summaryrefslogtreecommitdiff
path: root/usr/src/uts/common/contract/process.c
diff options
context:
space:
mode:
authoracruz <none@none>2008-03-17 13:30:12 -0700
committeracruz <none@none>2008-03-17 13:30:12 -0700
commitd170b13ab825d81e5f4efc7b970b75c163482b8c (patch)
treed71d5a042a10b5e4a4dcaa58cbaa3b980788ded9 /usr/src/uts/common/contract/process.c
parentdccdf0ade300ebd8e2a17bc94f407c044aac6547 (diff)
downloadillumos-joyent-d170b13ab825d81e5f4efc7b970b75c163482b8c.tar.gz
6675747 uninitialized kernel memory returned by ctfs when specially crafted parameter is passed to ioctl
Diffstat (limited to 'usr/src/uts/common/contract/process.c')
-rw-r--r--usr/src/uts/common/contract/process.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/usr/src/uts/common/contract/process.c b/usr/src/uts/common/contract/process.c
index e054ffdcea..97e9be4735 100644
--- a/usr/src/uts/common/contract/process.c
+++ b/usr/src/uts/common/contract/process.c
@@ -236,6 +236,8 @@ ctmpl_process_set(struct ct_template *tmpl, ct_param_t *param, const cred_t *cr)
str_value = (char *)param->ctpm_value;
str_value[param->ctpm_size - 1] = '\0';
} else {
+ if (param->ctpm_size < sizeof (uint64_t))
+ return (EINVAL);
param_value = *(uint64_t *)param->ctpm_value;
/*
* No process contract parameters are > 32 bits.
@@ -358,6 +360,14 @@ ctmpl_process_get(struct ct_template *template, ct_param_t *param)
ctmpl_process_t *ctp = template->ctmpl_data;
uint64_t *param_value = param->ctpm_value;
+ if (param->ctpm_id == CTPP_SUBSUME ||
+ param->ctpm_id == CTPP_PARAMS ||
+ param->ctpm_id == CTPP_EV_FATAL) {
+ if (param->ctpm_size < sizeof (uint64_t))
+ return (EINVAL);
+ param->ctpm_size = sizeof (uint64_t);
+ }
+
switch (param->ctpm_id) {
case CTPP_SUBSUME:
*param_value = ctp->ctp_subsume ?
generated by cgit v1.2.3 (git 2.39.1) at 2025-06-27 03:09:43 +0000