* sysdeps/gnu/bits/msq.h: Qualify kernel's

data structure pointers as __unbounded. 
* sysdeps/unix/sysv/linux/mips/bits/shm.h: Likewise. 
* sysdeps/generic/bp-semctl.h: New file. 
* sysdeps/unix/sysv/linux/msgctl.c: Qualify kernel's data structure 
pointers as __unbounded.  Check bounds of syscall args. 
* sysdeps/unix/sysv/linux/msgrcv.c: Likewise. 
* sysdeps/unix/sysv/linux/msgsnd.c: Likewise. 
* sysdeps/unix/sysv/linux/semctl.c: Likewise. 
* sysdeps/unix/sysv/linux/semop.c: Likewise. 
* sysdeps/unix/sysv/linux/shmat.c: Likewise. 
* sysdeps/unix/sysv/linux/shmctl.c: Likewise. 
* sysdeps/unix/sysv/linux/shmdt.c: Likewise. 
* sysdeps/unix/sysv/linux/alpha/msgctl.c: Likewise. 
* sysdeps/unix/sysv/linux/alpha/semctl.c: Likewise. 
* sysdeps/unix/sysv/linux/alpha/shmctl.c: Likewise. 
* sysdeps/unix/sysv/linux/i386/msgctl.c: Likewise. 
* sysdeps/unix/sysv/linux/i386/semctl.c: Likewise. 
* sysdeps/unix/sysv/linux/i386/shmctl.c: Likewise. 
* sysdeps/unix/sysv/linux/sparc/sparc64/msgctl.c: Likewise. 
* sysdeps/unix/sysv/linux/sparc/sparc64/semctl.c: Likewise. 
* sysdeps/unix/sysv/linux/sparc/sparc64/shmctl.c: Likewise.
2000-07-26  Greg McGary  <greg@mcgary.org>

	* sysdeps/gnu/bits/msq.h: Qualify kernel's
	data structure pointers as __unbounded.
	* sysdeps/unix/sysv/linux/mips/bits/shm.h: Likewise.
	* sysdeps/generic/bp-semctl.h: New file.
	* sysdeps/unix/sysv/linux/msgctl.c: Qualify kernel's data structure
	pointers as __unbounded.  Check bounds of syscall args.
	* sysdeps/unix/sysv/linux/msgrcv.c: Likewise.
	* sysdeps/unix/sysv/linux/msgsnd.c: Likewise.
	* sysdeps/unix/sysv/linux/semctl.c: Likewise.
	* sysdeps/unix/sysv/linux/semop.c: Likewise.
	* sysdeps/unix/sysv/linux/shmat.c: Likewise.
	* sysdeps/unix/sysv/linux/shmctl.c: Likewise.
	* sysdeps/unix/sysv/linux/shmdt.c: Likewise.
	* sysdeps/unix/sysv/linux/alpha/msgctl.c: Likewise.
	* sysdeps/unix/sysv/linux/alpha/semctl.c: Likewise.
	* sysdeps/unix/sysv/linux/alpha/shmctl.c: Likewise.
	* sysdeps/unix/sysv/linux/i386/msgctl.c: Likewise.
	* sysdeps/unix/sysv/linux/i386/semctl.c: Likewise.
	* sysdeps/unix/sysv/linux/i386/shmctl.c: Likewise.
	* sysdeps/unix/sysv/linux/sparc/sparc64/msgctl.c: Likewise.
	* sysdeps/unix/sysv/linux/sparc/sparc64/semctl.c: Likewise.
	* sysdeps/unix/sysv/linux/sparc/sparc64/shmctl.c: Likewise.

3 files changed, 41 insertions, 22 deletions

diff --git a/sysdeps/unix/sysv/linux/i386/msgctl.c b/sysdeps/unix/sysv/linux/i386/msgctl.c
index 684365a922..f7535ae5bd 100644
--- a/sysdeps/unix/sysv/linux/i386/msgctl.c
+++ b/sysdeps/unix/sysv/linux/i386/msgctl.c
@@ -24,6 +24,7 @@
 #include <sysdep.h>
 #include <string.h>
 #include <sys/syscall.h>
+#include <bp-checks.h>
 
 #include "kernel-features.h"
 #include <shlib-compat.h>
@@ -31,13 +32,13 @@
 struct __old_msqid_ds
 {
   struct __old_ipc_perm msg_perm;	/* structure describing operation permission */
-  struct msg *__msg_first;		/* pointer to first message on queue */
-  struct msg *__msg_last;		/* pointer to last message on queue */
+  struct msg *__unbounded __msg_first;	/* pointer to first message on queue */
+  struct msg *__unbounded __msg_last;	/* pointer to last message on queue */
   __time_t msg_stime;			/* time of last msgsnd command */
   __time_t msg_rtime;			/* time of last msgrcv command */
   __time_t msg_ctime;			/* time of last change */
-  struct wait_queue *__wwait;		/* ??? */
-  struct wait_queue *__rwait;		/* ??? */
+  struct wait_queue *__unbounded __wwait; /* ??? */
+  struct wait_queue *__unbounded __rwait; /* ??? */
   unsigned short int __msg_cbytes;	/* current number of bytes on queue */
   unsigned short int msg_qnum;		/* number of messages currently on queue */
   unsigned short int msg_qbytes;	/* max number of bytes allowed on queue */
@@ -64,7 +65,8 @@ extern int __libc_missing_32bit_uids;
 int
 __old_msgctl (int msqid, int cmd, struct __old_msqid_ds *buf)
 {
-  return INLINE_SYSCALL (ipc, 5, IPCOP_msgctl, msqid, cmd, 0, buf);
+  return INLINE_SYSCALL (ipc, 5, IPCOP_msgctl,
+			 msqid, cmd, 0, CHECK_1 (buf));
 }
 compat_symbol (libc, __old_msgctl, msgctl, GLIBC_2_0);
 #endif
@@ -73,7 +75,8 @@ int
 __new_msgctl (int msqid, int cmd, struct msqid_ds *buf)
 {
 #if __ASSUME_32BITUIDS > 0
-  return INLINE_SYSCALL (ipc, 5, IPCOP_msgctl, msqid, cmd | __IPC_64, 0, buf);
+  return INLINE_SYSCALL (ipc, 5, IPCOP_msgctl,
+			 msqid, cmd | __IPC_64, 0, CHECK_1 (buf));
 #else
   switch (cmd) {
     case MSG_STAT:
@@ -81,7 +84,8 @@ __new_msgctl (int msqid, int cmd, struct msqid_ds *buf)
     case IPC_SET:
       break;
     default:
-      return INLINE_SYSCALL (ipc, 5, IPCOP_msgctl, msqid, cmd, 0, buf);
+      return INLINE_SYSCALL (ipc, 5, IPCOP_msgctl,
+			     msqid, cmd, 0, CHECK_1 (buf));
   }
 
   {
@@ -105,7 +109,8 @@ __new_msgctl (int msqid, int cmd, struct msqid_ds *buf)
 	  }
 	if (__libc_missing_32bit_uids <= 0)
 	  {
-	    result = INLINE_SYSCALL (ipc, 5, IPCOP_msgctl, msqid, cmd | __IPC_64, 0, buf);
+	    result = INLINE_SYSCALL (ipc, 5, IPCOP_msgctl,
+				     msqid, cmd | __IPC_64, 0, CHECK_1 (buf));
 	    return result;
 	  }
       }
@@ -124,7 +129,8 @@ __new_msgctl (int msqid, int cmd, struct msqid_ds *buf)
 	    return -1;
 	  }
       }
-    result = INLINE_SYSCALL (ipc, 5, IPCOP_msgctl, msqid, cmd, 0, &old);
+    result = INLINE_SYSCALL (ipc, 5, IPCOP_msgctl,
+			     msqid, cmd, 0, __ptrvalue (&old));
     if (result != -1 && cmd != IPC_SET)
       {
 	memset(buf, 0, sizeof(*buf));
diff --git a/sysdeps/unix/sysv/linux/i386/semctl.c b/sysdeps/unix/sysv/linux/i386/semctl.c
index b553c2aa8b..6fdd83c738 100644
--- a/sysdeps/unix/sysv/linux/i386/semctl.c
+++ b/sysdeps/unix/sysv/linux/i386/semctl.c
@@ -50,6 +50,9 @@ union semun
   struct seminfo *__buf;	/* buffer for IPC_INFO */
 };
 
+#include <bp-checks.h>
+#include <bp-semctl.h>		/* definition of CHECK_SEMCTL needs union semum */
+
 #ifdef __NR_getuid32
 # if __ASSUME_32BITUIDS == 0
 /* This variable is shared with all files that need to check for 32bit
@@ -79,7 +82,8 @@ __old_semctl (int semid, int semnum, int cmd, ...)
 
   va_end (ap);
 
-  return INLINE_SYSCALL (ipc, 5, IPCOP_semctl, semid, semnum, cmd, &arg);
+  return INLINE_SYSCALL (ipc, 5, IPCOP_semctl, semid, semnum, cmd,
+			 CHECK_SEMCTL (&arg, semid, cmd));
 }
 compat_symbol (libc, __old_semctl, semctl, GLIBC_2_0);
 #endif
@@ -98,7 +102,8 @@ __new_semctl (int semid, int semnum, int cmd, ...)
   va_end (ap);
 
 #if __ASSUME_32BITUIDS > 0
-  return INLINE_SYSCALL (ipc, 5, IPCOP_semctl, semid, semnum, cmd | __IPC_64, &arg);
+  return INLINE_SYSCALL (ipc, 5, IPCOP_semctl, semid, semnum, cmd | __IPC_64,
+			 CHECK_SEMCTL (&arg, semid, cmd | __IPC_64));
 #else
   switch (cmd) {
     case SEM_STAT:
@@ -106,7 +111,8 @@ __new_semctl (int semid, int semnum, int cmd, ...)
     case IPC_SET:
       break;
     default:
-      return INLINE_SYSCALL (ipc, 5, IPCOP_semctl, semid, semnum, cmd, &arg);
+      return INLINE_SYSCALL (ipc, 5, IPCOP_semctl, semid, semnum, cmd,
+			     CHECK_SEMCTL (&arg, semid, cmd));
   }
 
   {
@@ -131,7 +137,8 @@ __new_semctl (int semid, int semnum, int cmd, ...)
 	  }
 	if (__libc_missing_32bit_uids <= 0)
 	  {
-	    result = INLINE_SYSCALL (ipc, 5, IPCOP_semctl, semid, semnum, cmd | __IPC_64, &arg);
+	    result = INLINE_SYSCALL (ipc, 5, IPCOP_semctl, semid, semnum, cmd | __IPC_64,
+				     CHECK_SEMCTL (&arg, semid, cmd | __IPC_64));
 	    return result;
 	  }
       }
@@ -151,7 +158,8 @@ __new_semctl (int semid, int semnum, int cmd, ...)
 	    return -1;
 	  }
       }
-    result = INLINE_SYSCALL (ipc, 5, IPCOP_semctl, semid, semnum, cmd, &arg);
+    result = INLINE_SYSCALL (ipc, 5, IPCOP_semctl, semid, semnum, cmd,
+			     CHECK_SEMCTL (&arg, semid, cmd));
     if (result != -1 && cmd != IPC_SET)
       {
 	memset(buf, 0, sizeof(*buf));
diff --git a/sysdeps/unix/sysv/linux/i386/shmctl.c b/sysdeps/unix/sysv/linux/i386/shmctl.c
index ca25ff0c7a..402fb46717 100644
--- a/sysdeps/unix/sysv/linux/i386/shmctl.c
+++ b/sysdeps/unix/sysv/linux/i386/shmctl.c
@@ -25,6 +25,7 @@
 #include <string.h>
 #include <sys/syscall.h>
 #include <bits/wordsize.h>
+#include <bp-checks.h>
 
 #include "kernel-features.h"
 #include <shlib-compat.h>
@@ -40,8 +41,8 @@ struct __old_shmid_ds
   __ipc_pid_t shm_lpid;			/* pid of last shmop */
   unsigned short int shm_nattch;	/* number of current attaches */
   unsigned short int __shm_npages;	/* size of segment (pages) */
-  unsigned long int *__shm_pages;	/* array of ptrs to frames -> SHMMAX */
-  struct vm_area_struct *__attaches;	/* descriptors for attaches */
+  unsigned long int *__unbounded __shm_pages; /* array of ptrs to frames -> SHMMAX */
+  struct vm_area_struct *__unbounded __attaches; /* descriptors for attaches */
 };
 
 struct __old_shminfo
@@ -71,7 +72,8 @@ int __new_shmctl (int, int, struct shmid_ds *);
 int
 __old_shmctl (int shmid, int cmd, struct __old_shmid_ds *buf)
 {
-  return INLINE_SYSCALL (ipc, 5, IPCOP_shmctl, shmid, cmd, 0, buf);
+  return INLINE_SYSCALL (ipc, 5, IPCOP_shmctl,
+			 shmid, cmd, 0, CHECK_1 (buf));
 }
 compat_symbol (libc, __old_shmctl, shmctl, GLIBC_2_0);
 #endif
@@ -80,7 +82,8 @@ int
 __new_shmctl (int shmid, int cmd, struct shmid_ds *buf)
 {
 #if __ASSUME_32BITUIDS > 0
-  return INLINE_SYSCALL (ipc, 5, IPCOP_shmctl, shmid, cmd | __IPC_64, 0, buf);
+  return INLINE_SYSCALL (ipc, 5, IPCOP_shmctl,
+			 shmid, cmd | __IPC_64, 0, CHECK_1 (buf));
 #else
   switch (cmd) {
     case SHM_STAT:
@@ -91,7 +94,8 @@ __new_shmctl (int shmid, int cmd, struct shmid_ds *buf)
 # endif
       break;
     default:
-      return INLINE_SYSCALL (ipc, 5, IPCOP_shmctl, shmid, cmd, 0, buf);
+      return INLINE_SYSCALL (ipc, 5, IPCOP_shmctl,
+			     shmid, cmd, 0, CHECK_1 (buf));
   }
 
   {
@@ -114,8 +118,8 @@ __new_shmctl (int shmid, int cmd, struct shmid_ds *buf)
 	    __set_errno(save_errno);
 	  }
 	if (__libc_missing_32bit_uids <= 0)
-	  return INLINE_SYSCALL (ipc, 5, IPCOP_shmctl, shmid, cmd | __IPC_64,
-				 0, buf);
+	  return INLINE_SYSCALL (ipc, 5, IPCOP_shmctl,
+				 shmid, cmd | __IPC_64, 0, CHECK_1 (buf));
       }
 # endif
 
@@ -131,7 +135,8 @@ __new_shmctl (int shmid, int cmd, struct shmid_ds *buf)
 	    return -1;
 	  }
       }
-    result = INLINE_SYSCALL (ipc, 5, IPCOP_shmctl, shmid, cmd, 0, &old);
+    result = INLINE_SYSCALL (ipc, 5, IPCOP_shmctl,
+			     shmid, cmd, 0, __ptrvalue (&old));
     if (result != -1 && (cmd == SHM_STAT || cmd == IPC_STAT))
       {
 	memset(buf, 0, sizeof(*buf));