From e59f3c667db81b200991dfb264423d87820f7f2d Mon Sep 17 00:00:00 2001 From: Samuel Thibault Date: Tue, 14 Sep 2010 04:24:28 +0200 Subject: Protect exec from memory faults * exec/exec.c (load_section): Call i`hurd_safe_copyin' instead of `memcpy'. Handle error case. (check_gzip): Likewise. (check_bzip2): Likewise. --- exec/exec.c | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) (limited to 'exec')
diff --git a/exec/exec.c b/exec/exec.c
index d8765003..25628d79 100644
--- a/exec/exec.c
+++ b/exec/exec.c
@@ -233,11 +233,12 @@ load_section (void *section, struct execdata *u)
 u->error = (page == -1) ? errno : 0;
 if (! u->error)
 {
- memcpy ((void *) page, /* XXX/fault */
+ u->error = hurd_safe_copyin ((void *) page, /* XXX/fault */
 (void *) (contents + (size - off)),
 off);
- u->error = vm_write (u->task, mapstart + (size - off),
- page, vm_page_size);
+ if (! u->error)
+ u->error = vm_write (u->task, mapstart + (size - off),
+ page, vm_page_size);
 munmap ((caddr_t) page, vm_page_size);
 }
 }
@@ -339,7 +340,10 @@ load_section (void *section, struct execdata *u)
 const void *contents = map (u, filepos, readsize);
 if (!contents)
 goto maplose;
- memcpy (readaddr, contents, readsize); /* XXX/fault */
+ u->error = hurd_safe_copyin (readaddr, contents,
+ readsize); /* XXX/fault */
+ if (u->error)
+ goto maplose;
 }
 u->error = vm_write (u->task, overlap_page, ourpage, size);
 if (u->error == KERN_PROTECTION_FAILURE)
@@ -1150,7 +1154,10 @@ check_gzip (struct execdata *earg)
 return -1;
 }
 n = MIN (maxread, map_buffer (e) + map_fsize (e) - contents);
- memcpy (buf, contents, n); /* XXX/fault */
+ errno = hurd_safe_copyin (buf, contents, n); /* XXX/fault */
+ if (errno)
+ longjmp (ziperr, 2);
+
 zipread_pos += n;
 return n;
 }
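Review bot: The `/* XXX/fault */` marker is carried over unchanged onto the new `hurd_safe_copyin` call in the first load_section hunk, although the fault it flagged is now caught and stored in `u->error`. The same leftover marker sits on the call in the second load_section hunk and in the check_gzip and check_bzip2 hunks. I would replace it with a comment giving the reason for the safe copy, for example `/* source is mapped file data (judging by map/map_buffer) and may fault; the error is reported, not fatal */`, so that a later cleanup does not turn the call back into a plain memcpy. load_section's body starts and ends outside the hunk.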
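Review bot: The new failure path in the check_gzip hunk leaves through `longjmp (ziperr, 2)`, while the branch directly above it in the same hunk reports failure with `return -1;`, so this read routine now has two error conventions. If the caller already turns a -1 return into the ziperr unwind (not visible here), `if (errno) return -1;` would keep a single path; otherwise a short comment saying why a fault must unwind directly, and what the value 2 means at the setjmp site, is needed. Assigning the result straight to `errno` also stores 0 there on every successful read; `error_t err = hurd_safe_copyin (buf, contents, n);` followed by `if (err) { errno = err; longjmp (ziperr, 2); }` touches errno only on failure. The check_bzip2 hunk is line-for-line the same and the same applies there; the enclosing function starts and ends outside both hunks.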
@@ -1257,7 +1264,10 @@ check_bzip2 (struct execdata *earg)
 return -1;
 }
 n = MIN (maxread, map_buffer (e) + map_fsize (e) - contents);
- memcpy (buf, contents, n); /* XXX/fault */
+ errno = hurd_safe_copyin (buf, contents, n); /* XXX/fault */
+ if (errno)
+ longjmp (ziperr, 2);
+
 zipread_pos += n;
 return n;
 }
-- cgit v1.2.3