| @@ -1,14 +1,14 @@ | | | @@ -1,14 +1,14 @@ |
1 | /* $NetBSD: vnd.c,v 1.232.2.3.2.1 2016/01/02 14:38:45 riz Exp $ */ | | 1 | /* $NetBSD: vnd.c,v 1.232.2.3.2.2 2017/08/19 05:19:28 snj Exp $ */ |
2 | | | 2 | |
3 | /*- | | 3 | /*- |
4 | * Copyright (c) 1996, 1997, 1998, 2008 The NetBSD Foundation, Inc. | | 4 | * Copyright (c) 1996, 1997, 1998, 2008 The NetBSD Foundation, Inc. |
5 | * All rights reserved. | | 5 | * All rights reserved. |
6 | * | | 6 | * |
7 | * This code is derived from software contributed to The NetBSD Foundation | | 7 | * This code is derived from software contributed to The NetBSD Foundation |
8 | * by Jason R. Thorpe. | | 8 | * by Jason R. Thorpe. |
9 | * | | 9 | * |
10 | * Redistribution and use in source and binary forms, with or without | | 10 | * Redistribution and use in source and binary forms, with or without |
11 | * modification, are permitted provided that the following conditions | | 11 | * modification, are permitted provided that the following conditions |
12 | * are met: | | 12 | * are met: |
13 | * 1. Redistributions of source code must retain the above copyright | | 13 | * 1. Redistributions of source code must retain the above copyright |
14 | * notice, this list of conditions and the following disclaimer. | | 14 | * notice, this list of conditions and the following disclaimer. |
| @@ -81,27 +81,27 @@ | | | @@ -81,27 +81,27 @@ |
81 | * systems where the block-level operations are not implemented for | | 81 | * systems where the block-level operations are not implemented for |
82 | * whatever reason. | | 82 | * whatever reason. |
83 | * | | 83 | * |
84 | * NOTE 2: There is a security issue involved with this driver. | | 84 | * NOTE 2: There is a security issue involved with this driver. |
85 | * Once mounted all access to the contents of the "mapped" file via | | 85 | * Once mounted all access to the contents of the "mapped" file via |
86 | * the special file is controlled by the permissions on the special | | 86 | * the special file is controlled by the permissions on the special |
87 | * file, the protection of the mapped file is ignored (effectively, | | 87 | * file, the protection of the mapped file is ignored (effectively, |
88 | * by using root credentials in all transactions). | | 88 | * by using root credentials in all transactions). |
89 | * | | 89 | * |
90 | * NOTE 3: Doesn't interact with leases, should it? | | 90 | * NOTE 3: Doesn't interact with leases, should it? |
91 | */ | | 91 | */ |
92 | | | 92 | |
93 | #include <sys/cdefs.h> | | 93 | #include <sys/cdefs.h> |
94 | __KERNEL_RCSID(0, "$NetBSD: vnd.c,v 1.232.2.3.2.1 2016/01/02 14:38:45 riz Exp $"); | | 94 | __KERNEL_RCSID(0, "$NetBSD: vnd.c,v 1.232.2.3.2.2 2017/08/19 05:19:28 snj Exp $"); |
95 | | | 95 | |
96 | #if defined(_KERNEL_OPT) | | 96 | #if defined(_KERNEL_OPT) |
97 | #include "opt_vnd.h" | | 97 | #include "opt_vnd.h" |
98 | #include "opt_compat_netbsd.h" | | 98 | #include "opt_compat_netbsd.h" |
99 | #endif | | 99 | #endif |
100 | | | 100 | |
101 | #include <sys/param.h> | | 101 | #include <sys/param.h> |
102 | #include <sys/systm.h> | | 102 | #include <sys/systm.h> |
103 | #include <sys/namei.h> | | 103 | #include <sys/namei.h> |
104 | #include <sys/proc.h> | | 104 | #include <sys/proc.h> |
105 | #include <sys/kthread.h> | | 105 | #include <sys/kthread.h> |
106 | #include <sys/errno.h> | | 106 | #include <sys/errno.h> |
107 | #include <sys/buf.h> | | 107 | #include <sys/buf.h> |
| @@ -1228,51 +1228,78 @@ vndioctl(dev_t dev, u_long cmd, void *da | | | @@ -1228,51 +1228,78 @@ vndioctl(dev_t dev, u_long cmd, void *da |
1228 | /* allocate space for compresed file header */ | | 1228 | /* allocate space for compresed file header */ |
1229 | ch = malloc(sizeof(struct vnd_comp_header), | | 1229 | ch = malloc(sizeof(struct vnd_comp_header), |
1230 | M_TEMP, M_WAITOK); | | 1230 | M_TEMP, M_WAITOK); |
1231 | | | 1231 | |
1232 | /* read compressed file header */ | | 1232 | /* read compressed file header */ |
1233 | error = vn_rdwr(UIO_READ, nd.ni_vp, (void *)ch, | | 1233 | error = vn_rdwr(UIO_READ, nd.ni_vp, (void *)ch, |
1234 | sizeof(struct vnd_comp_header), 0, UIO_SYSSPACE, | | 1234 | sizeof(struct vnd_comp_header), 0, UIO_SYSSPACE, |
1235 | IO_UNIT|IO_NODELOCKED, l->l_cred, NULL, NULL); | | 1235 | IO_UNIT|IO_NODELOCKED, l->l_cred, NULL, NULL); |
1236 | if (error) { | | 1236 | if (error) { |
1237 | free(ch, M_TEMP); | | 1237 | free(ch, M_TEMP); |
1238 | VOP_UNLOCK(nd.ni_vp); | | 1238 | VOP_UNLOCK(nd.ni_vp); |
1239 | goto close_and_exit; | | 1239 | goto close_and_exit; |
1240 | } | | 1240 | } |
| | | 1241 | |
| | | 1242 | if (ntohl(ch->block_size) == 0 || |
| | | 1243 | ntohl(ch->num_blocks) > UINT32_MAX - 1) { |
| | | 1244 | free(ch, M_TEMP); |
| | | 1245 | VOP_UNLOCK(nd.ni_vp); |
| | | 1246 | goto close_and_exit; |
| | | 1247 | } |
1241 | | | 1248 | |
1242 | /* save some header info */ | | 1249 | /* save some header info */ |
1243 | vnd->sc_comp_blksz = ntohl(ch->block_size); | | 1250 | vnd->sc_comp_blksz = ntohl(ch->block_size); |
1244 | /* note last offset is the file byte size */ | | 1251 | /* note last offset is the file byte size */ |
1245 | vnd->sc_comp_numoffs = ntohl(ch->num_blocks)+1; | | 1252 | vnd->sc_comp_numoffs = ntohl(ch->num_blocks)+1; |
1246 | free(ch, M_TEMP); | | 1253 | free(ch, M_TEMP); |
1247 | if (!DK_DEV_BSIZE_OK(vnd->sc_comp_blksz)) { | | 1254 | if (!DK_DEV_BSIZE_OK(vnd->sc_comp_blksz)) { |
1248 | VOP_UNLOCK(nd.ni_vp); | | 1255 | VOP_UNLOCK(nd.ni_vp); |
1249 | error = EINVAL; | | 1256 | error = EINVAL; |
1250 | goto close_and_exit; | | 1257 | goto close_and_exit; |
1251 | } | | 1258 | } |
1252 | if (sizeof(struct vnd_comp_header) + | | 1259 | KASSERT(0 < vnd->sc_comp_blksz); |
1253 | sizeof(u_int64_t) * vnd->sc_comp_numoffs > | | 1260 | KASSERT(0 < vnd->sc_comp_numoffs); |
1254 | vattr.va_size) { | | 1261 | /* |
| | | 1262 | * @#^@!$& gcc -Wtype-limits refuses to let me |
| | | 1263 | * write SIZE_MAX/sizeof(uint64_t) < numoffs, |
| | | 1264 | * because the range of the type on amd64 makes |
| | | 1265 | * the comparisons always false. |
| | | 1266 | */ |
| | | 1267 | #if SIZE_MAX <= UINT32_MAX*(64/CHAR_BIT) |
| | | 1268 | if (SIZE_MAX/sizeof(uint64_t) < vnd->sc_comp_numoffs) { |
| | | 1269 | VOP_UNLOCK(nd.ni_vp); |
| | | 1270 | error = EINVAL; |
| | | 1271 | goto close_and_exit; |
| | | 1272 | } |
| | | 1273 | #endif |
| | | 1274 | if ((vattr.va_size < sizeof(struct vnd_comp_header)) || |
| | | 1275 | (vattr.va_size - sizeof(struct vnd_comp_header) < |
| | | 1276 | sizeof(uint64_t)*vnd->sc_comp_numoffs) || |
| | | 1277 | (UQUAD_MAX/vnd->sc_comp_blksz < |
| | | 1278 | vnd->sc_comp_numoffs - 1)) { |
1255 | VOP_UNLOCK(nd.ni_vp); | | 1279 | VOP_UNLOCK(nd.ni_vp); |
1256 | error = EINVAL; | | 1280 | error = EINVAL; |
1257 | goto close_and_exit; | | 1281 | goto close_and_exit; |
1258 | } | | 1282 | } |
1259 | | | 1283 | |
1260 | /* set decompressed file size */ | | 1284 | /* set decompressed file size */ |
| | | 1285 | KASSERT(vnd->sc_comp_numoffs - 1 <= |
| | | 1286 | UQUAD_MAX/vnd->sc_comp_blksz); |
1261 | vattr.va_size = | | 1287 | vattr.va_size = |
1262 | ((u_quad_t)vnd->sc_comp_numoffs - 1) * | | 1288 | ((u_quad_t)vnd->sc_comp_numoffs - 1) * |
1263 | (u_quad_t)vnd->sc_comp_blksz; | | 1289 | (u_quad_t)vnd->sc_comp_blksz; |
1264 | | | 1290 | |
1265 | /* allocate space for all the compressed offsets */ | | 1291 | /* allocate space for all the compressed offsets */ |
| | | 1292 | __CTASSERT(UINT32_MAX <= UQUAD_MAX/sizeof(uint64_t)); |
1266 | vnd->sc_comp_offsets = | | 1293 | vnd->sc_comp_offsets = |
1267 | malloc(sizeof(u_int64_t) * vnd->sc_comp_numoffs, | | 1294 | malloc(sizeof(u_int64_t) * vnd->sc_comp_numoffs, |
1268 | M_DEVBUF, M_WAITOK); | | 1295 | M_DEVBUF, M_WAITOK); |
1269 | | | 1296 | |
1270 | /* read in the offsets */ | | 1297 | /* read in the offsets */ |
1271 | error = vn_rdwr(UIO_READ, nd.ni_vp, | | 1298 | error = vn_rdwr(UIO_READ, nd.ni_vp, |
1272 | (void *)vnd->sc_comp_offsets, | | 1299 | (void *)vnd->sc_comp_offsets, |
1273 | sizeof(u_int64_t) * vnd->sc_comp_numoffs, | | 1300 | sizeof(u_int64_t) * vnd->sc_comp_numoffs, |
1274 | sizeof(struct vnd_comp_header), UIO_SYSSPACE, | | 1301 | sizeof(struct vnd_comp_header), UIO_SYSSPACE, |
1275 | IO_UNIT|IO_NODELOCKED, l->l_cred, NULL, NULL); | | 1302 | IO_UNIT|IO_NODELOCKED, l->l_cred, NULL, NULL); |
1276 | if (error) { | | 1303 | if (error) { |
1277 | VOP_UNLOCK(nd.ni_vp); | | 1304 | VOP_UNLOCK(nd.ni_vp); |
1278 | goto close_and_exit; | | 1305 | goto close_and_exit; |