Date: Fri, 20 May 2016 19:50:32 +0000 (UTC) From: Konstantin Belousov <kib@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r300332 - in head/sys: amd64/amd64 i386/i386 Message-ID: <201605201950.u4KJoWA5028092@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: kib Date: Fri May 20 19:50:32 2016 New Revision: 300332 URL: https://svnweb.freebsd.org/changeset/base/300332 Log: Check for overflow and return EINVAL if detected. Backport this and r300305 to i386. PR: 209661 Reported and reviewed by: cturt Sponsored by: The FreeBSD Foundation MFC after: 3 days Modified: head/sys/amd64/amd64/sys_machdep.c head/sys/i386/i386/sys_machdep.c Modified: head/sys/amd64/amd64/sys_machdep.c ============================================================================== --- head/sys/amd64/amd64/sys_machdep.c Fri May 20 19:46:25 2016 (r300331) +++ head/sys/amd64/amd64/sys_machdep.c Fri May 20 19:50:32 2016 (r300332) @@ -344,7 +344,8 @@ amd64_set_ioperm(td, uap) return (error); if ((error = securelevel_gt(td->td_ucred, 0)) != 0) return (error); - if (uap->start + uap->length > IOPAGES * PAGE_SIZE * NBBY) + if (uap->start > uap->start + uap->length || + uap->start + uap->length > IOPAGES * PAGE_SIZE * NBBY) return (EINVAL); /* Modified: head/sys/i386/i386/sys_machdep.c ============================================================================== --- head/sys/i386/i386/sys_machdep.c Fri May 20 19:46:25 2016 (r300331) +++ head/sys/i386/i386/sys_machdep.c Fri May 20 19:50:32 2016 (r300332) @@ -315,8 +315,9 @@ i386_set_ioperm(td, uap) struct thread *td; struct i386_ioperm_args *uap; { - int i, error; char *iomap; + u_int i; + int error; if ((error = priv_check(td, PRIV_IO)) != 0) return (error); @@ -334,7 +335,8 @@ i386_set_ioperm(td, uap) return (error); iomap = (char *)td->td_pcb->pcb_ext->ext_iomap; - if (uap->start + uap->length > IOPAGES * PAGE_SIZE * NBBY) + if (uap->start > uap->start + uap->length || + uap->start + uap->length > IOPAGES * PAGE_SIZE * NBBY) return (EINVAL); for (i = uap->start; i < uap->start + uap->length; i++) {
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201605201950.u4KJoWA5028092>