diff options
author | Alice Frosi <afrosi@redhat.com> | 2023-05-09 10:38:21 +0200 |
---|---|---|
committer | Alice Frosi <afrosi@redhat.com> | 2023-05-09 15:58:23 +0200 |
commit | 0977f0876af186975d3861c53b8431a80a27fa83 (patch) | |
tree | 9ace2c75d0389175591e8f3b9cf7e6589330514f /operations.c | |
parent | 384d09cd3d2e62bae19b59b615bc57b7a23d0b0a (diff) | |
download | seitan-0977f0876af186975d3861c53b8431a80a27fa83.tar seitan-0977f0876af186975d3861c53b8431a80a27fa83.tar.gz seitan-0977f0876af186975d3861c53b8431a80a27fa83.tar.bz2 seitan-0977f0876af186975d3861c53b8431a80a27fa83.tar.lz seitan-0977f0876af186975d3861c53b8431a80a27fa83.tar.xz seitan-0977f0876af186975d3861c53b8431a80a27fa83.tar.zst seitan-0977f0876af186975d3861c53b8431a80a27fa83.zip |
gluten: check limits
Add bounds checking:
- if offset is larger then the maximum per offset type
- if memcpy is reading/writing inside gluten
Diffstat (limited to 'operations.c')
-rw-r--r-- | operations.c | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/operations.c b/operations.c index 870ecf1..bf03ab8 100644 --- a/operations.c +++ b/operations.c @@ -177,6 +177,7 @@ int op_load(const struct seccomp_notif *req, int notifier, struct gluten *g, ret = -1; goto out; } + check_gluten_limits(&g, load->dst, load->size); if (pread(fd, gluten_write_ptr(g, load->dst), load->size, *src) < 0) { perror("pread"); return -1; @@ -232,7 +233,7 @@ int op_call(const struct seccomp_notif *req, int notifier, struct gluten *g, * reference */ if (op->has_ret) - memcpy(gluten_write_ptr(g, op->ret), &c.ret, sizeof(c.ret)); + gluten_write(g, op->ret, c.ret); return 0; } @@ -263,7 +264,7 @@ int op_return(const struct seccomp_notif *req, int notifier, struct gluten *g, resp.flags = 0; resp.error = 0; - memcpy(&resp.val, gluten_ptr(NULL, g, op->val), sizeof(resp.val)); + gluten_read(NULL, g, resp.val, op->val, sizeof(resp.val)); if (send_target(&resp, notifier) == -1) return -1; @@ -299,10 +300,8 @@ static int do_inject(const struct seccomp_notif *req, int notifier, resp.newfd_flags = 0; resp.id = req->id; - memcpy(&resp.newfd, gluten_ptr(NULL, g, op->new_fd), - sizeof(resp.newfd)); - memcpy(&resp.srcfd, gluten_ptr(NULL, g, op->new_fd), - sizeof(resp.srcfd)); + gluten_read(NULL, g, resp.newfd, op->new_fd, sizeof(resp.newfd)); + gluten_read(NULL, g, resp.srcfd, op->old_fd, sizeof(resp.srcfd)); if (atomic) resp.flags |= SECCOMP_ADDFD_FLAG_SEND; @@ -351,8 +350,9 @@ int op_resolve_fd(const struct seccomp_notif *req, int notifier, (void)notifier; - memcpy(&path, gluten_ptr(NULL, g, op->path), op->path_size); - memcpy(&fd, gluten_ptr(NULL, g, op->fd), sizeof(fd)); + + gluten_read(NULL, g, path, op->path, sizeof(op->path_size)); + gluten_read(NULL, g, fd, op->fd, sizeof(fd)); snprintf(fdpath, PATH_MAX, "/proc/%d/fd/%d", req->pid, fd); if ((nbytes = readlink(fdpath, buf, op->path_size)) < 0) { |