MFC sys_process.c 1.113, spigot.c 1.60:

Add or correct range checking of signal numbers in system calls and ioctls. MFC kern_sig.c 1.257: panic() if we try to handle an out-of-range signal number in psignal()/ tdsignal().
freebsd · Aug 10, 2003 · fcfc1f2 · fcfc1f2
1 parent 46c9584
commit fcfc1f2
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 5 deletions.
diff --git a/UPDATING b/UPDATING
@@ -4,6 +4,17 @@ This file is maintained and copyrighted by M. Warner Losh
 <imp@village.org>.  See end of file for further details.  For commonly
 done items, please see the COMMON ITEMS: section later in the file.
 
+This is for the 5.1 release branch.  All entries since 5.0 are an
+itemized list of commits to this branch, numbered from the beginning.
+
+The security advisories related to various patches contain information
+on how to build/install a minimal set of binaries and start/stop a
+minimal number of processes, if possible, for that patch.  For those
+updates that don't have an advisory, or to be safe, you can do a full
+build and install as described in the COMMON ITEMS section.
+
+20030810:	p1	FreeBSD-SA-03:09.signal
+	Repair range-checking errors in signal handling.
 
 20030603:
 	FreeBSD 5.1

diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
@@ -36,7 +36,7 @@
 
 TYPE="FreeBSD"
 REVISION="5.1"
-BRANCH="RELEASE"
+BRANCH="RELEASE-p1"
 RELEASE="${REVISION}-${BRANCH}"
 VERSION="${TYPE} ${RELEASE}"
 

diff --git a/sys/i386/isa/spigot.c b/sys/i386/isa/spigot.c
@@ -222,6 +222,8 @@ struct	spigot_info	*info;
 	if(!data) return(EINVAL);
 	switch(cmd){
 	case	SPIGOT_SETINT:
+		if (*(int *)data < 0 || *(int *)data > _SIG_MAXSIG)
+			return EINVAL;
 		ss->p = td->td_proc;
 		ss->signal_num = *((int *)data);
 		break;

diff --git a/sys/kern/kern_sig.c b/sys/kern/kern_sig.c
@@ -1534,6 +1534,9 @@ psignal(struct proc *p, int sig)
 	struct thread *td;
 	int prop;
 
+	if (!_SIG_VALID(sig))
+		panic("psignal(): invalid signal");
+
 	PROC_LOCK_ASSERT(p, MA_OWNED);
 	prop = sigprop(sig);
 
@@ -1558,8 +1561,8 @@ tdsignal(struct thread *td, int sig)
 	register int prop;
 	struct sigacts *ps;
 
-	KASSERT(_SIG_VALID(sig),
-	    ("tdsignal(): invalid signal %d\n", sig));
+	if (!_SIG_VALID(sig))
+		panic("do_tdsignal(): invalid signal");
 
 	p = td->td_proc;
 	ps = p->p_sigacts;

diff --git a/sys/kern/sys_process.c b/sys/kern/sys_process.c
@@ -549,8 +549,8 @@ kern_ptrace(struct thread *td, int req, pid_t pid, void *addr, int data)
 	case PT_STEP:
 	case PT_CONTINUE:
 	case PT_DETACH:
-		/* XXX data is used even in the PT_STEP case. */
-		if (req != PT_STEP && (unsigned)data > _SIG_MAXSIG) {
+		/* Zero means do not send any signal */
+		if (data < 0 || data > _SIG_MAXSIG) {
 			error = EINVAL;
 			goto fail;
 		}