Chameleon Commit Details - 2309 - Chameleon open source boot loader project.

Date:

2014-01-07 09:33:32 (10 years 3 months ago)

Author:

Chuck Fry

Commit:

2309

Parents:

2308

Message:

Improve robustness against buffer overruns

Changes:

M	/branches/chucko/i386/boot2/drivers.c

File differences

-244
245 245
246 246
247 
247
248 248
249 249
250 250
251 
251
252 252
253 253
254 254
... ...
278 278
279 279
280 280
281 
281
282 282
283 283
284 284
... ...
289 289
290 290
291 291
292 
292
293 293
294 294
295 295
... ...
336 336
337 337
338 338
339 
339
340 340
341 341
342 
342
343 343
344 344
345 345
346 346
347 347
348 
349 
348
349
350 350
351 351
352 352
... ...
383 383
384 384
385 385
386 
386
387 387
388 388
389 389
... ...
436 436
437 437
438 438
439 
439
440 440
441 441
442 442
... ...
460 460
461 461
462 462
463 
464 
465 
466 
463
464
465
466
467
468
467 469
468 470
469 471
470 472
471 473
472 474
473 
474 
475
476
477
478
475 479
476 480
477 481
... ...
481 485
482 486
483 487
484 
485 
486 
487 
488
489
490
491
492
493
488 494
489 495
490 496
... ...
574 580
575 581
576 582
577 
583
578 584
579 585
580 586
... ...
629 635
630 636
631 637
632 
638
633 639
634 640
635 641
+            else␊
            {␊
␉␉␉␉if (gMacOSVersion[3] == '9') {␊
␉␉␉␉␉strcpy(gExtensionsSpec, dirSpec);␊
                    strlcpy(gExtensionsSpec, dirSpec, 4087); /* 4096 - sizeof("Library/") */␊
␉␉␉␉␉strcat(gExtensionsSpec, "Library/");␊
␉␉␉␉␉FileLoadDrivers(gExtensionsSpec, 0);␊
␉␉␉␉}␊
                strcpy(gExtensionsSpec, dirSpec);␊
                strlcpy(gExtensionsSpec, dirSpec, 4080); /* 4096 - sizeof("System/Library/") */␊
                strcat(gExtensionsSpec, "System/Library/");␊
                FileLoadDrivers(gExtensionsSpec, 0);␊
            }␊

␉long␉ret, flags, time, time2;␊
␉char␉altDirSpec[512];␊
␉␊
␉sprintf (altDirSpec, "%s%s", dirSpec, extDirSpec);␊
␉snprintf(altDirSpec, sizeof(altDirSpec), "%s%s", dirSpec, extDirSpec);␊
␉ret = GetFileInfo(altDirSpec, "Extensions.mkext", &flags, &time);␊
␊
␉if ((ret == 0) && ((flags & kFileTypeMask) == kFileTypeFlat))␊

␉␉␉|| ((flags & kFileTypeMask) != kFileTypeDirectory)␊
␉␉␉|| (((gBootMode & kBootModeSafe) == 0) && (time == (time2 + 1))))␊
␉␉{␊
␉␉␉sprintf(gDriverSpec, "%sExtensions.mkext", altDirSpec);␊
            snprintf(gDriverSpec, sizeof(altDirSpec) + 18, "%sExtensions.mkext", altDirSpec);␊
␉␉␉verbose("LoadDrivers: Loading from [%s]\n", gDriverSpec);␊
␊
␉␉␉if (LoadDriverMKext(gDriverSpec) == 0)␊

        if (strcmp(name + length - 5, ".kext")) continue;␊
␊
        // Save the file name.␊
        strcpy(gFileName, name);␊
        strlcpy(gFileName, name, 4096);␊
    ␊
        // Determine the bundle type.␊
        sprintf(gTempSpec, "%s/%s", dirSpec, gFileName);␊
        snprintf(gTempSpec, 4096, "%s/%s", dirSpec, gFileName);␊
        ret = GetFileInfo(gTempSpec, "Contents", &flags, &time);␊
        if (ret == 0) bundleType = kCFBundleType2;␊
        else bundleType = kCFBundleType3;␊
␊
        if (!plugin)␊
            sprintf(gDriverSpec, "%s/%s/%sPlugIns", dirSpec, gFileName,␊
                    (bundleType == kCFBundleType2) ? "Contents/" : "");␊
          snprintf(gDriverSpec, 4096, "%s/%s/%sPlugIns", dirSpec, gFileName,␊
                   (bundleType == kCFBundleType2) ? "Contents/" : "");␊
␊
        ret = LoadDriverPList(dirSpec, gFileName, bundleType);␊
␊

#endif␊
␊
    // INTEL modification␊
    sprintf(gDriverSpec, "%s%s.mkext", dirSpec, bootInfo->bootFile);␊
    snprintf(gDriverSpec, 4096, "%s%s.mkext", dirSpec, bootInfo->bootFile);␊
    ␊
    verbose("NetLoadDrivers: Loading from [%s]\n", gDriverSpec);␊
    ␊

    memcpy((void *)driversAddr, (void *)package, driversLength);␊
␊
    // Add the MKext to the memory map.␊
    sprintf(segName, "DriversPackage-%lx", driversAddr);␊
    snprintf(segName, sizeof(segName), "DriversPackage-%lx", driversAddr);␊
    AllocateMemoryRange(segName, driversAddr, driversLength,␊
                        kBootDriverTypeMKEXT);␊
␊

    do {␊
        // Save the driver path.␊
        ␊
        if(name) sprintf(gFileSpec, "%s/%s/%s", dirSpec, name,␊
                (bundleType == kCFBundleType2) ? "Contents/MacOS/" : "");␊
        else sprintf(gFileSpec, "%s/%s", dirSpec,␊
                     (bundleType == kCFBundleType2) ? "Contents/MacOS/" : "");␊
        if(name)␊
          snprintf(gFileSpec, 4096, "%s/%s/%s", dirSpec, name,␊
                   (bundleType == kCFBundleType2) ? "Contents/MacOS/" : "");␊
        else␊
          snprintf(gFileSpec, 4096, "%s/%s", dirSpec,␊
                   (bundleType == kCFBundleType2) ? "Contents/MacOS/" : "");␊
        executablePathLength = strlen(gFileSpec) + 1;␊
␊
        tmpExecutablePath = malloc(executablePathLength);␊
        if (tmpExecutablePath == 0) break;␊
        strcpy(tmpExecutablePath, gFileSpec);␊
  ␊
        if(name) sprintf(gFileSpec, "%s/%s", dirSpec, name);␊
        else sprintf(gFileSpec, "%s", dirSpec);␊
        if(name) ␊
          snprintf(gFileSpec, 4096, "%s/%s", dirSpec, name);␊
        else␊
          snprintf(gFileSpec, 4096, "%s", dirSpec);␊
        bundlePathLength = strlen(gFileSpec) + 1;␊
␊
        tmpBundlePath = malloc(bundlePathLength);␊

␊
        // Construct the file spec to the plist, then load it.␊
␊
        if(name) sprintf(gFileSpec, "%s/%s/%sInfo.plist", dirSpec, name,␊
                (bundleType == kCFBundleType2) ? "Contents/" : "");␊
        else sprintf(gFileSpec, "%s/%sInfo.plist", dirSpec,␊
                     (bundleType == kCFBundleType2) ? "Contents/" : "");␊
        if(name)␊
          snprintf(gFileSpec, 4096, "%s/%s/%sInfo.plist", dirSpec, name,␊
                   (bundleType == kCFBundleType2) ? "Contents/" : "");␊
        else␊
          snprintf(gFileSpec, 4096, "%s/%sInfo.plist", dirSpec,␊
                   (bundleType == kCFBundleType2) ? "Contents/" : "");␊
␊
        length = LoadFile(gFileSpec);␊
        if (length == -1) break;␊

␉␉␉if (prop != 0)␊
␉␉␉{␊
␉␉␉␉fileName = prop->string;␊
␉␉␉␉sprintf(gFileSpec, "%s%s", module->executablePath, fileName);␊
␉␉␉␉snprintf(gFileSpec, 4096, "%s%s", module->executablePath, fileName);␊
␉␉␉␉length = LoadThinFatFile(gFileSpec, &executableAddr);␊
␉␉␉␉if (length == 0)␊
␉␉␉␉{␊

␉␉␉␉strcpy(driver->bundlePathAddr, module->bundlePath);␊
␊
␉␉␉␉// Add an entry to the memory map.␊
␉␉␉␉sprintf(segName, "Driver-%lx", (unsigned long)driver);␊
␉␉␉␉snprintf(segName, sizeof(segName), "Driver-%lx", (unsigned long)driver);␊
␉␉␉␉AllocateMemoryRange(segName, driverAddr, driverLength,␊
␉␉␉␉␉␉␉␉␉kBootDriverTypeKEXT);␊
␉␉␉}␊
 ...
 ...
 ...
 ...
 ...
 ...
 ...
 ...
 ...
             else␊
             {␊
 ␉␉␉␉if (gMacOSVersion[3] == '9') {␊
-␉␉␉␉␉strcpy(gExtensionsSpec, dirSpec);␊
+                    strlcpy(gExtensionsSpec, dirSpec, 4087); /* 4096 - sizeof("Library/") */␊
 ␉␉␉␉␉strcat(gExtensionsSpec, "Library/");␊
 ␉␉␉␉␉FileLoadDrivers(gExtensionsSpec, 0);␊
 ␉␉␉␉}␊
-                strcpy(gExtensionsSpec, dirSpec);␊
+                strlcpy(gExtensionsSpec, dirSpec, 4080); /* 4096 - sizeof("System/Library/") */␊
                 strcat(gExtensionsSpec, "System/Library/");␊
                 FileLoadDrivers(gExtensionsSpec, 0);␊
             }␊
 ␉long␉ret, flags, time, time2;␊
 ␉char␉altDirSpec[512];␊
 ␉␊
-␉sprintf (altDirSpec, "%s%s", dirSpec, extDirSpec);␊
+␉snprintf(altDirSpec, sizeof(altDirSpec), "%s%s", dirSpec, extDirSpec);␊
 ␉ret = GetFileInfo(altDirSpec, "Extensions.mkext", &flags, &time);␊
 ␊
 ␉if ((ret == 0) && ((flags & kFileTypeMask) == kFileTypeFlat))␊
 ␉␉␉|| ((flags & kFileTypeMask) != kFileTypeDirectory)␊
 ␉␉␉|| (((gBootMode & kBootModeSafe) == 0) && (time == (time2 + 1))))␊
 ␉␉{␊
-␉␉␉sprintf(gDriverSpec, "%sExtensions.mkext", altDirSpec);␊
+            snprintf(gDriverSpec, sizeof(altDirSpec) + 18, "%sExtensions.mkext", altDirSpec);␊
 ␉␉␉verbose("LoadDrivers: Loading from [%s]\n", gDriverSpec);␊
 ␊
 ␉␉␉if (LoadDriverMKext(gDriverSpec) == 0)␊
         if (strcmp(name + length - 5, ".kext")) continue;␊
 ␊
         // Save the file name.␊
-        strcpy(gFileName, name);␊
+        strlcpy(gFileName, name, 4096);␊
     ␊
         // Determine the bundle type.␊
-        sprintf(gTempSpec, "%s/%s", dirSpec, gFileName);␊
+        snprintf(gTempSpec, 4096, "%s/%s", dirSpec, gFileName);␊
         ret = GetFileInfo(gTempSpec, "Contents", &flags, &time);␊
         if (ret == 0) bundleType = kCFBundleType2;␊
         else bundleType = kCFBundleType3;␊
 ␊
         if (!plugin)␊
-            sprintf(gDriverSpec, "%s/%s/%sPlugIns", dirSpec, gFileName,␊
-                    (bundleType == kCFBundleType2) ? "Contents/" : "");␊
+          snprintf(gDriverSpec, 4096, "%s/%s/%sPlugIns", dirSpec, gFileName,␊
+                   (bundleType == kCFBundleType2) ? "Contents/" : "");␊
 ␊
         ret = LoadDriverPList(dirSpec, gFileName, bundleType);␊
 ␊
 #endif␊
 ␊
     // INTEL modification␊
-    sprintf(gDriverSpec, "%s%s.mkext", dirSpec, bootInfo->bootFile);␊
+    snprintf(gDriverSpec, 4096, "%s%s.mkext", dirSpec, bootInfo->bootFile);␊
     ␊
     verbose("NetLoadDrivers: Loading from [%s]\n", gDriverSpec);␊
     ␊
     memcpy((void *)driversAddr, (void *)package, driversLength);␊
 ␊
     // Add the MKext to the memory map.␊
-    sprintf(segName, "DriversPackage-%lx", driversAddr);␊
+    snprintf(segName, sizeof(segName), "DriversPackage-%lx", driversAddr);␊
     AllocateMemoryRange(segName, driversAddr, driversLength,␊
                         kBootDriverTypeMKEXT);␊
 ␊
     do {␊
         // Save the driver path.␊
         ␊
-        if(name) sprintf(gFileSpec, "%s/%s/%s", dirSpec, name,␊
-                (bundleType == kCFBundleType2) ? "Contents/MacOS/" : "");␊
-        else sprintf(gFileSpec, "%s/%s", dirSpec,␊
-                     (bundleType == kCFBundleType2) ? "Contents/MacOS/" : "");␊
+        if(name)␊
+          snprintf(gFileSpec, 4096, "%s/%s/%s", dirSpec, name,␊
+                   (bundleType == kCFBundleType2) ? "Contents/MacOS/" : "");␊
+        else␊
+          snprintf(gFileSpec, 4096, "%s/%s", dirSpec,␊
+                   (bundleType == kCFBundleType2) ? "Contents/MacOS/" : "");␊
         executablePathLength = strlen(gFileSpec) + 1;␊
 ␊
         tmpExecutablePath = malloc(executablePathLength);␊
         if (tmpExecutablePath == 0) break;␊
         strcpy(tmpExecutablePath, gFileSpec);␊
   ␊
-        if(name) sprintf(gFileSpec, "%s/%s", dirSpec, name);␊
-        else sprintf(gFileSpec, "%s", dirSpec);␊
+        if(name) ␊
+          snprintf(gFileSpec, 4096, "%s/%s", dirSpec, name);␊
+        else␊
+          snprintf(gFileSpec, 4096, "%s", dirSpec);␊
         bundlePathLength = strlen(gFileSpec) + 1;␊
 ␊
         tmpBundlePath = malloc(bundlePathLength);␊
 ␊
         // Construct the file spec to the plist, then load it.␊
 ␊
-        if(name) sprintf(gFileSpec, "%s/%s/%sInfo.plist", dirSpec, name,␊
-                (bundleType == kCFBundleType2) ? "Contents/" : "");␊
-        else sprintf(gFileSpec, "%s/%sInfo.plist", dirSpec,␊
-                     (bundleType == kCFBundleType2) ? "Contents/" : "");␊
+        if(name)␊
+          snprintf(gFileSpec, 4096, "%s/%s/%sInfo.plist", dirSpec, name,␊
+                   (bundleType == kCFBundleType2) ? "Contents/" : "");␊
+        else␊
+          snprintf(gFileSpec, 4096, "%s/%sInfo.plist", dirSpec,␊
+                   (bundleType == kCFBundleType2) ? "Contents/" : "");␊
 ␊
         length = LoadFile(gFileSpec);␊
         if (length == -1) break;␊
 ␉␉␉if (prop != 0)␊
 ␉␉␉{␊
 ␉␉␉␉fileName = prop->string;␊
-␉␉␉␉sprintf(gFileSpec, "%s%s", module->executablePath, fileName);␊
+␉␉␉␉snprintf(gFileSpec, 4096, "%s%s", module->executablePath, fileName);␊
 ␉␉␉␉length = LoadThinFatFile(gFileSpec, &executableAddr);␊
 ␉␉␉␉if (length == 0)␊
 ␉␉␉␉{␊
 ␉␉␉␉strcpy(driver->bundlePathAddr, module->bundlePath);␊
 ␊
 ␉␉␉␉// Add an entry to the memory map.␊
-␉␉␉␉sprintf(segName, "Driver-%lx", (unsigned long)driver);␊
+␉␉␉␉snprintf(segName, sizeof(segName), "Driver-%lx", (unsigned long)driver);␊
 ␉␉␉␉AllocateMemoryRange(segName, driverAddr, driverLength,␊
 ␉␉␉␉␉␉␉␉␉kBootDriverTypeKEXT);␊
 ␉␉␉}␊

Download the corresponding diff file