hrev51866 adds 2 changesets to branch 'master'
old head: e1ceb339a0d71da3795ca3e32c8434d8efc1b1ca
new head: c101b576828471a84228eb01407efe2b370b0603
overview:
http://cgit.haiku-os.org/haiku/log/?qt=range&q=c101b5768284+%5Ee1ceb339a0d7
----------------------------------------------------------------------------
321372e3ef2a: kernel: Make size argument to create_area_etc() size_t.
It was limited to a uint32 and could, for example, be overflowed by the
slab MemoryManager, which uses size_t on a 64-bit system.
This aligns the signature with create_area() that already uses size_t
for the size argument.
Note that the function is currently private, so the impact should be
limited.
c101b5768284: kernel: Implement FD limit check for select/poll.
The number of FDs that can be selected/polled needs to be limited by
RLIMIT_NOFILE.
[ Michael Lotz <mmlr@xxxxxxxx> ]
----------------------------------------------------------------------------
3 files changed, 15 insertions(+), 3 deletions(-)
headers/private/kernel/vm/vm.h | 2 +-
src/system/kernel/vm/vm.cpp | 2 +-
src/system/kernel/wait_for_objects.cpp | 14 +++++++++++++-
############################################################################
Commit: 321372e3ef2a633c565697bc31a97006537b5e3c
URL: http://cgit.haiku-os.org/haiku/commit/?id=321372e3ef2a
Author: Michael Lotz <mmlr@xxxxxxxx>
Date: Tue Apr 3 21:44:00 2018 UTC
kernel: Make size argument to create_area_etc() size_t.
It was limited to a uint32 and could, for example, be overflowed by the
slab MemoryManager, which uses size_t on a 64-bit system.
This aligns the signature with create_area() that already uses size_t
for the size argument.
Note that the function is currently private, so the impact should be
limited.
----------------------------------------------------------------------------
diff --git a/headers/private/kernel/vm/vm.h b/headers/private/kernel/vm/vm.h
index ce85089594..9cbf9848e4 100644
--- a/headers/private/kernel/vm/vm.h
+++ b/headers/private/kernel/vm/vm.h
@@ -76,7 +76,7 @@ void permit_page_faults(void);
void forbid_page_faults(void);
// private kernel only extension (should be moved somewhere else):
-area_id create_area_etc(team_id team, const char *name, uint32 size,
+area_id create_area_etc(team_id team, const char *name, size_t size,
uint32 lock, uint32 protection, uint32 flags, uint32
guardSize,
const virtual_address_restrictions*
virtualAddressRestrictions,
const physical_address_restrictions*
physicalAddressRestrictions,
diff --git a/src/system/kernel/vm/vm.cpp b/src/system/kernel/vm/vm.cpp
index c3c1fb1123..478a0e5ba7 100644
--- a/src/system/kernel/vm/vm.cpp
+++ b/src/system/kernel/vm/vm.cpp
@@ -6079,7 +6079,7 @@ clone_area(const char* name, void** _address, uint32
addressSpec,
area_id
-create_area_etc(team_id team, const char* name, uint32 size, uint32 lock,
+create_area_etc(team_id team, const char* name, size_t size, uint32 lock,
uint32 protection, uint32 flags, uint32 guardSize,
const virtual_address_restrictions* virtualAddressRestrictions,
const physical_address_restrictions* physicalAddressRestrictions,
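Review bot: Widening the `size` parameter removes the truncation at the call boundary only; the body of create_area_etc lies outside this hunk, so nothing here shows whether `size` is later stored in or passed on as a `uint32`. It is worth checking the body and its callees for such narrowing, and any caller that still computes the size in a 32-bit variable before the call. A one-line comment above the declaration in vm.h would record the intent, for example `// size is size_t to match create_area(); do not narrow it to uint32`.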
############################################################################
Revision: hrev51866
Commit: c101b576828471a84228eb01407efe2b370b0603
URL: http://cgit.haiku-os.org/haiku/commit/?id=c101b5768284
Author: Michael Lotz <mmlr@xxxxxxxx>
Date: Tue Apr 3 21:50:39 2018 UTC
kernel: Implement FD limit check for select/poll.
The number of FDs that can be selected/polled needs to be limited by
RLIMIT_NOFILE.
----------------------------------------------------------------------------
diff --git a/src/system/kernel/wait_for_objects.cpp
b/src/system/kernel/wait_for_objects.cpp
index dbb6ffdb54..edc3b8a286 100644
--- a/src/system/kernel/wait_for_objects.cpp
+++ b/src/system/kernel/wait_for_objects.cpp
@@ -906,6 +906,15 @@ _kern_wait_for_objects(object_wait_info* infos, int
numInfos, uint32 flags,
// #pragma mark - User syscalls
+static bool
+check_max_fds(int numFDs)
+{
+ struct io_context *context = get_current_io_context(false);
+ MutexLocker(&context->io_mutex);
+ return numFDs <= context->table_size;
+}
+
+
ssize_t
_user_select(int numFDs, fd_set *userReadSet, fd_set *userWriteSet,
fd_set *userErrorSet, bigtime_t timeout, const sigset_t *userSigMask)
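Review bot: `MutexLocker(&context->io_mutex);` in check_max_fds constructs an unnamed temporary, so the mutex is released at the end of that statement and `context->table_size` is read without the lock the code evidently meant to hold. Name the locker so it lives until the return: `MutexLocker locker(&context->io_mutex);`. Both new call sites, the select check and the poll check later in this patch, rely on this helper. Even with the lock held the result is only a snapshot of the limit, so a short comment saying the table size may change after the helper returns would help the next reader.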
@@ -917,7 +926,7 @@ _user_select(int numFDs, fd_set *userReadSet, fd_set
*userWriteSet,
syscall_restart_handle_timeout_pre(timeout);
- if (numFDs < 0)
+ if (numFDs < 0 || !check_max_fds(numFDs))
return B_BAD_VALUE;
if ((userReadSet != NULL && !IS_USER_ADDRESS(userReadSet))
@@ -1013,6 +1022,9 @@ _user_poll(struct pollfd *userfds, int numFDs, bigtime_t
timeout)
? syscall_restart_handle_timeout_post(result, timeout)
: result;
}
+ if (!check_max_fds(numFDs))
+ return B_BAD_VALUE;
+
// copy parameters
if (userfds == NULL || !IS_USER_ADDRESS(userfds))
return B_BAD_ADDRESS;
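Review bot: The guard added to _user_poll does not by itself reject a negative `numFDs`. check_max_fds only evaluates `numFDs <= context->table_size`, and whether a negative count fails that comparison depends on the type of `table_size`, which is not visible in this patch. _user_select pairs the same check with `numFDs < 0`; unless an earlier line of _user_poll outside this hunk already does so, write `if (numFDs < 0 || !check_max_fds(numFDs))` here as well, or move the sign test into the helper as `return numFDs >= 0 && numFDs <= context->table_size;`. The parameter copy that follows `// copy parameters` continues outside the hunk, so the count should be fully validated before that point.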