Sat Aug 19 04:29:10 2017 UTC ()
Pull up following revision(s) (requested by mrg in ticket #1486):
	sys/dev/ic/ciss.c: revision 1.37
Reject negative indices from userland.


(snj)
diff -r1.27.14.1 -r1.27.14.2 src/sys/dev/ic/ciss.c


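--- a/src/sys/dev/ic/ciss.c
+++ b/src/sys/dev/ic/ciss.c
@@ -1,35 +1,35 @@
-/* $NetBSD: ciss.c,v 1.27.14.1 2012/11/22 17:26:37 riz Exp $ */
+/* $NetBSD: ciss.c,v 1.27.14.2 2017/08/19 04:29:10 snj Exp $ */
 /* $OpenBSD: ciss.c,v 1.14 2006/03/13 16:02:23 mickey Exp $ */
 
 /*
  * Copyright (c) 2005 Michael Shalayeff
  * All rights reserved.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
  * WHATSOEVER RESULTING FROM LOSS OF MIND, USE, DATA OR PROFITS, WHETHER IN
  * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
  * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ciss.c,v 1.27.14.1 2012/11/22 17:26:37 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ciss.c,v 1.27.14.2 2017/08/19 04:29:10 snj Exp $");
 
 #include "bio.h"
 
 /* #define CISS_DEBUG */
 
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/buf.h>
 #include <sys/ioctl.h>
 #include <sys/device.h>
 #include <sys/kernel.h>
 #include <sys/malloc.h>
 #include <sys/proc.h>
@@ -1188,32 +1188,32 @@ ciss_ioctl(device_t dev, u_long cmd, voi
  * XXX since we don't know how to associate physical drives with logical drives
  * yet, BIOCDISK_NOVOL is equivalent to BIOCDISK to the volume that we've
  * associated all physical drives to.
  * Maybe assoicate all physical drives to all logical volumes, but only return
  * physical drives on one logical volume. Which one? Either 1st volume that
  * is degraded, rebuilding, or failed?
  */
  bd = (struct bioc_disk *)addr;
  bd->bd_volid = 0;
  bd->bd_disknovol = true;
  /* FALLTHROUGH */
  case BIOCDISK:
  bd = (struct bioc_disk *)addr;
- if (bd->bd_volid > sc->maxunits) {
+ if (bd->bd_volid < 0 || bd->bd_volid > sc->maxunits) {
  error = EINVAL;
  break;
  }
  ldp = sc->sc_lds[0];
- if (!ldp || (pd = bd->bd_diskid) > ldp->ndrives) {
+ if (!ldp || (pd = bd->bd_diskid) < 0 || pd > ldp->ndrives) {
  error = EINVAL;
  break;
  }
  ldstat = sc->scratch;
  if ((error = ciss_ldstat(sc, bd->bd_volid, ldstat))) {
  break;
  }
  bd->bd_status = -1;
  if (ldstat->stat == CISS_LD_REBLD &&
  ldstat->bigrebuild == ldp->tgts[pd])
  bd->bd_status = BIOC_SDREBUILD;
  if (ciss_bitset(ldp->tgts[pd] & (~CISS_BIGBIT),
  ldstat->bigfailed)) {
@@ -1294,27 +1294,27 @@ ciss_ioctl(device_t dev, u_long cmd, voi
  return (error);
 }
 
 int
 ciss_ioctl_vol(struct ciss_softc *sc, struct bioc_vol *bv)
 {
  struct ciss_ldid *ldid;
  struct ciss_ld *ldp;
  struct ciss_ldstat *ldstat;
  struct ciss_pdid *pdid;
  int error = 0;
  u_int blks;
 
- if (bv->bv_volid > sc->maxunits) {
+ if (bv->bv_volid < 0 || bv->bv_volid > sc->maxunits) {
  return EINVAL;
  }
  ldp = sc->sc_lds[bv->bv_volid];
  ldid = sc->scratch;
  if ((error = ciss_ldid(sc, bv->bv_volid, ldid))) {
  return error;
  }
  bv->bv_status = BIOC_SVINVALID;
  blks = (u_int)le16toh(ldid->nblocks[1]) << 16 |
  le16toh(ldid->nblocks[0]);
  bv->bv_size = blks * (u_quad_t)le16toh(ldid->blksize);
  bv->bv_level = ciss_level[ldid->type];
 /*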
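Review bot: The upper bounds in the three tightened checks (lines 1201, 1206 and 1307) still use `>`, so a userland index equal to the limit passes: `bv->bv_volid == sc->maxunits` reaches `sc->sc_lds[bv->bv_volid]`, and `pd == ldp->ndrives` reaches `ldp->tgts[pd]`. If `sc_lds` holds `maxunits` entries and `tgts` holds `ndrives` entries (neither allocation is visible in this diff, so confirm against the attach code), each is a one-past-the-end read reachable from the ioctl, and the comparisons should be `>=`, e.g. `if (bv->bv_volid < 0 || bv->bv_volid >= sc->maxunits)` and `(pd = bd->bd_diskid) < 0 || pd >= ldp->ndrives`. Separately, ciss_ioctl_vol assigns `ldp = sc->sc_lds[bv->bv_volid]` without the `!ldp` test that the BIOCDISK case applies. Its body continues past the hunk, so that check may exist further down.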