From: Konstantin Belousov
Date: Mon, 9 Oct 2017 16:19:26 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r324438 - head/sys/i386/i386

Author: kib
Date: Mon Oct 9 16:19:26 2017
New Revision: 324438
URL: https://svnweb.freebsd.org/changeset/base/324438

Log:
  Change i386_get_ldt() to return 'EOF' when the requested range of
  descriptors does not fit into currently allocated LDT, or trim the
  return if the range fits partially. Before, the function returned
  EINVAL.

  Fix two bugs in r324366: use capped num counter for malloc size, and
  do not leak allocated buffer on EINVAL (by handling EINVAL case as
  normal, see above).

  Reviewed by: bde
  Sponsored by: The FreeBSD Foundation
  MFC after: 1 week

Modified:
  head/sys/i386/i386/sys_machdep.c

Modified: head/sys/i386/i386/sys_machdep.c
==============================================================================
--- head/sys/i386/i386/sys_machdep.c Mon Oct 9 16:07:27 2017 (r324437)
+++ head/sys/i386/i386/sys_machdep.c Mon Oct 9 16:19:26 2017 (r324438)
@@ -534,23 +534,20 @@ i386_get_ldt(struct thread *td, struct i386_ldt_args * uap->start, uap->num, (void *)uap->descs); #endif - if (uap->start >= MAX_LD) - return (EINVAL); - num = min(uap->num, MAX_LD - uap->start); - data = malloc(uap->num * sizeof(union descriptor), M_TEMP, M_WAITOK); + num = min(uap->num, MAX_LD); + data = malloc(num * sizeof(union descriptor), M_TEMP, M_WAITOK); mtx_lock_spin(&dt_lock); pldt = td->td_proc->p_md.md_ldt; nldt = pldt != NULL ? pldt->ldt_len : nitems(ldt); - num = min(num, nldt); - if (uap->start > nldt || uap->start + num > nldt) { - mtx_unlock_spin(&dt_lock); - return (EINVAL); + if (uap->start >= nldt) { + num = 0; + } else { + num = min(num, nldt - uap->start); + bcopy(pldt != NULL ? + &((union descriptor *)(pldt->ldt_base))[uap->start] : + &ldt[uap->start], data, num * sizeof(union descriptor)); } - bcopy(pldt != NULL ? - &((union descriptor *)(pldt->ldt_base))[uap->start] : - &ldt[uap->start], data, num * sizeof(union descriptor)); mtx_unlock_spin(&dt_lock); - error = copyout(data, uap->descs, num * sizeof(union descriptor)); if (error == 0) td->td_retval[0] = num;
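Review bot: The new `if (uap->start >= nldt)` branch turns an out-of-range start into a successful call with `num = 0`, and with the `uap->start >= MAX_LD` check removed no start value is rejected any more, but nothing in the function records that this is the intended contract. A short comment above the branch stating that a start past the end of the LDT yields a zero count, and a partially fitting range a trimmed count, would keep a later reader from restoring the EINVAL path, and any documentation or caller that still expects EINVAL for a bad start should be updated with it. Separately, `data` is allocated with M_WAITOK and no M_ZERO, sized from `min(uap->num, MAX_LD)`, while the copy in the else branch fills only the trimmed `num` entries; this exposes no uninitialized kernel memory only because `copyout` uses that same trimmed `num`. Adding M_ZERO to the malloc flags, or a comment tying the two lengths together, would make that invariant survive future edits.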