Date:      Thu, 2 Jan 2020 23:05:49 +0000 (UTC)
From:      Eric Joyner <erj@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org
Subject:   svn commit: r356304 - in stable/12: sys/sys tests/sys/sys
Message-ID:  <202001022305.002N5ntT034983@repo.freebsd.org>

Author: erj
Date: Thu Jan  2 23:05:48 2020
New Revision: 356304
URL: https://svnweb.freebsd.org/changeset/base/356304

Log:
  MFC r354975: bitstring: exit early if _start is past size of the bitstring
  
  This fixes a possible buffer read overflow.
  
  Sponsored by:	Intel Corporation

Modified:
  stable/12/sys/sys/bitstring.h
  stable/12/tests/sys/sys/bitstring_test.c
Directory Properties:
  stable/12/   (props changed)

Modified: stable/12/sys/sys/bitstring.h
==============================================================================
--- stable/12/sys/sys/bitstring.h	Thu Jan  2 23:00:52 2020	(r356303)
+++ stable/12/sys/sys/bitstring.h	Thu Jan  2 23:05:48 2020	(r356304)
@@ -202,6 +202,11 @@ bit_ffs_at(bitstr_t *_bitstr, int _start, int _nbits, 
 	bitstr_t _test;
 	int _value, _offset;
 
+	if (_start >= _nbits) {
+		*_result = -1;
+		return;
+	}
+
 	if (_nbits > 0) {
 		_curbitstr = _bitstr + _bit_idx(_start);
 		_stopbitstr = _bitstr + _bit_idx(_nbits - 1);
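Review bot: The guard added at the top of bit_ffs_at bounds `_start` only from above, so a negative `_start` with a positive `_nbits` still reaches `_curbitstr = _bitstr + _bit_idx(_start)`. `_bit_idx` is not visible in this hunk, so the exact result is inferred, but the computed word pointer would presumably fall outside the bitstring and the read that follows would be out of bounds in the other direction. Consider `if (_start < 0 || _start >= _nbits) {`, or state in the function's header comment that callers must pass a non-negative start. The identical guard in bit_ffc_at (the next hunk) has the same gap. Both function bodies continue outside their hunks.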
@@ -230,6 +235,11 @@ bit_ffc_at(bitstr_t *_bitstr, int _start, int _nbits, 
 	bitstr_t *_stopbitstr;
 	bitstr_t _test;
 	int _value, _offset;
+
+	if (_start >= _nbits) {
+		*_result = -1;
+		return;
+	}
 
 	if (_nbits > 0) {
 		_curbitstr = _bitstr + _bit_idx(_start);

Modified: stable/12/tests/sys/sys/bitstring_test.c
==============================================================================
--- stable/12/tests/sys/sys/bitstring_test.c	Thu Jan  2 23:00:52 2020	(r356303)
+++ stable/12/tests/sys/sys/bitstring_test.c	Thu Jan  2 23:05:48 2020	(r356304)
@@ -246,6 +246,17 @@ BITSTRING_TC_DEFINE(bit_ffs_at)
 			    nbits, memloc, i, found_set_bit);
 		}
 	}
+
+	/* Pass a start value beyond the size of the bit string */
+	bit_ffs_at(bitstr, nbits, nbits, &found_set_bit);
+	ATF_REQUIRE_MSG(found_set_bit == -1,
+			"bit_ffs_at_%d_%s: Failed with high start value of %d, Result %d",
+			nbits, memloc, nbits, found_set_bit);
+
+	bit_ffs_at(bitstr, nbits + 3, nbits, &found_set_bit);
+	ATF_REQUIRE_MSG(found_set_bit == -1,
+			"bit_ffs_at_%d_%s: Failed with high start value of %d, Result %d",
+			nbits, memloc, nbits + 3, found_set_bit);
 }
 
 BITSTRING_TC_DEFINE(bit_ffc_at)
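Review bot: The two new bit_ffs_at cases assert only that the result is -1, which may not distinguish the fixed code from the old over-reading code. An out-of-bounds read changes the result only if the memory past the string happens to hold a set bit. The fill pattern left in `bitstr` by the preceding loop is not visible in this hunk, so this is hedged. It would still help to note above the new cases that they are most useful when run under a memory sanitizer, e.g. `/* Result check alone may miss an over-read; run under a sanitizer to catch regressions */`. The test body starts outside the hunk.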
@@ -297,6 +308,17 @@ BITSTRING_TC_DEFINE(bit_ffc_at)
 			    nbits, memloc, i, found_clear_bit);
 		}
 	}
+
+	/* Pass a start value beyond the size of the bit string */
+	bit_ffc_at(bitstr, nbits, nbits, &found_clear_bit);
+	ATF_REQUIRE_MSG(found_clear_bit == -1,
+			"bit_ffc_at_%d_%s: Failed with high start value, Result %d",
+			nbits, memloc, found_clear_bit);
+
+	bit_ffc_at(bitstr, nbits + 3, nbits, &found_clear_bit);
+	ATF_REQUIRE_MSG(found_clear_bit == -1,
+			"bit_ffc_at_%d_%s: Failed with high start value of %d, Result %d",
+			nbits, memloc, nbits + 3, found_clear_bit);
 }
 
 BITSTRING_TC_DEFINE(bit_nclear)
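Review bot: The first new bit_ffc_at assertion uses the message `"bit_ffc_at_%d_%s: Failed with high start value, Result %d"`, which omits the start value that the other three new assertions in this commit report. For consistent failure output, make it `"bit_ffc_at_%d_%s: Failed with high start value of %d, Result %d"` with arguments `nbits, memloc, nbits, found_clear_bit`. The format string and argument list match as written, so this is a readability point only.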


