Date: Wed, 16 Mar 2016 22:46:57 +0000 (UTC) From: Gleb Smirnoff <glebius@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r296959 - releng/10.3/sys/amd64/amd64 Message-ID: <201603162246.u2GMkvuP049313@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: glebius Date: Wed Mar 16 22:46:57 2016 New Revision: 296959 URL: https://svnweb.freebsd.org/changeset/base/296959 Log: Merge r296956: Due to invalid use of a signed intermediate value in the bounds checking during argument validity verification, unbound zero'ing of the process LDT and adjacent memory can be initiated from usermode. Submitted by: CORE Security Patch by: kib Security: SA-16:15 Approved by: re (implicit) Modified: releng/10.3/sys/amd64/amd64/sys_machdep.c Directory Properties: releng/10.3/ (props changed) Modified: releng/10.3/sys/amd64/amd64/sys_machdep.c ============================================================================== --- releng/10.3/sys/amd64/amd64/sys_machdep.c Wed Mar 16 22:36:02 2016 (r296958) +++ releng/10.3/sys/amd64/amd64/sys_machdep.c Wed Mar 16 22:46:57 2016 (r296959) @@ -591,8 +591,8 @@ amd64_set_ldt(td, uap, descs) struct i386_ldt_args *uap; struct user_segment_descriptor *descs; { - int error = 0, i; - int largest_ld; + int error = 0; + unsigned int largest_ld, i; struct mdproc *mdp = &td->td_proc->p_md; struct proc_ldt *pldt; struct user_segment_descriptor *dp;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201603162246.u2GMkvuP049313>