Date:      Thu, 3 Jun 2021 13:29:04 GMT
From:      Mark Johnston <markj@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: e539e7a0954b - stable/13 - ktrace: Handle negative array sizes in ktrstructarray
Message-ID:  <202106031329.153DT4T6017241@gitrepo.freebsd.org>

The branch stable/13 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=e539e7a0954bc9fc0e308675b32d157917829cd4

commit e539e7a0954bc9fc0e308675b32d157917829cd4
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-05-27 19:49:12 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-06-03 13:28:42 +0000

    ktrace: Handle negative array sizes in ktrstructarray
    
    ktrstructarray() may be used to create copies of kevent(2) change and
    event arrays.  It is called before parameter validation is done and so
    should check for bogus array lengths before allocating a copy.
    
    Reported by:    syzkaller
    Reviewed by:    kib
    Sponsored by:   The FreeBSD Foundation
    
    (cherry picked from commit f88510077377157008f648b7036e1d1c9c83ea23)
---
 sys/kern/kern_ktrace.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sys/kern/kern_ktrace.c b/sys/kern/kern_ktrace.c
index 8728801acdf7..d0f7e0067064 100644
--- a/sys/kern/kern_ktrace.c
+++ b/sys/kern/kern_ktrace.c
@@ -803,6 +803,8 @@ ktrstructarray(const char *name, enum uio_seg seg, const void *data,
 
 	if (__predict_false(curthread->td_pflags & TDP_INKTRACE))
 		return;
+	if (num_items < 0)
+		return;
 
 	/* Trim array length to genio size. */
 	max_items = ktr_geniosize / struct_size;
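Review bot: the new `if (num_items < 0) return;` guard lands without a comment, so a later reader may take it for dead code given that kevent(2) rejects negative counts itself; add a one-line comment above it stating that ktrstructarray() runs before the caller's parameter validation (as the commit message explains) and therefore must bail out on a bogus length before any copy is allocated. Returning silently is the right behaviour here, since the syscall's own validation still reports the error to the caller and only the trace record is dropped.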
