14:26:34 bde Exp $
 */
 #include "sc.h"
@@ -168,6 +168,7 @@ static const int nsccons = MAXCONS+2;
 #define WRAPHIST(scp, pointer, offset)\
 ((scp->history) + ((((pointer) - (scp->history)) + (scp->history_size)\
 + (offset)) % (scp->history_size)))
+#define ISSIGVALID(sig) ((sig) > 0 && (sig) < NSIG)
 /* prototypes */
 static int scattach(struct isa_device *dev);
@@ -794,7 +795,7 @@ scioctl(dev_t dev, int cmd, caddr_t data, int flag, struct proc *p)
 switch (mouse->operation) {
 case MOUSE_MODE:
- if (mouse->u.mode.signal > 0 && mouse->u.mode.signal < NSIG) {
+ if (ISSIGVALID(mouse->u.mode.signal)) {
 scp->mouse_signal = mouse->u.mode.signal;
 scp->mouse_proc = p;
 scp->mouse_pid = p->p_pid;
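Review bot: The new `ISSIGVALID` macro (added after `WRAPHIST` in sys/dev/syscons/syscons.c, and identically in sys/i386/isa/syscons.c and sys/isa/syscons.c) has no comment and expands `sig` twice, which is safe for the plain field reads it is given in this patch but not for an argument with side effects. A one-line comment above it would record both the accepted range and that constraint, for example `/* nonzero if sig is a usable signal number (1..NSIG-1); evaluates sig twice */`. Signal 0 is rejected by the `> 0` test, which is worth stating because the commit message says these values are supplied by the user through the ioctl.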
@@ -1026,12 +1027,21 @@ scioctl(dev_t dev, int cmd, caddr_t data, int flag, struct proc *p)
 return 0;
 case VT_SETMODE: /* set screen switcher mode */
- bcopy(data, &scp->smode, sizeof(struct vt_mode));
- if (scp->smode.mode == VT_PROCESS) {
- scp->proc = p;
- scp->pid = scp->proc->p_pid;
- }
- return 0;
+ {
+ struct vt_mode *mode;
+
+ mode = (struct vt_mode *)data;
+ if (ISSIGVALID(mode->relsig) && ISSIGVALID(mode->acqsig) &&
+ ISSIGVALID(mode->frsig)) {
+ bcopy(data, &scp->smode, sizeof(struct vt_mode));
+ if (scp->smode.mode == VT_PROCESS) {
+ scp->proc = p;
+ scp->pid = scp->proc->p_pid;
+ }
+ return 0;
+ } else
+ return EINVAL;
+ }
 case VT_GETMODE: /* get screen switcher mode */
 bcopy(&scp->smode, data, sizeof(struct vt_mode));
diff --git a/sys/i386/isa/syscons.c b/sys/i386/isa/syscons.c
index 94b650d06d13..4db4f9aa5c0f 100644
--- a/sys/i386/isa/syscons.c
+++ b/sys/i386/isa/syscons.c
@@ -25,7 +25,7 @@
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
- * $Id: syscons.c,v 1.203 1997/02/28 08:42:35 yokota Exp $
+ * $Id: syscons.c,v 1.204 1997/02/28 14:26:34 bde Exp $
 */
 #include "sc.h"
@@ -168,6 +168,7 @@ static const int nsccons = MAXCONS+2;
 #define WRAPHIST(scp, pointer, offset)\
 ((scp->history) + ((((pointer) - (scp->history)) + (scp->history_size)\
 + (offset)) % (scp->history_size)))
+#define ISSIGVALID(sig) ((sig) > 0 && (sig) < NSIG)
 /* prototypes */
 static int scattach(struct isa_device *dev);
@@ -794,7 +795,7 @@ scioctl(dev_t dev, int cmd, caddr_t data, int flag, struct proc *p)
 switch (mouse->operation) {
 case MOUSE_MODE:
- if (mouse->u.mode.signal > 0 && mouse->u.mode.signal < NSIG) {
+ if (ISSIGVALID(mouse->u.mode.signal)) {
 scp->mouse_signal = mouse->u.mode.signal;
 scp->mouse_proc = p;
 scp->mouse_pid = p->p_pid;
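Review bot: In the `VT_SETMODE` case of sys/dev/syscons/syscons.c (the same hunk appears in sys/i386/isa/syscons.c and sys/isa/syscons.c), `relsig`, `acqsig` and `frsig` are checked before `mode->mode` is looked at, so a request for any mode other than `VT_PROCESS` that leaves those fields zero is now refused with `EINVAL`. If the stored signals are only ever delivered while the mode is `VT_PROCESS` (the delivery code is outside this hunk, so that needs confirming first), the check could be a guard limited to that mode, `if (mode->mode == VT_PROCESS && !(ISSIGVALID(mode->relsig) && ISSIGVALID(mode->acqsig) && ISSIGVALID(mode->frsig))) return EINVAL;`, which also lets the original `bcopy` and assignment lines stay at their old indentation without the `else` after `return 0;`. `mode->mode` itself is still copied into `scp->smode` without any range check. The enclosing `scioctl` switch starts and ends outside the hunk.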
@@ -1026,12 +1027,21 @@ scioctl(dev_t dev, int cmd, caddr_t data, int flag, struct proc *p)
 return 0;
 case VT_SETMODE: /* set screen switcher mode */
- bcopy(data, &scp->smode, sizeof(struct vt_mode));
- if (scp->smode.mode == VT_PROCESS) {
- scp->proc = p;
- scp->pid = scp->proc->p_pid;
- }
- return 0;
+ {
+ struct vt_mode *mode;
+
+ mode = (struct vt_mode *)data;
+ if (ISSIGVALID(mode->relsig) && ISSIGVALID(mode->acqsig) &&
+ ISSIGVALID(mode->frsig)) {
+ bcopy(data, &scp->smode, sizeof(struct vt_mode));
+ if (scp->smode.mode == VT_PROCESS) {
+ scp->proc = p;
+ scp->pid = scp->proc->p_pid;
+ }
+ return 0;
+ } else
+ return EINVAL;
+ }
 case VT_GETMODE: /* get screen switcher mode */
 bcopy(&scp->smode, data, sizeof(struct vt_mode));
diff --git a/sys/isa/syscons.c b/sys/isa/syscons.c
index 94b650d06d13..4db4f9aa5c0f 100644
--- a/sys/isa/syscons.c
+++ b/sys/isa/syscons.c
@@ -25,7 +25,7 @@
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
- * $Id: syscons.c,v 1.203 1997/02/28 08:42:35 yokota Exp $
+ * $Id: syscons.c,v 1.204 1997/02/28 14:26:34 bde Exp $
 */
 #include "sc.h"
@@ -168,6 +168,7 @@ static const int nsccons = MAXCONS+2;
 #define WRAPHIST(scp, pointer, offset)\
 ((scp->history) + ((((pointer) - (scp->history)) + (scp->history_size)\
 + (offset)) % (scp->history_size)))
+#define ISSIGVALID(sig) ((sig) > 0 && (sig) < NSIG)
 /* prototypes */
 static int scattach(struct isa_device *dev);
@@ -794,7 +795,7 @@ scioctl(dev_t dev, int cmd, caddr_t data, int flag, struct proc *p)
 switch (mouse->operation) {
 case MOUSE_MODE:
- if (mouse->u.mode.signal > 0 && mouse->u.mode.signal < NSIG) {
+ if (ISSIGVALID(mouse->u.mode.signal)) {
 scp->mouse_signal = mouse->u.mode.signal;
 scp->mouse_proc = p;
 scp->mouse_pid = p->p_pid;
@@ -1026,12 +1027,21 @@ scioctl(dev_t dev, int cmd, caddr_t data, int flag, struct proc *p)
 return 0;
 case VT_SETMODE: /* set screen switcher mode */
- bcopy(data, &scp->smode, sizeof(struct vt_mode));
- if (scp->smode.mode == VT_PROCESS) {
- scp->proc = p;
- scp->pid = scp->proc->p_pid;
- }
- return 0;
+ {
+ struct vt_mode *mode;
+
+ mode = (struct vt_mode *)data;
+ if (ISSIGVALID(mode->relsig) && ISSIGVALID(mode->acqsig) &&
+ ISSIGVALID(mode->frsig)) {
+ bcopy(data, &scp->smode, sizeof(struct vt_mode));
+ if (scp->smode.mode == VT_PROCESS) {
+ scp->proc = p;
+ scp->pid = scp->proc->p_pid;
+ }
+ return 0;
+ } else
+ return EINVAL;
+ }
 case VT_GETMODE: /* get screen switcher mode */
 bcopy(&scp->smode, data, sizeof(struct vt_mode));