From owner-svn-src-stable@freebsd.org Wed Apr 4 05:26:34 2018 Return-Path: Delivered-To: svn-src-stable@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 843EDF90D5C; Wed, 4 Apr 2018 05:26:34 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 2EBD189E8A; Wed, 4 Apr 2018 05:26:34 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 276177507; Wed, 4 Apr 2018 05:26:34 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w345QYbd097608; Wed, 4 Apr 2018 05:26:34 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id w345QYFT097606; Wed, 4 Apr 2018 05:26:34 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201804040526.w345QYFT097606@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f From: Gordon Tetlow Date: Wed, 4 Apr 2018 05:26:34 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r331983 - stable/10/sys/dev/vt X-SVN-Group: stable-10 X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: stable/10/sys/dev/vt X-SVN-Commit-Revision: 331983 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 04 Apr 2018 05:26:34 -0000 Author: gordon Date: Wed Apr 4 05:26:33 2018 New Revision: 331983 URL: https://svnweb.freebsd.org/changeset/base/331983 Log: MFC r331981: Limit glyph count in vtfont_load to avoid integer overflow. Invalid font data passed to PIO_VFONT can result in an integer overflow in glyphsize. Characters may then be drawn on the console using glyph map entries that point beyond the end of allocated glyph memory, resulting in a kernel memory disclosure. Submitted by: emaste Reported by: Dr. Silvio Cesare of InfoSect Security: CVE-2018-6917 Security: FreeBSD-SA-18:04.vt Sponsored by: The FreeBSD Foundation Modified: stable/10/sys/dev/vt/vt_font.c Directory Properties: stable/10/ (props changed) Modified: stable/10/sys/dev/vt/vt_font.c ============================================================================== --- stable/10/sys/dev/vt/vt_font.c Wed Apr 4 05:24:59 2018 (r331982) +++ stable/10/sys/dev/vt/vt_font.c Wed Apr 4 05:26:33 2018 (r331983) @@ -42,6 +42,7 @@ static MALLOC_DEFINE(M_VTFONT, "vtfont", "vt font"); /* Some limits to prevent abnormal fonts from being loaded. */ #define VTFONT_MAXMAPPINGS 65536 +#define VTFONT_MAXGLYPHS 131072 #define VTFONT_MAXGLYPHSIZE 2097152 #define VTFONT_MAXDIMENSION 128 @@ -171,7 +172,8 @@ vtfont_load(vfnt_t *f, struct vt_font **ret) /* Make sure the dimensions are valid. */ if (f->width < 1 || f->height < 1) return (EINVAL); - if (f->width > VTFONT_MAXDIMENSION || f->height > VTFONT_MAXDIMENSION) + if (f->width > VTFONT_MAXDIMENSION || f->height > VTFONT_MAXDIMENSION || + f->glyph_count > VTFONT_MAXGLYPHS) return (E2BIG); /* Not too many mappings. */