From owner-svn-src-stable-10@FreeBSD.ORG Mon Feb 2 18:48:51 2015 Return-Path: Delivered-To: svn-src-stable-10@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 80173416; Mon, 2 Feb 2015 18:48:51 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 515C69D; Mon, 2 Feb 2015 18:48:51 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id t12ImpKp022078; Mon, 2 Feb 2015 18:48:51 GMT (envelope-from delphij@FreeBSD.org) Received: (from delphij@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id t12Impqj022077; Mon, 2 Feb 2015 18:48:51 GMT (envelope-from delphij@FreeBSD.org) Message-Id: <201502021848.t12Impqj022077@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: delphij set sender to delphij@FreeBSD.org using -f From: Xin LI Date: Mon, 2 Feb 2015 18:48:51 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r278106 - in stable: 10/sys/dev/vt 9/sys/dev/vt X-SVN-Group: stable-10 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable-10@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: SVN commit messages for only the 10-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 02 Feb 2015 18:48:51 -0000 Author: delphij Date: Mon Feb 2 18:48:49 2015 New Revision: 278106 URL: https://svnweb.freebsd.org/changeset/base/278106 Log: MFC r277806: Use unsigned int for index value. Without this change a local attacker could trigger a panic by tricking the kernel into accessing undefined kernel memory. We would like to acknowledge Francisco Falcon from CORE Security Technologies who discovered the issue and reported to the FreeBSD Security Team. More information can be found at CORE Security's advisory at: http://www.coresecurity.com/content/freebsd-kernel-multiple-vulnerabilities This is an errata candidate for releng/10.1 and releng/9.3. Earlier releases are not affected. Reported by: Francisco Falcon from CORE Security Technologies Security: CVE-2014-0998 Reviewed by: dumbbell Modified: stable/10/sys/dev/vt/vt_core.c Directory Properties: stable/10/ (props changed) Changes in other areas also in this revision: Modified: stable/9/sys/dev/vt/vt_core.c Directory Properties: stable/9/sys/ (props changed) stable/9/sys/dev/ (props changed) Modified: stable/10/sys/dev/vt/vt_core.c ============================================================================== --- stable/10/sys/dev/vt/vt_core.c Mon Feb 2 18:20:10 2015 (r278105) +++ stable/10/sys/dev/vt/vt_core.c Mon Feb 2 18:48:49 2015 (r278106) @@ -2356,20 +2356,23 @@ skip_thunk: } VT_UNLOCK(vd); return (EINVAL); - case VT_WAITACTIVE: + case VT_WAITACTIVE: { + unsigned int idx; + error = 0; - i = *(unsigned int *)data; - if (i > VT_MAXWINDOWS) + idx = *(unsigned int *)data; + if (idx > VT_MAXWINDOWS) return (EINVAL); - if (i != 0) - vw = vd->vd_windows[i - 1]; + if (idx > 0) + vw = vd->vd_windows[idx - 1]; VT_LOCK(vd); while (vd->vd_curwindow != vw && error == 0) error = cv_wait_sig(&vd->vd_winswitch, &vd->vd_lock); VT_UNLOCK(vd); return (error); + } case VT_SETMODE: { /* set screen switcher mode */ struct vt_mode *mode; struct proc *p1;