make sure that the user supplied signals in struct vt_mode are actually

valid signals, else return EINVAL for ioctl VT_SETMODE.

this fixes a problem that anybody with vty access can panic the system.

2.2-Candidate (and 2.1.0 I believe)

Reviewed-by: sos

sys/dev/syscons/syscons.c

@@ -25,7 +25,7 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
- *  $Id: syscons.c,v 1.203 1997/02/28 08:42:35 yokota Exp $
+ *  $Id: syscons.c,v 1.204 1997/02/28 14:26:34 bde Exp $
  */
 
 #include "sc.h"
@@ -168,6 +168,7 @@ static const int	nsccons = MAXCONS+2;
 #define WRAPHIST(scp, pointer, offset)\
     ((scp->history) + ((((pointer) - (scp->history)) + (scp->history_size)\
     + (offset)) % (scp->history_size)))
+#define ISSIGVALID(sig)	((sig) > 0 && (sig) < NSIG)
 
 /* prototypes */
 static int scattach(struct isa_device *dev);
@@ -794,7 +795,7 @@ scioctl(dev_t dev, int cmd, caddr_t data, int flag, struct proc *p)
 	
 	switch (mouse->operation) {
 	case MOUSE_MODE:
-	    if (mouse->u.mode.signal > 0 && mouse->u.mode.signal < NSIG) {
+	    if (ISSIGVALID(mouse->u.mode.signal)) {
 		scp->mouse_signal = mouse->u.mode.signal;
 		scp->mouse_proc = p;
 		scp->mouse_pid = p->p_pid;
@@ -1026,12 +1027,21 @@ scioctl(dev_t dev, int cmd, caddr_t data, int flag, struct proc *p)
 	return 0;
 
     case VT_SETMODE:    	/* set screen switcher mode */
-	bcopy(data, &scp->smode, sizeof(struct vt_mode));
-	if (scp->smode.mode == VT_PROCESS) {
-	    scp->proc = p;
-	    scp->pid = scp->proc->p_pid;
-	}
-	return 0;
+    {
+	struct vt_mode *mode;
+
+	mode = (struct vt_mode *)data;
+	if (ISSIGVALID(mode->relsig) && ISSIGVALID(mode->acqsig) &&
+	    ISSIGVALID(mode->frsig)) {
+	    bcopy(data, &scp->smode, sizeof(struct vt_mode));
+	    if (scp->smode.mode == VT_PROCESS) {
+		scp->proc = p;
+		scp->pid = scp->proc->p_pid;
+	    }
+	    return 0;
+	} else
+	    return EINVAL;
+    }
 
     case VT_GETMODE:    	/* get screen switcher mode */
 	bcopy(&scp->smode, data, sizeof(struct vt_mode));

sys/i386/isa/syscons.c

@@ -25,7 +25,7 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
- *  $Id: syscons.c,v 1.203 1997/02/28 08:42:35 yokota Exp $
+ *  $Id: syscons.c,v 1.204 1997/02/28 14:26:34 bde Exp $
  */
 
 #include "sc.h"
@@ -168,6 +168,7 @@ static const int	nsccons = MAXCONS+2;
 #define WRAPHIST(scp, pointer, offset)\
     ((scp->history) + ((((pointer) - (scp->history)) + (scp->history_size)\
     + (offset)) % (scp->history_size)))
+#define ISSIGVALID(sig)	((sig) > 0 && (sig) < NSIG)
 
 /* prototypes */
 static int scattach(struct isa_device *dev);
@@ -794,7 +795,7 @@ scioctl(dev_t dev, int cmd, caddr_t data, int flag, struct proc *p)
 	
 	switch (mouse->operation) {
 	case MOUSE_MODE:
-	    if (mouse->u.mode.signal > 0 && mouse->u.mode.signal < NSIG) {
+	    if (ISSIGVALID(mouse->u.mode.signal)) {
 		scp->mouse_signal = mouse->u.mode.signal;
 		scp->mouse_proc = p;
 		scp->mouse_pid = p->p_pid;
@@ -1026,12 +1027,21 @@ scioctl(dev_t dev, int cmd, caddr_t data, int flag, struct proc *p)
 	return 0;
 
     case VT_SETMODE:    	/* set screen switcher mode */
-	bcopy(data, &scp->smode, sizeof(struct vt_mode));
-	if (scp->smode.mode == VT_PROCESS) {
-	    scp->proc = p;
-	    scp->pid = scp->proc->p_pid;
-	}
-	return 0;
+    {
+	struct vt_mode *mode;
+
+	mode = (struct vt_mode *)data;
+	if (ISSIGVALID(mode->relsig) && ISSIGVALID(mode->acqsig) &&
+	    ISSIGVALID(mode->frsig)) {
+	    bcopy(data, &scp->smode, sizeof(struct vt_mode));
+	    if (scp->smode.mode == VT_PROCESS) {
+		scp->proc = p;
+		scp->pid = scp->proc->p_pid;
+	    }
+	    return 0;
+	} else
+	    return EINVAL;
+    }
 
     case VT_GETMODE:    	/* get screen switcher mode */
 	bcopy(&scp->smode, data, sizeof(struct vt_mode));

sys/isa/syscons.c

@@ -25,7 +25,7 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
- *  $Id: syscons.c,v 1.203 1997/02/28 08:42:35 yokota Exp $
+ *  $Id: syscons.c,v 1.204 1997/02/28 14:26:34 bde Exp $
  */
 
 #include "sc.h"
@@ -168,6 +168,7 @@ static const int	nsccons = MAXCONS+2;
 #define WRAPHIST(scp, pointer, offset)\
     ((scp->history) + ((((pointer) - (scp->history)) + (scp->history_size)\
     + (offset)) % (scp->history_size)))
+#define ISSIGVALID(sig)	((sig) > 0 && (sig) < NSIG)
 
 /* prototypes */
 static int scattach(struct isa_device *dev);
@@ -794,7 +795,7 @@ scioctl(dev_t dev, int cmd, caddr_t data, int flag, struct proc *p)
 	
 	switch (mouse->operation) {
 	case MOUSE_MODE:
-	    if (mouse->u.mode.signal > 0 && mouse->u.mode.signal < NSIG) {
+	    if (ISSIGVALID(mouse->u.mode.signal)) {
 		scp->mouse_signal = mouse->u.mode.signal;
 		scp->mouse_proc = p;
 		scp->mouse_pid = p->p_pid;
@@ -1026,12 +1027,21 @@ scioctl(dev_t dev, int cmd, caddr_t data, int flag, struct proc *p)
 	return 0;
 
     case VT_SETMODE:    	/* set screen switcher mode */
-	bcopy(data, &scp->smode, sizeof(struct vt_mode));
-	if (scp->smode.mode == VT_PROCESS) {
-	    scp->proc = p;
-	    scp->pid = scp->proc->p_pid;
-	}
-	return 0;
+    {
+	struct vt_mode *mode;
+
+	mode = (struct vt_mode *)data;
+	if (ISSIGVALID(mode->relsig) && ISSIGVALID(mode->acqsig) &&
+	    ISSIGVALID(mode->frsig)) {
+	    bcopy(data, &scp->smode, sizeof(struct vt_mode));
+	    if (scp->smode.mode == VT_PROCESS) {
+		scp->proc = p;
+		scp->pid = scp->proc->p_pid;
+	    }
+	    return 0;
+	} else
+	    return EINVAL;
+    }
 
     case VT_GETMODE:    	/* get screen switcher mode */
 	bcopy(&scp->smode, data, sizeof(struct vt_mode));