e, 09 Jun 2026 19:18:45 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdxK4jnHz3NXh
	for <dev-commits-src-branches@FreeBSD.org>; Tue, 09 Jun 2026 19:18:45 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1781032725;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=8T64V+cVozIuVIbsYw8Y/dylPScn7H7MORmdJcqxDvU=;
	b=almRP8BPchRWMEfVYQMVnKGSbI/79WniYzMcVPDFtPw6SWS+AMaZ9gSgMOhgi62ZD5hs11
	Niqyf/wAYaMQqXeAVlsLiFSpXEeq4WhVyP7vZZxYlFFOWpnpXZW6i+TaQZP66VURSARLD1
	KZW4S81934ZXxmVkIfY0AnXK1zscuROslgK5YbwFd1CvgeueM4Uo8sizkXM0hyI3tLaT4V
	nKlhqP+Sgqjo5NCiutzZQj9LRcDM2Gawk1bFuBnXb48nrzTFkF4rqZYlDd9yRS29D8ESgP
	uVHkEXDOLw8YwAIvyHWQF/ntOehZvwHyKFPHxoHJ+q36ASn66HoI+ovghLJNiQ==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032725; a=rsa-sha256; cv=none;
	b=SPTxmhPFYILrDeTuWswWk/3VPF0bbnpKYX5GjGuMyvU/oTY1Yn2ldRBFGCbNNzUr8Pn2gl
	pdwYt6FgNhH2mx0pR40T8UZparWi9XhqyHVD8dwat9NEFEfNJb7iFhk4nvPrg+pu8xlcRx
	pzkZ5v8LFwTp5Vtkc5LISp/xwxbWmfjbxMcmeyssSv66ALat7FIhhH9Fp+UfB/imEpihNm
	ISsNBnUu44N3d+hSUs/4WvR8dNpvB+kEsaZifpX06JS7SF6LVKwGZPGdlKRDBJnF8H6G85
	/pnTAR4ICB+cZTyDBLEjCByp6AeDxR2hBL01+LUdeNo8myVpzK+HR9ESjNB3Fw==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1781032725;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=8T64V+cVozIuVIbsYw8Y/dylPScn7H7MORmdJcqxDvU=;
	b=L9Px3MKDEriianU2+Bz5ns8yVItyv5zPohfXKBRr/pkTK224hQUnia9BABOfS40+cY2kl0
	81vRdOZ8Ut7P5FLowAUrrRiK6se5ynGg57vvjgw8oos8tipzyRKtycgeJ+KymBLgYhftyp
	0A26dykLlftpbpSqYbMe0eGutyEj2bvhp25V6mT+2ZtuXkQ0yRpFmmquELHCBBE4J0kIHF
	O2itH+8TaGSSPpQGKTiUgeeclWPYDV7e40oEiXCX+OtS6xZediJ/sa5xoYk5rNBrK9DGT9
	aCpgS3wLGP679cHWYSmaQbTQAybj6TtzOgH/VeJ2JbhdUUncvTid3+WmRQZ24g==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxK1lkHznFv
	for <dev-commits-src-branches@FreeBSD.org>; Tue, 09 Jun 2026 19:18:45 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from git (uid 1279)
	(envelope-from git@FreeBSD.org)
	id 3d972
	by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org);
	Tue, 09 Jun 2026 19:18:45 +0000
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Cc: Ed Maste <emaste@FreeBSD.org>
From: Mark Johnston <markj@FreeBSD.org>
Subject: git: 9cba21c2de16 - releng/14.3 - vt: Avoid integer overflow in CONS_HISTORY ioctl
List-Id: Commits to the stable branches of the FreeBSD src repository <dev-commits-src-branches.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
List-Help: <mailto:dev-commits-src-branches+help@freebsd.org>
List-Post: <mailto:dev-commits-src-branches@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-branches+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-branches+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-branches@freebsd.org
Sender: owner-dev-commits-src-branches@FreeBSD.org
List-Id: <dev-commits-src-branches.FreeBSD.org>
List-Post: <mailto:dev-commits-src-branches@FreeBSD.org>
List-Help: <mailto:dev-commits-src-branches+help@FreeBSD.org>
List-Subscribe: <mailto:dev-commits-src-branches+subscribe@FreeBSD.org>
List-Unsubscribe: <mailto:dev-commits-src-branches+unsubscribe@FreeBSD.org>
List-Owner: <mailto:postmaster@FreeBSD.org>
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/releng/14.3
X-Git-Reftype: branch
X-Git-Commit: 9cba21c2de1668717a77833ad1533416babe131a
Auto-Submitted: auto-generated
Date: Tue, 09 Jun 2026 19:18:45 +0000
Message-Id: <6a286715.3d972.2875afcb@gitrepo.freebsd.org>

The branch releng/14.3 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=9cba21c2de1668717a77833ad1533416babe131a

commit 9cba21c2de1668717a77833ad1533416babe131a
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2026-05-26 16:19:47 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-06-07 17:48:17 +0000

    vt: Avoid integer overflow in CONS_HISTORY ioctl
    
    Approved by:    so
    Security:       FreeBSD-SA-26:34.vt
    Security:       CVE-2026-49416
    Reviewed by:    markj, vexeduxr
    Sponsored by:   The FreeBSD Foundation
    Differential Revision: https://reviews.freebsd.org/D57250
    
    (cherry picked from commit 0ae946e7223df5ef3f7980af1d774d7f593f6421)
    (cherry picked from commit deaaddf1d3c4283649945553ad7e3208c8424308)
    (cherry picked from commit b5a4f4bfbc95d5d5361da708728f7f4a6db2ee60)
---
 sys/dev/vt/vt_buf.c  | 9 ++++-----
 sys/dev/vt/vt_core.c | 6 ++++--
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/sys/dev/vt/vt_buf.c b/sys/dev/vt/vt_buf.c
index ea27ea8a5ebf..0fd301bb662a 100644
--- a/sys/dev/vt/vt_buf.c
+++ b/sys/dev/vt/vt_buf.c
@@ -500,7 +500,6 @@ vtbuf_grow(struct vt_buf *vb, const term_pos_t *p, unsigned int history_size)
 {
 	term_char_t *old, *new, **rows, **oldrows, **copyrows, *row, *oldrow;
 	unsigned int w, h, c, r, old_history_size;
-	size_t bufsize, rowssize;
 	int history_full;
 	const teken_attr_t *a;
 	term_char_t ch;
@@ -511,10 +510,10 @@ vtbuf_grow(struct vt_buf *vb, const term_pos_t *p, unsigned int history_size)
 	history_size = MAX(history_size, p->tp_row);
 
 	/* Allocate new buffer. */
-	bufsize = history_size * p->tp_col * sizeof(term_char_t);
-	new = malloc(bufsize, M_VTBUF, M_WAITOK | M_ZERO);
-	rowssize = history_size * sizeof(term_pos_t *);
-	rows = malloc(rowssize, M_VTBUF, M_WAITOK | M_ZERO);
+	new = mallocarray(history_size, p->tp_col * sizeof(term_char_t),
+	    M_VTBUF, M_WAITOK | M_ZERO);
+	rows = mallocarray(history_size, sizeof(term_pos_t *), M_VTBUF,
+	    M_WAITOK | M_ZERO);
 
 	/* Toggle it. */
 	VTBUF_LOCK(vb);
diff --git a/sys/dev/vt/vt_core.c b/sys/dev/vt/vt_core.c
index 50f12512a81c..547bee8be86a 100644
--- a/sys/dev/vt/vt_core.c
+++ b/sys/dev/vt/vt_core.c
@@ -41,6 +41,7 @@
 #include <sys/kbio.h>
 #include <sys/kdb.h>
 #include <sys/kernel.h>
+#include <sys/limits.h>
 #include <sys/linker.h>
 #include <sys/lock.h>
 #include <sys/malloc.h>
@@ -2771,8 +2772,9 @@ skip_thunk:
 		/* XXX */
 		return (0);
 	case CONS_HISTORY:
-		if (*(int *)data < 0)
-			return EINVAL;
+		if (*(int *)data < 0 ||
+		    *(int *)data > UINT_MAX / USHRT_MAX / sizeof(term_char_t))
+			return (EINVAL);
 		if (*(int *)data != vw->vw_buf.vb_history_size)
 			vtbuf_sethistory_size(&vw->vw_buf, *(int *)data);
 		return (0);