Attachment 197075 Details for Bug 230993 – Patch to fix accesses to userland pointers in kernel module

[patch] Patch to fix accesses to userland pointers in kernel module

acpi_call_port.patch (text/plain), 5.26 KB, created by Jean-Sébastien Pédron on 2018-09-13 20:25:35 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Jean-Sébastien Pédron

Created: 2018-09-13 20:25:35 UTC

Size: 5.26 KB

patch

obsolete

>Index: sysutils/acpi_call/Makefile
>===================================================================
>--- sysutils/acpi_call/Makefile	(revision 479666)
>+++ sysutils/acpi_call/Makefile	(working copy)
>@@ -3,6 +3,7 @@
> 
> PORTNAME=	acpi_call
> PORTVERSION=	1.0.1
>+PORTREVISION=	1
> CATEGORIES=	sysutils
> MASTER_SITES=	http://projects.ukrweb.net/files/ \
> 		http://imax.in.ua/files/
>Index: sysutils/acpi_call/files/patch-acpi__call.c
>===================================================================
>--- sysutils/acpi_call/files/patch-acpi__call.c	(nonexistent)
>+++ sysutils/acpi_call/files/patch-acpi__call.c	(working copy)
>@@ -0,0 +1,75 @@
>+--- acpi_call.c.orig	2011-11-07 05:35:10 UTC
>++++ acpi_call.c
>+@@ -43,12 +43,13 @@
>+ #include "acpi_call_io.h"
>+ 
>+ 
>+-void acpi_call_fixup_pointers(ACPI_OBJECT *p, UINT8 *orig);
>++void acpi_call_fixup_pointers(ACPI_OBJECT *p, UINT8 *user, size_t len);
>+ 
>+ static int
>+ acpi_call_ioctl(u_long cmd, caddr_t addr, void *arg)
>+ {
>+ 	struct acpi_call_descr *params;
>++	char		path[MAX_ACPI_PATH + 1];
>+ 	ACPI_BUFFER	result;
>+ 
>+ 	result.Length = ACPI_ALLOCATE_BUFFER;
>+@@ -56,19 +57,24 @@ acpi_call_ioctl(u_long cmd, caddr_t addr, void *arg)
>+ 
>+ 	if (cmd == ACPIIO_CALL) {
>+ 		params = (struct acpi_call_descr*)addr;
>+-		params->retval = AcpiEvaluateObject(NULL, params->path, &params->args, &result);
>++		copyin(params->path, path, params->path_len);
>++		path[params->path_len] = '\0';
>++		params->retval = AcpiEvaluateObject(NULL, path, &params->args, &result);
>+ 		if (ACPI_SUCCESS(params->retval))
>+ 		{
>+ 			if (result.Pointer != NULL)
>+ 			{
>+ 				if (params->result.Pointer != NULL)
>+ 				{	
>++					if (params->result.Length < sizeof(ACPI_OBJECT)) {
>++						AcpiOsFree(result.Pointer);
>++						return (EINVAL);
>++					}
>+ 					params->result.Length = min(params->result.Length, result.Length);
>++					acpi_call_fixup_pointers((ACPI_OBJECT*)(result.Pointer), params->result.Pointer, result.Length);
>+ 					copyout(result.Pointer, params->result.Pointer,
>+ 							params->result.Length);
>+ 					params->reslen = result.Length;
>+-					if (result.Length >= sizeof(ACPI_OBJECT))
>+-						acpi_call_fixup_pointers((ACPI_OBJECT*)(params->result.Pointer), result.Pointer);
>+ 				}
>+ 				AcpiOsFree(result.Pointer);
>+ 			}
>+@@ -79,16 +85,24 @@ acpi_call_ioctl(u_long cmd, caddr_t addr, void *arg)
>+ }
>+ 
>+ void
>+-acpi_call_fixup_pointers(ACPI_OBJECT *p, UINT8 *orig)
>++acpi_call_fixup_pointers(ACPI_OBJECT *p, UINT8 *user, size_t len)
>+ {
>+ 	switch (p->Type)
>+ 	{
>+ 	case ACPI_TYPE_STRING:
>+-		p->String.Pointer = (char*)((UINT8*)(p->String.Pointer) - orig + (UINT8*)p);
>+-		break;
>++		if ((char *)(p->String.Pointer + p->String.Length/sizeof(*p->String.Pointer)) <= (char *)p + len) {
>++			p->String.Pointer = user + ( (char *)p->String.Pointer - (char *)p );
>++			return;
>++		}
>++		p->String.Pointer = NULL;
>++		return;
>+ 	case ACPI_TYPE_BUFFER:
>+-		p->Buffer.Pointer -= orig - (UINT8*)p;
>+-		break;
>++		if ((char *)(p->Buffer.Pointer + p->Buffer.Length/sizeof(*p->Buffer.Pointer)) <= (char *)p + len) {
>++			p->Buffer.Pointer = user + ( (char *)p->Buffer.Pointer - (char *)p );
>++			return;
>++		}
>++		p->Buffer.Pointer = NULL;
>++		return;
>+ 	}
>+ }
>+ 
>
>Property changes on: sysutils/acpi_call/files/patch-acpi__call.c
>___________________________________________________________________
>Added: fbsd:nokeywords
>## -0,0 +1 ##
>+yes
>\ No newline at end of property
>Added: svn:eol-style
>## -0,0 +1 ##
>+native
>\ No newline at end of property
>Added: svn:mime-type
>## -0,0 +1 ##
>+text/plain
>\ No newline at end of property
>Index: sysutils/acpi_call/files/patch-acpi__call__io.h
>===================================================================
>--- sysutils/acpi_call/files/patch-acpi__call__io.h	(nonexistent)
>+++ sysutils/acpi_call/files/patch-acpi__call__io.h	(working copy)
>@@ -0,0 +1,15 @@
>+--- acpi_call_io.h.orig	2018-09-13 19:07:48 UTC
>++++ acpi_call_io.h
>+@@ -38,9 +38,12 @@
>+ #	include <contrib/dev/acpica/actypes.h>
>+ #endif
>+ 
>++#define	MAX_ACPI_PATH	1024 // XXX
>++
>+ struct acpi_call_descr
>+ {
>+ 	char		*path;
>++	size_t		 path_len;
>+ 	ACPI_OBJECT_LIST	args;
>+ 	ACPI_STATUS	retval;
>+ 	ACPI_BUFFER	result;
>
>Property changes on: sysutils/acpi_call/files/patch-acpi__call__io.h
>___________________________________________________________________
>Added: fbsd:nokeywords
>## -0,0 +1 ##
>+yes
>\ No newline at end of property
>Added: svn:eol-style
>## -0,0 +1 ##
>+native
>\ No newline at end of property
>Added: svn:mime-type
>## -0,0 +1 ##
>+text/plain
>\ No newline at end of property
>Index: sysutils/acpi_call/files/patch-acpi__call__util.c
>===================================================================
>--- sysutils/acpi_call/files/patch-acpi__call__util.c	(revision 479666)
>+++ sysutils/acpi_call/files/patch-acpi__call__util.c	(working copy)
>@@ -1,5 +1,21 @@
> --- acpi_call_util.c.orig	2011-11-07 05:35:10 UTC
> +++ acpi_call_util.c
>+@@ -42,7 +42,6 @@
>+ #include <stdio.h>
>+ #include <string.h>
>+ 
>+-#define	MAX_ACPI_PATH	1024 // XXX
>+ #define MAX_ACPI_ARGS	7
>+ 
>+ char dev_path[MAXPATHLEN] = "/dev/acpi";
>+@@ -89,6 +88,7 @@ int main(int argc, char * argv[])
>+ 		fprintf(stderr, "Please specify path to method with -p flag\n");
>+ 		return 1;
>+ 	}
>++	params.path_len = strnlen(method_path, MAX_ACPI_PATH);
>+ 
>+ 	if (verbose)
>+ 		print_params(&params);
> @@ -102,6 +102,7 @@ int main(int argc, char * argv[])
>  	if (ioctl(fd, ACPIIO_CALL, &params) == -1)
>  	{

Actions: View | Diff

Attachments on bug 230993: 196667 | 197075 | 197077