From b261876b05beae09af1ac260b35bb38a79ca10da Mon Sep 17 00:00:00 2001
From: guenther
Date: Thu, 14 Jul 2016 05:55:08 +0000
Subject: [PATCH] Prevent silly states via knotes on pids > 2^32 and on nonexistent signals.

ok tedu@
---
 regress/sys/kern/kqueue/kqueue-process.c | 11 ++++++++++-
 regress/sys/kern/kqueue/kqueue-signal.c  |  8 +++++++-
 sys/kern/kern_event.c                    |  5 ++++-
 sys/kern/kern_sig.c                      |  5 ++++-
 4 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/regress/sys/kern/kqueue/kqueue-process.c b/regress/sys/kern/kqueue/kqueue-process.c
index d62b2699d18..a579445cdd5 100644
--- a/regress/sys/kern/kqueue/kqueue-process.c
+++ b/regress/sys/kern/kqueue/kqueue-process.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kqueue-process.c,v 1.9 2016/03/17 19:40:43 krw Exp $ */
+/* $OpenBSD: kqueue-process.c,v 1.10 2016/07/14 05:55:08 guenther Exp $ */
 /*
  * Written by Artur Grabowski 2002 Public Domain
  */
@@ -10,6 +10,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
@@ -65,6 +66,14 @@ do_process(void)
 	ASS(kevent(kq, &ke, 1, NULL, 0, NULL) == 0,
 	    warn("can't register events on kqueue"));
 
+	/* negative case */
+	EV_SET(&ke, pid + (1ULL << 32), EVFILT_PROC, EV_ADD|EV_ENABLE|EV_CLEAR,
+	    NOTE_EXIT|NOTE_FORK|NOTE_EXEC|NOTE_TRACK, 0, NULL);
+	ASS(kevent(kq, &ke, 1, NULL, 0, NULL) != 0,
+	    warnx("can register bogus pid on kqueue"));
+	ASS(errno == ESRCH,
+	    warn("register bogus pid on kqueue returned wrong error"));
+
 	kill(pid, SIGUSR1);	/* sync 1 */
 
 	didfork = didchild = 0;
diff --git a/regress/sys/kern/kqueue/kqueue-signal.c b/regress/sys/kern/kqueue/kqueue-signal.c
index 0ad7b701303..97980968373 100644
--- a/regress/sys/kern/kqueue/kqueue-signal.c
+++ b/regress/sys/kern/kqueue/kqueue-signal.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kqueue-signal.c,v 1.1 2011/07/07 02:00:51 guenther Exp $ */
+/* $OpenBSD: kqueue-signal.c,v 1.2 2016/07/14 05:55:08 guenther Exp $ */
 /*
  * Written by Philip Guenther 2011 Public Domain
  */
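Review bot: The negative case added to do_process() only exercises what it intends where `ke.ident` is wider than `pid_t`; on a 32-bit target `pid + (1ULL << 32)` is narrowed back to `pid` when stored into the ident, the registration presumably succeeds (it re-adds the knote already registered for `pid` two statements earlier), and `ASS(kevent(...) != 0, ...)` then fails with a spurious "can register bogus pid on kqueue". Gating the block with `if (sizeof(ke.ident) > sizeof(pid_t)) {` … `}` keeps it meaningful on LP64 and a no-op elsewhere. The `/* negative case */` comment would also be more useful if it said why the id must be rejected, e.g. `/* negative case: an ident above PID_MAX would alias a real pid once narrowed */`. do_process() continues outside the hunk.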
@@ -71,6 +71,12 @@ do_signal(void)
 	ASS(kevent(kq, &ke, 1, NULL, 0, NULL) == 0,
 	    warn("can't register events on kqueue"));
 
+	EV_SET(&ke, 10000, EVFILT_SIGNAL, EV_ADD|EV_ENABLE, 0, 0, NULL);
+	ASS(kevent(kq, &ke, 1, NULL, 0, NULL) != 0,
+	    warnx("registered bogus signal on kqueue"));
+	ASS(errno == EINVAL,
+	    warn("registering bogus signal on kqueue returned wrong error"));
+
 	ASSX(saw_usr1 == 0);
 	kill(pid, SIGUSR1);
 	ASSX(saw_usr1 == 1);
diff --git a/sys/kern/kern_event.c b/sys/kern/kern_event.c
index 3010c198b37..b5ba9202f25 100644
--- a/sys/kern/kern_event.c
+++ b/sys/kern/kern_event.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_event.c,v 1.73 2016/07/14 02:35:17 tedu Exp $ */
+/* $OpenBSD: kern_event.c,v 1.74 2016/07/14 05:55:08 guenther Exp $ */
 
 /*-
  * Copyright (c) 1999,2000,2001 Jonathan Lemon
@@ -216,6 +216,9 @@ filt_procattach(struct knote *kn)
 	    (curproc->p_p->ps_pledge & PLEDGE_PROC) == 0)
 		return pledge_fail(curproc, EPERM, PLEDGE_PROC);
 
+	if (kn->kn_id > PID_MAX)
+		return ESRCH;
+
 	pr = prfind(kn->kn_id);
 	if (pr == NULL)
 		return (ESRCH);
diff --git a/sys/kern/kern_sig.c b/sys/kern/kern_sig.c
index 0d9eb786495..374e58d9bc4 100644
--- a/sys/kern/kern_sig.c
+++ b/sys/kern/kern_sig.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_sig.c,v 1.201 2016/07/06 15:53:01 tedu Exp $ */
+/* $OpenBSD: kern_sig.c,v 1.202 2016/07/14 05:55:08 guenther Exp $ */
 /* $NetBSD: kern_sig.c,v 1.54 1996/04/22 01:38:32 christos Exp $ */
 
 /*
@@ -1824,6 +1824,9 @@ filt_sigattach(struct knote *kn)
 {
 	struct process *pr = curproc->p_p;
 
+	if (kn->kn_id >= NSIG)
+		return EINVAL;
+
 	kn->kn_ptr.p_process = pr;
 	kn->kn_flags |= EV_CLEAR;		/* automatically set */
 
-- 
2.20.1
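Review bot: The bogus-signal registration in do_signal() probes only a far out-of-range value (10000), so it cannot catch an off-by-one in the kernel's upper bound. Repeating the same three statements with `NSIG` as the ident (the first invalid number, if NSIG is visible to the test via <signal.h>) would pin the exact boundary the kernel guard is written against, and a probe with 0 would document whether rejecting it is expected. do_signal() continues outside the hunk.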
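Review bot: The new range check in filt_procattach() returns `ESRCH` bare while the identical failure two lines below returns `(ESRCH)`; pick one form within the function. The check also deserves a why-comment, because a reader may assume prfind() already rejects such ids: `/* kn_id is wider than pid_t; an id above PID_MAX would alias a real pid once narrowed for prfind() */` (this assumes kn_id is the kevent ident, a uintptr_t — confirm against sys/event.h). filt_procattach() begins and continues outside the hunk.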
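Review bot: The guard in filt_sigattach() bounds only the high side; `kn_id == 0` still attaches even though 0 is not a signal kill() delivers, so that knote can never fire. If nothing in the kernel posts signal 0 (cannot confirm from here), `if (kn->kn_id == 0 || kn->kn_id >= NSIG)` would match the commit's stated intent of rejecting nonexistent signals; otherwise a short comment saying 0 is deliberately accepted keeps the question from recurring. filt_sigattach() continues outside the hunk.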