| @@ -1,14 +1,14 @@ | | | @@ -1,14 +1,14 @@ |
1 | /* $NetBSD: vnd.c,v 1.219.8.3 2015/02/04 04:18:23 snj Exp $ */ | | 1 | /* $NetBSD: vnd.c,v 1.219.8.4 2017/08/19 03:50:00 snj Exp $ */ |
2 | | | 2 | |
3 | /*- | | 3 | /*- |
4 | * Copyright (c) 1996, 1997, 1998, 2008 The NetBSD Foundation, Inc. | | 4 | * Copyright (c) 1996, 1997, 1998, 2008 The NetBSD Foundation, Inc. |
5 | * All rights reserved. | | 5 | * All rights reserved. |
6 | * | | 6 | * |
7 | * This code is derived from software contributed to The NetBSD Foundation | | 7 | * This code is derived from software contributed to The NetBSD Foundation |
8 | * by Jason R. Thorpe. | | 8 | * by Jason R. Thorpe. |
9 | * | | 9 | * |
10 | * Redistribution and use in source and binary forms, with or without | | 10 | * Redistribution and use in source and binary forms, with or without |
11 | * modification, are permitted provided that the following conditions | | 11 | * modification, are permitted provided that the following conditions |
12 | * are met: | | 12 | * are met: |
13 | * 1. Redistributions of source code must retain the above copyright | | 13 | * 1. Redistributions of source code must retain the above copyright |
14 | * notice, this list of conditions and the following disclaimer. | | 14 | * notice, this list of conditions and the following disclaimer. |
| @@ -81,27 +81,27 @@ | | | @@ -81,27 +81,27 @@ |
81 | * systems where the block-level operations are not implemented for | | 81 | * systems where the block-level operations are not implemented for |
82 | * whatever reason. | | 82 | * whatever reason. |
83 | * | | 83 | * |
84 | * NOTE 2: There is a security issue involved with this driver. | | 84 | * NOTE 2: There is a security issue involved with this driver. |
85 | * Once mounted all access to the contents of the "mapped" file via | | 85 | * Once mounted all access to the contents of the "mapped" file via |
86 | * the special file is controlled by the permissions on the special | | 86 | * the special file is controlled by the permissions on the special |
87 | * file, the protection of the mapped file is ignored (effectively, | | 87 | * file, the protection of the mapped file is ignored (effectively, |
88 | * by using root credentials in all transactions). | | 88 | * by using root credentials in all transactions). |
89 | * | | 89 | * |
90 | * NOTE 3: Doesn't interact with leases, should it? | | 90 | * NOTE 3: Doesn't interact with leases, should it? |
91 | */ | | 91 | */ |
92 | | | 92 | |
93 | #include <sys/cdefs.h> | | 93 | #include <sys/cdefs.h> |
94 | __KERNEL_RCSID(0, "$NetBSD: vnd.c,v 1.219.8.3 2015/02/04 04:18:23 snj Exp $"); | | 94 | __KERNEL_RCSID(0, "$NetBSD: vnd.c,v 1.219.8.4 2017/08/19 03:50:00 snj Exp $"); |
95 | | | 95 | |
96 | #if defined(_KERNEL_OPT) | | 96 | #if defined(_KERNEL_OPT) |
97 | #include "opt_vnd.h" | | 97 | #include "opt_vnd.h" |
98 | #include "opt_compat_netbsd.h" | | 98 | #include "opt_compat_netbsd.h" |
99 | #endif | | 99 | #endif |
100 | | | 100 | |
101 | #include <sys/param.h> | | 101 | #include <sys/param.h> |
102 | #include <sys/systm.h> | | 102 | #include <sys/systm.h> |
103 | #include <sys/namei.h> | | 103 | #include <sys/namei.h> |
104 | #include <sys/proc.h> | | 104 | #include <sys/proc.h> |
105 | #include <sys/kthread.h> | | 105 | #include <sys/kthread.h> |
106 | #include <sys/errno.h> | | 106 | #include <sys/errno.h> |
107 | #include <sys/buf.h> | | 107 | #include <sys/buf.h> |
| @@ -1157,52 +1157,79 @@ vndioctl(dev_t dev, u_long cmd, void *da | | | @@ -1157,52 +1157,79 @@ vndioctl(dev_t dev, u_long cmd, void *da |
1157 | /* allocate space for compresed file header */ | | 1157 | /* allocate space for compresed file header */ |
1158 | ch = malloc(sizeof(struct vnd_comp_header), | | 1158 | ch = malloc(sizeof(struct vnd_comp_header), |
1159 | M_TEMP, M_WAITOK); | | 1159 | M_TEMP, M_WAITOK); |
1160 | | | 1160 | |
1161 | /* read compressed file header */ | | 1161 | /* read compressed file header */ |
1162 | error = vn_rdwr(UIO_READ, nd.ni_vp, (void *)ch, | | 1162 | error = vn_rdwr(UIO_READ, nd.ni_vp, (void *)ch, |
1163 | sizeof(struct vnd_comp_header), 0, UIO_SYSSPACE, | | 1163 | sizeof(struct vnd_comp_header), 0, UIO_SYSSPACE, |
1164 | IO_UNIT|IO_NODELOCKED, l->l_cred, NULL, NULL); | | 1164 | IO_UNIT|IO_NODELOCKED, l->l_cred, NULL, NULL); |
1165 | if (error) { | | 1165 | if (error) { |
1166 | free(ch, M_TEMP); | | 1166 | free(ch, M_TEMP); |
1167 | VOP_UNLOCK(nd.ni_vp); | | 1167 | VOP_UNLOCK(nd.ni_vp); |
1168 | goto close_and_exit; | | 1168 | goto close_and_exit; |
1169 | } | | 1169 | } |
| | | 1170 | |
| | | 1171 | if (ntohl(ch->block_size) == 0 || |
| | | 1172 | ntohl(ch->num_blocks) > UINT32_MAX - 1) { |
| | | 1173 | free(ch, M_TEMP); |
| | | 1174 | VOP_UNLOCK(nd.ni_vp); |
| | | 1175 | goto close_and_exit; |
| | | 1176 | } |
1170 | | | 1177 | |
1171 | /* save some header info */ | | 1178 | /* save some header info */ |
1172 | vnd->sc_comp_blksz = ntohl(ch->block_size); | | 1179 | vnd->sc_comp_blksz = ntohl(ch->block_size); |
1173 | /* note last offset is the file byte size */ | | 1180 | /* note last offset is the file byte size */ |
1174 | vnd->sc_comp_numoffs = ntohl(ch->num_blocks)+1; | | 1181 | vnd->sc_comp_numoffs = ntohl(ch->num_blocks)+1; |
1175 | free(ch, M_TEMP); | | 1182 | free(ch, M_TEMP); |
1176 | if (vnd->sc_comp_blksz == 0 || | | 1183 | if (vnd->sc_comp_blksz == 0 || |
1177 | vnd->sc_comp_blksz % DEV_BSIZE !=0) { | | 1184 | vnd->sc_comp_blksz % DEV_BSIZE !=0) { |
1178 | VOP_UNLOCK(nd.ni_vp); | | 1185 | VOP_UNLOCK(nd.ni_vp); |
1179 | error = EINVAL; | | 1186 | error = EINVAL; |
1180 | goto close_and_exit; | | 1187 | goto close_and_exit; |
1181 | } | | 1188 | } |
1182 | if (sizeof(struct vnd_comp_header) + | | 1189 | KASSERT(0 < vnd->sc_comp_blksz); |
1183 | sizeof(u_int64_t) * vnd->sc_comp_numoffs > | | 1190 | KASSERT(0 < vnd->sc_comp_numoffs); |
1184 | vattr.va_size) { | | 1191 | /* |
| | | 1192 | * @#^@!$& gcc -Wtype-limits refuses to let me |
| | | 1193 | * write SIZE_MAX/sizeof(uint64_t) < numoffs, |
| | | 1194 | * because the range of the type on amd64 makes |
| | | 1195 | * the comparisons always false. |
| | | 1196 | */ |
| | | 1197 | #if SIZE_MAX <= UINT32_MAX*(64/CHAR_BIT) |
| | | 1198 | if (SIZE_MAX/sizeof(uint64_t) < vnd->sc_comp_numoffs) { |
| | | 1199 | VOP_UNLOCK(nd.ni_vp); |
| | | 1200 | error = EINVAL; |
| | | 1201 | goto close_and_exit; |
| | | 1202 | } |
| | | 1203 | #endif |
| | | 1204 | if ((vattr.va_size < sizeof(struct vnd_comp_header)) || |
| | | 1205 | (vattr.va_size - sizeof(struct vnd_comp_header) < |
| | | 1206 | sizeof(uint64_t)*vnd->sc_comp_numoffs) || |
| | | 1207 | (UQUAD_MAX/vnd->sc_comp_blksz < |
| | | 1208 | vnd->sc_comp_numoffs - 1)) { |
1185 | VOP_UNLOCK(nd.ni_vp); | | 1209 | VOP_UNLOCK(nd.ni_vp); |
1186 | error = EINVAL; | | 1210 | error = EINVAL; |
1187 | goto close_and_exit; | | 1211 | goto close_and_exit; |
1188 | } | | 1212 | } |
1189 | | | 1213 | |
1190 | /* set decompressed file size */ | | 1214 | /* set decompressed file size */ |
| | | 1215 | KASSERT(vnd->sc_comp_numoffs - 1 <= |
| | | 1216 | UQUAD_MAX/vnd->sc_comp_blksz); |
1191 | vattr.va_size = | | 1217 | vattr.va_size = |
1192 | ((u_quad_t)vnd->sc_comp_numoffs - 1) * | | 1218 | ((u_quad_t)vnd->sc_comp_numoffs - 1) * |
1193 | (u_quad_t)vnd->sc_comp_blksz; | | 1219 | (u_quad_t)vnd->sc_comp_blksz; |
1194 | | | 1220 | |
1195 | /* allocate space for all the compressed offsets */ | | 1221 | /* allocate space for all the compressed offsets */ |
| | | 1222 | __CTASSERT(UINT32_MAX <= UQUAD_MAX/sizeof(uint64_t)); |
1196 | vnd->sc_comp_offsets = | | 1223 | vnd->sc_comp_offsets = |
1197 | malloc(sizeof(u_int64_t) * vnd->sc_comp_numoffs, | | 1224 | malloc(sizeof(u_int64_t) * vnd->sc_comp_numoffs, |
1198 | M_DEVBUF, M_WAITOK); | | 1225 | M_DEVBUF, M_WAITOK); |
1199 | | | 1226 | |
1200 | /* read in the offsets */ | | 1227 | /* read in the offsets */ |
1201 | error = vn_rdwr(UIO_READ, nd.ni_vp, | | 1228 | error = vn_rdwr(UIO_READ, nd.ni_vp, |
1202 | (void *)vnd->sc_comp_offsets, | | 1229 | (void *)vnd->sc_comp_offsets, |
1203 | sizeof(u_int64_t) * vnd->sc_comp_numoffs, | | 1230 | sizeof(u_int64_t) * vnd->sc_comp_numoffs, |
1204 | sizeof(struct vnd_comp_header), UIO_SYSSPACE, | | 1231 | sizeof(struct vnd_comp_header), UIO_SYSSPACE, |
1205 | IO_UNIT|IO_NODELOCKED, l->l_cred, NULL, NULL); | | 1232 | IO_UNIT|IO_NODELOCKED, l->l_cred, NULL, NULL); |
1206 | if (error) { | | 1233 | if (error) { |
1207 | VOP_UNLOCK(nd.ni_vp); | | 1234 | VOP_UNLOCK(nd.ni_vp); |
1208 | goto close_and_exit; | | 1235 | goto close_and_exit; |
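Review bot: The new header sanity check at new lines 1171-1176 (`ntohl(ch->block_size) == 0 || ntohl(ch->num_blocks) > UINT32_MAX - 1`) jumps to `close_and_exit` without assigning `error`, which is still 0 there because the preceding `if (error)` test has just passed. Every other rejection path in this hunk sets `error = EINVAL;` before the jump. Unless `close_and_exit` sets it (that label is outside the hunk), a malformed compressed-image header would be refused while the ioctl still reports success to the caller. Adding `error = EINVAL;` before the `goto` in that branch would make the failure visible and consistent with the checks that follow. The enclosing `vndioctl` body starts and ends outside the hunk, so the cleanup path should be confirmed against the full function.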