hrev56155 adds 7 changesets to branch 'master'
old head: 3e9b842151944134c92982cefa9dfb741f925b33
new head: 2823fe54e1cfb232d13214e0c835cd45ed1098a9
overview:
https://git.haiku-os.org/haiku/log/?qt=range&q=2823fe54e1cf+%5E3e9b84215194
----------------------------------------------------------------------------
77694f9225e6: kernel: Move validate_user_memory_range to kernel.h and rename it.
It has more general use than just in the VM code; basically anything
which receives buffers from userland should be invoking this if it
does anything besides user_memcpy (which alreay does it.)
e52da6c73ba6: kernel/fs: Invoke the new is_user_address_range on more I/O
buffers.
We do not access these buffers directly here but pass them deeper
into the kernel, where they may be used in IO operations that do
not invoke user_* functions at all, so we have to validate them fully here.
Part of #14961.
00f1e7c5e40b: kernel: Rework iovec copying from userland.
Create a utility function which performs all necessary checks,
allocates memory, and copies the structures, and then make use of it
in the three places in the kernel which did all this manually.
None of them were previously complete: the fd and socket code only
checked iov_base and not iov_len, while the port code did not check
anything at all.
Part of #14961.
8af65cc461be: strace: Fix and enable tracing of msghdr structures.
Useful for sendmsg/recvmsg. However at present it only works for recvmsg,
as sendmsg's parameter is const, and this is not automatically matched.
679a91d17958: network/stack: Simplify access to msg_iov in socket_send.
As the TODO comment noted, msg_iov has already been copied to the kernel
at this point (it is done in the syscall handler), so we do not need to
use the user memory access functions.
(I verified that the iovecs passed from userland are indeed copied to
the kernel, but I did not find anything that actually posts more than
a single iov, so this is not tested especially thoroughly.)
eb26002b47c7: kernel/util: Remove kqueue.h.
It is not used anymore, and we have more advanced queuing facilities now.
2823fe54e1cf: kernel/heap: Check for multiplication overflows in calloc.
Logic inspired by musl's.
[ Augustin Cavalier <waddlesplash@xxxxxxxxx> ]
----------------------------------------------------------------------------
12 files changed, 110 insertions(+), 179 deletions(-)
headers/private/kernel/kernel.h | 17 ++++++
headers/private/kernel/util/iovec_support.h | 41 ++++++++++++++
headers/private/kernel/util/kqueue.h | 63 ---------------------
src/add-ons/kernel/network/stack/net_socket.cpp | 37 ++----------
src/bin/debug/strace/NetworkTypes.cpp | 31 +++++-----
src/bin/debug/strace/TypeHandler.h | 2 +
src/system/kernel/fs/fd.cpp | 28 +++------
src/system/kernel/fs/socket.cpp | 29 +++-------
src/system/kernel/heap.cpp | 3 +
src/system/kernel/int.cpp | 1 -
src/system/kernel/port.cpp | 14 ++---
src/system/kernel/vm/vm.cpp | 23 ++------
############################################################################
Commit: 77694f9225e669df054dfdc0810d0119dcbece61
URL: https://git.haiku-os.org/haiku/commit/?id=77694f9225e6
Author: Augustin Cavalier <waddlesplash@xxxxxxxxx>
Date: Fri Jun 3 19:35:17 2022 UTC
kernel: Move validate_user_memory_range to kernel.h and rename it.
It has more general use than just in the VM code; basically anything
which receives buffers from userland should be invoking this if it
does anything besides user_memcpy (which alreay does it.)
----------------------------------------------------------------------------
diff --git a/headers/private/kernel/kernel.h b/headers/private/kernel/kernel.h
index 36ace801fb..981f37a892 100644
--- a/headers/private/kernel/kernel.h
+++ b/headers/private/kernel/kernel.h
@@ -40,6 +40,23 @@
((addr_t)(x) >= USER_BASE && (addr_t)(x) <= USER_TOP)
#endif
+#ifdef __cplusplus
+// Validate that an address range is fully in userspace.
+static inline bool
+is_user_address_range(const void* addr, size_t size)
+{
+ addr_t address = (addr_t)addr;
+
+ // Check for overflows on all addresses.
+ if ((address + size) < address)
+ return false;
+
+ // Validate that both the start and end address are in userspace
+ return IS_USER_ADDRESS(address) && IS_USER_ADDRESS(address + size - 1);
+}
+#endif
+
+
#define DEBUG_KERNEL_STACKS
// Note, debugging kernel stacks doesn't really work yet. Since the
// interrupt will also try to use the stack on a page fault, all
diff --git a/src/system/kernel/vm/vm.cpp b/src/system/kernel/vm/vm.cpp
index 75f058852e..941232c851 100644
--- a/src/system/kernel/vm/vm.cpp
+++ b/src/system/kernel/vm/vm.cpp
@@ -5433,21 +5433,6 @@ validate_memory_range(const void* addr, size_t size)
}
-/** Validate that a memory range is fully in userspace. */
-static inline bool
-validate_user_memory_range(const void* addr, size_t size)
-{
- addr_t address = (addr_t)addr;
-
- // Check for overflows on all addresses.
- if ((address + size) < address)
- return false;
-
- // Validate that both the start and end address are in userspace
- return IS_USER_ADDRESS(address) && IS_USER_ADDRESS(address + size - 1);
-}
-
-
// #pragma mark - kernel public API
@@ -6626,7 +6611,7 @@ _user_set_memory_protection(void* _address, size_t size,
uint32 protection)
if ((address % B_PAGE_SIZE) != 0)
return B_BAD_VALUE;
- if (!validate_user_memory_range(_address, size)) {
+ if (!is_user_address_range(_address, size)) {
// weird error code required by POSIX
return ENOMEM;
}
@@ -6777,7 +6762,7 @@ _user_sync_memory(void* _address, size_t size, uint32
flags)
// check params
if ((address % B_PAGE_SIZE) != 0)
return B_BAD_VALUE;
- if (!validate_user_memory_range(_address, size)) {
+ if (!is_user_address_range(_address, size)) {
// weird error code required by POSIX
return ENOMEM;
}
@@ -6855,7 +6840,7 @@ _user_memory_advice(void* _address, size_t size, uint32
advice)
return B_BAD_VALUE;
size = PAGE_ALIGN(size);
- if (!validate_user_memory_range(_address, size)) {
+ if (!is_user_address_range(_address, size)) {
// weird error code required by POSIX
return B_NO_MEMORY;
}
@@ -6932,7 +6917,7 @@ user_set_memory_swappable(const void* _address, size_t
size, bool swappable)
if ((address % B_PAGE_SIZE) != 0)
return EINVAL;
- if (!validate_user_memory_range(_address, size))
+ if (!is_user_address_range(_address, size))
return EINVAL;
const addr_t endAddress = address + size;
############################################################################
Commit: e52da6c73ba6731a3598df7d01b4569c94bff80e
URL: https://git.haiku-os.org/haiku/commit/?id=e52da6c73ba6
Author: Augustin Cavalier <waddlesplash@xxxxxxxxx>
Date: Fri Jun 3 19:36:50 2022 UTC
Ticket: https://dev.haiku-os.org/ticket/14961
kernel/fs: Invoke the new is_user_address_range on more I/O buffers.
We do not access these buffers directly here but pass them deeper
into the kernel, where they may be used in IO operations that do
not invoke user_* functions at all, so we have to validate them fully here.
Part of #14961.
----------------------------------------------------------------------------
diff --git a/src/system/kernel/fs/fd.cpp b/src/system/kernel/fs/fd.cpp
index 4389bfe557..905414ff5b 100644
--- a/src/system/kernel/fs/fd.cpp
+++ b/src/system/kernel/fs/fd.cpp
@@ -759,7 +759,7 @@ common_user_io(int fd, off_t pos, void* buffer, size_t
length, bool write)
if (length == 0)
return 0;
- if (!IS_USER_ADDRESS(buffer))
+ if (!is_user_address_range(buffer, length))
return B_BAD_ADDRESS;
SyscallRestartWrapper<status_t> status;
diff --git a/src/system/kernel/fs/socket.cpp b/src/system/kernel/fs/socket.cpp
index e4c02f46c9..f234e92f93 100644
--- a/src/system/kernel/fs/socket.cpp
+++ b/src/system/kernel/fs/socket.cpp
@@ -918,7 +918,7 @@ _user_accept(int socket, struct sockaddr *userAddress,
ssize_t
_user_recv(int socket, void *data, size_t length, int flags)
{
- if (data == NULL || !IS_USER_ADDRESS(data))
+ if (data == NULL || !is_user_address_range(data, length))
return B_BAD_ADDRESS;
SyscallRestartWrapper<ssize_t> result;
@@ -930,7 +930,7 @@ ssize_t
_user_recvfrom(int socket, void *data, size_t length, int flags,
struct sockaddr *userAddress, socklen_t *_addressLength)
{
- if (data == NULL || !IS_USER_ADDRESS(data))
+ if (data == NULL || !is_user_address_range(data, length))
return B_BAD_ADDRESS;
// check parameters
@@ -1021,7 +1021,7 @@ _user_recvmsg(int socket, struct msghdr *userMessage, int
flags)
ssize_t
_user_send(int socket, const void *data, size_t length, int flags)
{
- if (data == NULL || !IS_USER_ADDRESS(data))
+ if (data == NULL || !is_user_address_range(data, length))
return B_BAD_ADDRESS;
SyscallRestartWrapper<ssize_t> result;
@@ -1033,7 +1033,7 @@ ssize_t
_user_sendto(int socket, const void *data, size_t length, int flags,
const struct sockaddr *userAddress, socklen_t addressLength)
{
- if (data == NULL || !IS_USER_ADDRESS(data))
+ if (data == NULL || !is_user_address_range(data, length))
return B_BAD_ADDRESS;
if (addressLength <= 0
############################################################################
Commit: 00f1e7c5e40b41f892625b720c6a032b20f0c405
URL: https://git.haiku-os.org/haiku/commit/?id=00f1e7c5e40b
Author: Augustin Cavalier <waddlesplash@xxxxxxxxx>
Date: Fri Jun 3 20:32:11 2022 UTC
Ticket: https://dev.haiku-os.org/ticket/14961
kernel: Rework iovec copying from userland.
Create a utility function which performs all necessary checks,
allocates memory, and copies the structures, and then make use of it
in the three places in the kernel which did all this manually.
None of them were previously complete: the fd and socket code only
checked iov_base and not iov_len, while the port code did not check
anything at all.
Part of #14961.
----------------------------------------------------------------------------
diff --git a/headers/private/kernel/util/iovec_support.h
b/headers/private/kernel/util/iovec_support.h
new file mode 100644
index 0000000000..9482d10af5
--- /dev/null
+++ b/headers/private/kernel/util/iovec_support.h
@@ -0,0 +1,41 @@
+/*
+ * Copyright 2022, Haiku, Inc. All rights reserved.
+ * Distributed under the terms of the MIT license.
+ */
+#ifndef _UTIL_IOVEC_SUPPORT_H
+#define _UTIL_IOVEC_SUPPORT_H
+
+
+#include <KernelExport.h>
+
+
+static inline status_t
+get_iovecs_from_user(const iovec* userVecs, size_t vecCount, iovec*& vecs,
+ bool permitNull = false)
+{
+ // prevent integer overflow
+ if (vecCount > IOV_MAX)
+ return B_BAD_VALUE;
+
+ if (!IS_USER_ADDRESS(userVecs))
+ return B_BAD_ADDRESS;
+
+ vecs = (iovec*)malloc(sizeof(iovec) * vecCount);
+ if (vecs == NULL)
+ return B_NO_MEMORY;
+
+ if (user_memcpy(vecs, userVecs, sizeof(iovec) * vecCount) != B_OK)
+ return B_BAD_ADDRESS;
+
+ for (size_t i = 0; i < vecCount; i++) {
+ if (permitNull && vecs[i].iov_base == NULL)
+ continue;
+ if (!is_user_address_range(vecs[i].iov_base, vecs[i].iov_len))
+ return B_BAD_ADDRESS;
+ }
+
+ return B_OK;
+}
+
+
+#endif // _UTIL_IOVEC_SUPPORT_H
diff --git a/src/system/kernel/fs/fd.cpp b/src/system/kernel/fs/fd.cpp
index 905414ff5b..7f528563b0 100644
--- a/src/system/kernel/fs/fd.cpp
+++ b/src/system/kernel/fs/fd.cpp
@@ -23,6 +23,7 @@
#include <syscall_restart.h>
#include <slab/Slab.h>
#include <util/AutoLock.h>
+#include <util/iovec_support.h>
#include <vfs.h>
#include <wait_for_objects.h>
@@ -785,15 +786,14 @@ static ssize_t
common_user_vector_io(int fd, off_t pos, const iovec* userVecs, size_t count,
bool write)
{
- if (!IS_USER_ADDRESS(userVecs))
- return B_BAD_ADDRESS;
-
if (pos < -1)
return B_BAD_VALUE;
- // prevent integer overflow exploit in malloc()
- if (count > IOV_MAX)
- return B_BAD_VALUE;
+ iovec* vecs;
+ status_t error = get_iovecs_from_user(userVecs, count, vecs, true);
+ if (error != B_OK)
+ return error;
+ MemoryDeleter _(vecs);
FDGetter fdGetter;
struct file_descriptor* descriptor = fdGetter.SetTo(fd, false);
@@ -805,14 +805,6 @@ common_user_vector_io(int fd, off_t pos, const iovec*
userVecs, size_t count,
return B_FILE_ERROR;
}
- iovec* vecs = (iovec*)malloc(sizeof(iovec) * count);
- if (vecs == NULL)
- return B_NO_MEMORY;
- MemoryDeleter _(vecs);
-
- if (user_memcpy(vecs, userVecs, sizeof(iovec) * count) != B_OK)
- return B_BAD_ADDRESS;
-
bool movePosition = false;
if (pos == -1) {
pos = descriptor->pos;
@@ -830,12 +822,6 @@ common_user_vector_io(int fd, off_t pos, const iovec*
userVecs, size_t count,
for (uint32 i = 0; i < count; i++) {
if (vecs[i].iov_base == NULL)
continue;
- if (!IS_USER_ADDRESS(vecs[i].iov_base)) {
- status = B_BAD_ADDRESS;
- if (bytesTransferred == 0)
- return status;
- break;
- }
size_t length = vecs[i].iov_len;
if (write) {
diff --git a/src/system/kernel/fs/socket.cpp b/src/system/kernel/fs/socket.cpp
index f234e92f93..a587eaa403 100644
--- a/src/system/kernel/fs/socket.cpp
+++ b/src/system/kernel/fs/socket.cpp
@@ -1,7 +1,6 @@
/*
* Copyright 2009-2010, Axel Dörfler, axeld@xxxxxxxxxxxxxxxx.
* Copyright 2008, Ingo Weinhold, ingo_weinhold@xxxxxx.
- *
* Distributed under the terms of the MIT License.
*/
@@ -22,6 +21,7 @@
#include <lock.h>
#include <syscall_restart.h>
#include <util/AutoLock.h>
+#include <util/iovec_support.h>
#include <vfs.h>
#include <net_stack_interface.h>
@@ -161,22 +161,11 @@ prepare_userland_msghdr(const msghdr* userMessage,
msghdr& message,
if (message.msg_iovlen < 0 || message.msg_iovlen > IOV_MAX)
return EMSGSIZE;
if (userVecs != NULL && message.msg_iovlen > 0) {
- iovec* vecs = (iovec*)malloc(sizeof(iovec) *
message.msg_iovlen);
- if (vecs == NULL)
- return B_NO_MEMORY;
+ iovec* vecs;
+ status_t error = get_iovecs_from_user(message.msg_iov,
message.msg_iovlen, vecs);
+ if (error != B_OK)
+ return error;
vecsDeleter.SetTo(vecs);
-
- if (!IS_USER_ADDRESS(message.msg_iov)
- || user_memcpy(vecs, message.msg_iov,
- message.msg_iovlen * sizeof(iovec)) !=
B_OK) {
- return B_BAD_ADDRESS;
- }
-
- for (int i = 0; i < message.msg_iovlen; i++) {
- if (!IS_USER_ADDRESS(vecs[i].iov_base))
- return B_BAD_ADDRESS;
- }
-
message.msg_iov = vecs;
} else {
message.msg_iov = NULL;
diff --git a/src/system/kernel/port.cpp b/src/system/kernel/port.cpp
index 8e6d65cfd8..cacc36a330 100644
--- a/src/system/kernel/port.cpp
+++ b/src/system/kernel/port.cpp
@@ -33,6 +33,7 @@
#include <tracing.h>
#include <util/AutoLock.h>
#include <util/list.h>
+#include <util/iovec_support.h>
#include <vm/vm.h>
#include <wait_for_objects.h>
@@ -1923,15 +1924,10 @@ _user_writev_port_etc(port_id port, int32 messageCode,
const iovec *userVecs,
return B_BAD_ADDRESS;
iovec *vecs = NULL;
- if (userVecs && vecCount != 0) {
- vecs = (iovec*)malloc(sizeof(iovec) * vecCount);
- if (vecs == NULL)
- return B_NO_MEMORY;
-
- if (user_memcpy(vecs, userVecs, sizeof(iovec) * vecCount) <
B_OK) {
- free(vecs);
- return B_BAD_ADDRESS;
- }
+ if (userVecs != NULL && vecCount != 0) {
+ status_t status = get_iovecs_from_user(userVecs, vecCount,
vecs);
+ if (status != B_OK)
+ return status;
}
status_t status = writev_port_etc(port, messageCode, vecs, vecCount,
############################################################################
Commit: 8af65cc461be589f15f9bf7b3e2e28853d5769ce
URL: https://git.haiku-os.org/haiku/commit/?id=8af65cc461be
Author: Augustin Cavalier <waddlesplash@xxxxxxxxx>
Date: Fri Jun 3 21:05:41 2022 UTC
strace: Fix and enable tracing of msghdr structures.
Useful for sendmsg/recvmsg. However at present it only works for recvmsg,
as sendmsg's parameter is const, and this is not automatically matched.
----------------------------------------------------------------------------
diff --git a/src/bin/debug/strace/NetworkTypes.cpp
b/src/bin/debug/strace/NetworkTypes.cpp
index bb1544a357..67bf78952f 100644
--- a/src/bin/debug/strace/NetworkTypes.cpp
+++ b/src/bin/debug/strace/NetworkTypes.cpp
@@ -562,19 +562,6 @@ format_pointer(Context &context, socket_args *args)
}
-static string
-get_iovec(Context &context, iovec *iov, int iovlen)
-{
- if (iov == NULL && iovlen == 0)
- return "(empty)";
-
- string r = "{";
- r += context.FormatPointer(iov);
- r += ", " + context.FormatSigned(iovlen);
- return r + "}";
-}
-
-
static string
format_pointer(Context &context, message_args *msg)
{
@@ -587,6 +574,20 @@ format_pointer(Context &context, message_args *msg)
return r;
}
+#endif
+
+
+static string
+get_iovec(Context &context, iovec *iov, int iovlen)
+{
+ if (iov == NULL && iovlen == 0)
+ return "(empty)";
+
+ string r = "{";
+ r += context.FormatPointer(iov);
+ r += ", " + context.FormatSigned(iovlen);
+ return r + "}";
+}
static string
@@ -605,7 +606,7 @@ format_pointer(Context &context, msghdr *h)
return r;
}
-#endif
+
static string
format_pointer(Context &context, ifreq *ifr)
@@ -710,9 +711,9 @@ POINTER_TYPE(ifconf_ptr, ifconf);
POINTER_TYPE(ifreq_ptr, ifreq);
DEFINE_TYPE(pollfd_ptr, pollfd *);
POINTER_TYPE(siginfo_t_ptr, siginfo_t);
+POINTER_TYPE(msghdr_ptr, msghdr);
#if 0
POINTER_TYPE(message_args_ptr, message_args);
-POINTER_TYPE(msghdr_ptr, msghdr);
POINTER_TYPE(sockaddr_args_ptr, sockaddr_args);
POINTER_TYPE(sockopt_args_ptr, sockopt_args);
POINTER_TYPE(socket_args_ptr, socket_args);
diff --git a/src/bin/debug/strace/TypeHandler.h
b/src/bin/debug/strace/TypeHandler.h
index d52866342e..135635a049 100644
--- a/src/bin/debug/strace/TypeHandler.h
+++ b/src/bin/debug/strace/TypeHandler.h
@@ -101,6 +101,7 @@ struct fd_set;
struct flock;
struct ifconf;
struct ifreq;
+struct msghdr;
struct message_args;
struct pollfd;
struct sockaddr_args;
@@ -111,6 +112,7 @@ DEFINE_FACTORY(fdset_ptr, fd_set *);
DEFINE_FACTORY(flock_ptr, flock *);
DEFINE_FACTORY(ifconf_ptr, ifconf *);
DEFINE_FACTORY(ifreq_ptr, ifreq *);
+DEFINE_FACTORY(msghdr_ptr, msghdr *);
DEFINE_FACTORY(message_args_ptr, message_args *);
DEFINE_FACTORY(pollfd_ptr, pollfd *);
DEFINE_FACTORY(siginfo_t_ptr, siginfo_t *);
############################################################################
Commit: 679a91d17958399441836534283ddd966b8c949b
URL: https://git.haiku-os.org/haiku/commit/?id=679a91d17958
Author: Augustin Cavalier <waddlesplash@xxxxxxxxx>
Date: Fri Jun 3 21:16:52 2022 UTC
network/stack: Simplify access to msg_iov in socket_send.
As the TODO comment noted, msg_iov has already been copied to the kernel
at this point (it is done in the syscall handler), so we do not need to
use the user memory access functions.
(I verified that the iovecs passed from userland are indeed copied to
the kernel, but I did not find anything that actually posts more than
a single iov, so this is not tested especially thoroughly.)
----------------------------------------------------------------------------
diff --git a/src/add-ons/kernel/network/stack/net_socket.cpp
b/src/add-ons/kernel/network/stack/net_socket.cpp
index 814a7523ae..59ecb3048f 100644
--- a/src/add-ons/kernel/network/stack/net_socket.cpp
+++ b/src/add-ons/kernel/network/stack/net_socket.cpp
@@ -162,23 +162,6 @@ net_socket_private::RemoveFromParent()
// #pragma mark -
-static size_t
-compute_user_iovec_length(iovec* userVec, uint32 count)
-{
- size_t length = 0;
-
- for (uint32 i = 0; i < count; i++) {
- iovec vec;
- if (user_memcpy(&vec, userVec + i, sizeof(iovec)) < B_OK)
- return 0;
-
- length += vec.iov_len;
- }
-
- return length;
-}
-
-
static status_t
create_socket(int family, int type, int protocol, net_socket_private** _socket)
{
@@ -1420,12 +1403,11 @@ socket_send(net_socket* socket, msghdr* header, const
void* data, size_t length,
// iovec. So drop the header, if it is the only iovec. Otherwise compute
// the size of the remaining ones.
if (header != NULL) {
- if (header->msg_iovlen <= 1)
+ if (header->msg_iovlen <= 1) {
header = NULL;
- else {
-// TODO: The iovecs have already been copied to kernel space. Simplify!
- bytesLeft += compute_user_iovec_length(header->msg_iov
+ 1,
- header->msg_iovlen - 1);
+ } else {
+ for (int i = 1; i < header->msg_iovlen; i++)
+ bytesLeft += header->msg_iov[i].iov_len;
}
}
@@ -1443,15 +1425,8 @@ socket_send(net_socket* socket, msghdr* header, const
void* data, size_t length,
&& buffer->size < bytesLeft) {
if (vecIndex > 0 && vecOffset == 0) {
// retrieve next iovec buffer from header
- iovec vec;
- if (user_memcpy(&vec, header->msg_iov +
vecIndex, sizeof(iovec))
- < B_OK) {
- gNetBufferModule.free(buffer);
- return B_BAD_ADDRESS;
- }
-
- data = vec.iov_base;
- length = vec.iov_len;
+ data = header->msg_iov[vecIndex].iov_base;
+ length = header->msg_iov[vecIndex].iov_len;
}
size_t bytes = length;
############################################################################
Commit: eb26002b47c7d9e1bd5379989924d8b886b286fa
URL: https://git.haiku-os.org/haiku/commit/?id=eb26002b47c7
Author: Augustin Cavalier <waddlesplash@xxxxxxxxx>
Date: Fri Jun 3 21:18:32 2022 UTC
kernel/util: Remove kqueue.h.
It is not used anymore, and we have more advanced queuing facilities now.
----------------------------------------------------------------------------
diff --git a/headers/private/kernel/util/kqueue.h
b/headers/private/kernel/util/kqueue.h
deleted file mode 100644
index b185cd0f95..0000000000
--- a/headers/private/kernel/util/kqueue.h
+++ /dev/null
@@ -1,63 +0,0 @@
-/*
-** Copyright 2002, Axel Dörfler, axeld@xxxxxxxxxxxxxxxx. All rights reserved.
-** Distributed under the terms of the MIT License.
-*/
-#ifndef KQUEUE_H
-#define KQUEUE_H
-
-/* The name "que" actually means that it is a very
- * light-weight implementation of a queue ;-))
- */
-
-/* The object that is put into a queue must begin with these
- * fields, but it doesn't have to be this structure.
- */
-struct quehead {
- struct quehead *next;
- struct quehead *prev;
-};
-
-/* You can use this macro to iterate through the queue. */
-#define kqueue_foreach(head, element) \
- for ((element) = (void *)(head)->next; (element) != (void *)(head);
(element) = (void *)((struct quehead *)(element))->next)
-
-
-/** Initializes a queue to be used */
-
-static inline void
-initque(void *_head)
-{
- struct quehead *head = (struct quehead *)_head;
-
- head->next = head->prev = head;
-}
-
-
-/** Inserts an element (_element) to the queue (_head) */
-
-static inline void
-insque(void *_element, void *_head)
-{
- struct quehead *element = (struct quehead *)_element,
- *head = (struct quehead *)_head;
-
- element->next = head->next;
- element->prev = head;
- head->next = element;
- element->next->prev = element;
-}
-
-
-/** removes an element from the queue it's currently in */
-
-static inline void
-remque(void *_element)
-{
- struct quehead *element = (struct quehead *)_element;
-
- element->next->prev = element->prev;
- element->prev->next = element->next;
- element->prev = 0;
-}
-
-#endif /* KQUEUE_H */
diff --git a/src/system/kernel/int.cpp b/src/system/kernel/int.cpp
index 13c1569967..ce45cf19a1 100644
--- a/src/system/kernel/int.cpp
+++ b/src/system/kernel/int.cpp
@@ -25,7 +25,6 @@
#include <elf.h>
#include <load_tracking.h>
#include <util/AutoLock.h>
-#include <util/kqueue.h>
#include <smp.h>
#include "kernel_debug_config.h"
############################################################################
Revision: hrev56155
Commit: 2823fe54e1cfb232d13214e0c835cd45ed1098a9
URL: https://git.haiku-os.org/haiku/commit/?id=2823fe54e1cf
Author: Augustin Cavalier <waddlesplash@xxxxxxxxx>
Date: Fri Jun 3 21:18:55 2022 UTC
kernel/heap: Check for multiplication overflows in calloc.
Logic inspired by musl's.
----------------------------------------------------------------------------
diff --git a/src/system/kernel/heap.cpp b/src/system/kernel/heap.cpp
index 9fb146c3b5..abd9bbdbd9 100644
--- a/src/system/kernel/heap.cpp
+++ b/src/system/kernel/heap.cpp
@@ -2482,6 +2482,9 @@ realloc(void *address, size_t newSize)
void *
calloc(size_t numElements, size_t size)
{
+ if (size != 0 && numElements > (((size_t)(-1)) / size))
+ return NULL;
+
void *address = malloc(numElements * size);
if (address != NULL)
memset(address, 0, numElements * size);
