Check against the size of the struct, not the pointer. Previously, a message
with a cm_len between 9 and 23 (inclusive) could cause int msglen to underflow
and read(2) to be invoked with msglen size (implicitly cast to signed),
overrunning the caller-provided buffer.
All users of cm_recv() supply a stack buffer.
On the other hand, the rtadvd control socket appears to only be writable by the
owner, who is probably root.
While here, correct some types to be size_t or ssize_t.
Reported by: Coverity
CID: 1008477
Security: unix socket remotes may overflow stack in rtadvd
Sponsored by: EMC / Isilon Storage Division
On WIN8 like host systems, when rescan happens, the already installed
disks seem to return random invalid results for INQUIRY.
More investigation is under way to figure out why random invalid INQUIRY
results are delivered to VM on WIN8 like host systems.
Submitted by: Hongjiang Zhang <honzhan microsoft com>
Reviewed by: sephe
MFC after: 1 week
Sponsored by: Microsoft OSTC
Differential Revision: https://reviews.freebsd.org/D6316
More of the same sort of issue as r299503, just missed some sysctls added in a
different place than the others.
Reported by: Coverity
CIDs: 1007692, 1009677, 1009678
Sponsored by: EMC / Isilon Storage Division
None of the sysctl handlers in hdaa use the arg2 parameter, so just pass zero
instead. Additionally, the sizes being passed in were suspect (size of the
pointer rather than the value).
Reported by: Coverity
CIDs: 1007694, 1009679
Sponsored by: EMC / Isilon Storage Division
h_aliases is a NULL-terminated rather than fixed-length array. nitems() is not
a valid way to determine its end; instead, check for NULL.
Reported by: Coverity
CID: 1346578
Sponsored by: EMC / Isilon Storage Division
If atf_list_append(, X, ) fails, X is freed. Don't free it again.
If anyone wants to walk this patch upstream, be my guest. I literally cannot
upstream it myself due to Google's stupid CLA.
Reported by: Coverity
CID: 979936
Sponsored by: EMC / Isilon Storage Division
If krb5_make_principal fails, tmp_creds.server may remain a pointer to freed
memory and then be double-freed. After freeing it the first time, initialize
it to NULL, which causes subsequent krb5_free_principal calls to do the right
thing.
Reported by: Coverity
CID: 1273430
Sponsored by: EMC / Isilon Storage Division
In the case that the subsequent sysctl(3) call failed, 'buf' could be free(3)ed
repeatedly. It isn't clear to me that that case is possible, but be clear and
do the right thing in case it is.
Reported by: Coverity
CID: 272537
Sponsored by: EMC / Isilon Storage Division
In the case where a file lacks a trailing newline, there is some "evil" code to
reverse goto the tokenizing code ("make_token") for the final token in the
file. In this case, 'fd' is closed more than once. Use a negative sentinel
value to guard close(2), preventing the double close.
Ideally, this code would be restructured to avoid this ugly construction.
Reported by: Coverity
CID: 1006123
Sponsored by: EMC / Isilon Storage Division
The kern.ps_strings sysctl was introduced in r103767 and the last
use of PS_STRINGS in userspace code was removed in r297888.
PR: 208760 [exp-run]
Reviewed by: kib
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D5933
- Introduce new OF API function OF_prop_free to free memory allocated by
OF_getprop_alloc and OF_getencprop_alloc. Current code just calls free(9)
with M_OFWPROP memory class which assumes knowledge about OF_*prop_alloc
functions' internals and leads to unneccessary code coupling
- Convert some of the free(..., M_OFWPROP) instances to OF_prop_free
Files affected by this commit are the ones I was able to test on real
hardware. The rest of free(..., M_OFWPROP) instances will be handled with
idividual maintainers
Reviewed by: andrew
Differential Revision: https://reviews.freebsd.org/D6315
Close the fd the poll error was detected on, rather than the last opened fd, to
fix the double-close.
Use -1 to make it explict which int variables no longer own socket file
descriptors.
Actually shrink, rather than grow, the poll timeout to match comment.
Reported by: Coverity
CID: 1304860, 1305616
Sponsored by: EMC / Isilon Storage Division
gpiokey driver implements functional subset of gpiokeys device-tree bindings:
https://www.kernel.org/doc/Documentation/devicetree/bindings/input/gpio-keys.txt
It acts as a virtual keyboard, so keys are visible through kbdmux(4)
Driver maps linux scancodes for most common keys to FreeBSD scancodes and
also extends spec by introducing freebsd,code property to specify
FreeBSD-native scancodes.
Reviewed by: mmel, jmcneill
Differential Revision: https://reviews.freebsd.org/D6279
We want to avoid .text relocations in shared objects. libcrypto was the
only consumer and it is now fixed (as of r299389). Remove the now-unused
support for turning off the linker warning.
Reviewed by: kib
Differential Revision: https://reviews.freebsd.org/D6323
This logic was added to the whois() function in r281959, but could easily be
its own routine. In this case, I think the abstraction makes both functions
easier to reason about.
This precedes some Coverity-suggested cleanup.
Sponsored by: EMC / Isilon Storage Division
Coverity really should have figured this out from the exit(3) call at the end
of the routine, but just make it explicit.
No functional change.
Reported by: Coverity
CID: 1304866 (false positive double-close of 'baz')
Sponsored by: EMC / Isilon Storage Division
detect failures, and get different PCI IDs.
For the former the interface returns an int to signal an error. The ID is
returned at a uintptr_t * argument.
For the latter there is a type argument that allows selecting the ID type.
This only specifies a single type, however a MSI type will be added
to handle the need to find the ID the hardware passes to the ARM GICv3
interrupt controller.
A follow up commit will be made to remove pci_get_rid.
Reviewed by: jhb, rstone
Obtained from: ABT Systems Ltd
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D6239
This fixes a number of possible strcpy() buffer overruns between the various
community strings in trap.c.
Reported by: Coverity
CIDs: 1006820, 1006821, 1006822
Sponsored by: EMC / Isilon Storage Division
list of memory that the kernel will need to sync when operating with a
non-cache coherent DMA engine.
Obtained from: ABT Systems Ltd
Sponsored by: The FreeBSD Foundation
Maybe this case is impossible. Either way, when attempting to "/dev/"-prefix a
non-global device name, check that we do not overrun the f_mntfromname buffer.
In this case, truncating (with strlcpy or similar) would not be useful, since
the f_mntfromname result of getmntpt() is passed directly to open(2) later.
Reported by: Coverity
CID: 1006789
Sponsored by: EMC / Isilon Storage Division
Use size of destination buffer, rather than a constant that may or may not
correspond to the source buffer, to restrict the length of copied strings. In
particular, pr_fname has 16+1 characters but MAXCOMLEN is 18+1.
Use strlcpy instead of strncpy to ensure the result is nul-terminated. This
seems to be what is expected of these fields.
Reported by: Coverity
CIDs: 1011302, 1011378
Sponsored by: EMC / Isilon Storage Division
to ensure ordering between the CPU and device. As the CPU and DMA target
may be in different shareability domains they need to be full system
barriers.
Obtained from: ABT Systems Ltd
Sponsored by: The FreeBSD Foundation
We have identical code no matter the expression behind the if.
Avoid the desision altogether and keep doing what is expected.
Reviewed by: dfr
CID: 1305689
delete permissions for ACLs
Reviewed by: Gordon Ross <gwr@nexenta.com>
Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com>
Author: Kevin Crowe <kevin.crowe@nexenta.com>
openzfs/openzfs@a40149b935
aclmode=passthrough
Reviewed by: Gordon Ross <gwr@nexenta.com>
Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com>
Author: Albert Lee <trisk@nexenta.com>
openzfs/openzfs@1bcf0d240b