kprof: use parsecmd() instead of strncmp on user pointers
author Barret Rhoden <brho@cs.berkeley.edu>
Thu, 2 May 2019 03:09:45 +0000 (23:09 -0400)
committer Barret Rhoden <brho@cs.berkeley.edu>
Thu, 2 May 2019 03:13:35 +0000 (23:13 -0400)
The string passed to error("%s") was a user pointer.  We shouldn't even
be using manual strncmps and whatnot on user pointers - they might be
able to give us a pointer right below ULIM.

One fix for the strncmp checks would be to use MIN(write_amt,
static_len), since we know sys_write() made sure write_amt bytes were
valid.

But since we already called parsecmd(), let's just use it.

Reported-by: syzbot+75a997a9a55827b3871d@syzkaller.appspotmail.com
Signed-off-by: Barret Rhoden <brho@cs.berkeley.edu>
kern/drivers/dev/kprof.c

index 9a6bd66..243f97f 100644 (file)
@@ -406,14 +406,16 @@ static size_t kprof_write(struct chan *c, void *a, size_t n, off64_t unused)
                }
                break;
        case Kprintxqid:
-               if (!strncmp(a, "on", 2))
+               if (cb->nf < 1)
+                       error(EFAIL, "no printx option: (on|off|toggle)");
+               if (!strcmp(cb->f[0], "on"))
                        set_printx(1);
-               else if (!strncmp(a, "off", 3))
+               else if (!strcmp(cb->f[0], "off"))
                        set_printx(0);
-               else if (!strncmp(a, "toggle", 6))
+               else if (!strcmp(cb->f[0], "toggle"))
                        set_printx(2);
                else
-                       error(EFAIL, "Invalid option to Kprintx %s\n", a);
+                       error(EFAIL, "bad printx option: (on|off|toggle)");
                break;
        case Kmpstatqid:
        case Kmpstatrawqid:
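
Review bot: The new guard at the top of the Kprintxqid case, `if (cb->nf < 1)`, only rejects an empty command, so a write with extra fields still succeeds because everything after `cb->f[0]` is ignored. If printx is meant to take exactly one argument, consider `if (cb->nf != 1)` so trailing fields produce the same "(on|off|toggle)" error. Separately, moving from `strncmp(a, "on", 2)` to `strcmp(cb->f[0], "on")` changes matching from prefix to exact: any first field that merely starts with "on", "off" or "toggle" used to be accepted and now reaches the "bad printx option" branch. That is the stricter and better behaviour, but it is a user-visible change the commit message does not mention. Dropping the `%s` of `a` from the error string removes the user-pointer dereference the message describes; if echoing the rejected value is still useful for debugging, `cb->f[0]` is a parsed copy and could be printed instead of `a`.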