From owner-svn-src-head@FreeBSD.ORG Tue Jan 27 19:35:42 2015 Return-Path: Delivered-To: svn-src-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 50810CB2; Tue, 27 Jan 2015 19:35:42 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 3CC5EAFA; Tue, 27 Jan 2015 19:35:42 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id t0RJZgJO015251; Tue, 27 Jan 2015 19:35:42 GMT (envelope-from delphij@FreeBSD.org) Received: (from delphij@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id t0RJZgbo015250; Tue, 27 Jan 2015 19:35:42 GMT (envelope-from delphij@FreeBSD.org) Message-Id: <201501271935.t0RJZgbo015250@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: delphij set sender to delphij@FreeBSD.org using -f From: Xin LI Date: Tue, 27 Jan 2015 19:35:42 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r277806 - head/sys/dev/vt X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 Jan 2015 19:35:42 -0000 Author: delphij Date: Tue Jan 27 19:35:41 2015 New Revision: 277806 URL: https://svnweb.freebsd.org/changeset/base/277806 Log: Use unsigned int for index value. Without this change a local attacker could trigger a panic by tricking the kernel into accessing undefined kernel memory. We would like to acknowledge Francisco Falcon from CORE Security Technologies who discovered the issue and reported to the FreeBSD Security Team. More information can be found at CORE Security's advisory at: http://www.coresecurity.com/content/freebsd-kernel-multiple-vulnerabilities This is an errata candidate for releng/10.1 and releng/9.3. Earlier releases are not affected. Reported by: Francisco Falcon from CORE Security Technologies Security: CVE-2014-0998 Reviewed by: dumbbell MFC after: 3 days Modified: head/sys/dev/vt/vt_core.c Modified: head/sys/dev/vt/vt_core.c ============================================================================== --- head/sys/dev/vt/vt_core.c Tue Jan 27 19:35:38 2015 (r277805) +++ head/sys/dev/vt/vt_core.c Tue Jan 27 19:35:41 2015 (r277806) @@ -2367,20 +2367,23 @@ skip_thunk: } VT_UNLOCK(vd); return (EINVAL); - case VT_WAITACTIVE: + case VT_WAITACTIVE: { + unsigned int idx; + error = 0; - i = *(unsigned int *)data; - if (i > VT_MAXWINDOWS) + idx = *(unsigned int *)data; + if (idx > VT_MAXWINDOWS) return (EINVAL); - if (i != 0) - vw = vd->vd_windows[i - 1]; + if (idx > 0) + vw = vd->vd_windows[idx - 1]; VT_LOCK(vd); while (vd->vd_curwindow != vw && error == 0) error = cv_wait_sig(&vd->vd_winswitch, &vd->vd_lock); VT_UNLOCK(vd); return (error); + } case VT_SETMODE: { /* set screen switcher mode */ struct vt_mode *mode; struct proc *p1;