From owner-svn-src-stable-9@FreeBSD.ORG Mon Feb 2 18:48:50 2015 Return-Path: Delivered-To: svn-src-stable-9@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id DE775415; Mon, 2 Feb 2015 18:48:50 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id B0D599C; Mon, 2 Feb 2015 18:48:50 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id t12Imo3h022071; Mon, 2 Feb 2015 18:48:50 GMT (envelope-from delphij@FreeBSD.org) Received: (from delphij@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id t12ImoO7022070; Mon, 2 Feb 2015 18:48:50 GMT (envelope-from delphij@FreeBSD.org) Message-Id: <201502021848.t12ImoO7022070@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: delphij set sender to delphij@FreeBSD.org using -f From: Xin LI Date: Mon, 2 Feb 2015 18:48:50 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org Subject: svn commit: r278106 - in stable: 10/sys/dev/vt 9/sys/dev/vt X-SVN-Group: stable-9 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable-9@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: SVN commit messages for only the 9-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 02 Feb 2015 18:48:51 -0000 Author: delphij Date: Mon Feb 2 18:48:49 2015 New Revision: 278106 URL: https://svnweb.freebsd.org/changeset/base/278106 Log: MFC r277806: Use unsigned int for index value. Without this change a local attacker could trigger a panic by tricking the kernel into accessing undefined kernel memory. We would like to acknowledge Francisco Falcon from CORE Security Technologies who discovered the issue and reported to the FreeBSD Security Team. More information can be found at CORE Security's advisory at: http://www.coresecurity.com/content/freebsd-kernel-multiple-vulnerabilities This is an errata candidate for releng/10.1 and releng/9.3. Earlier releases are not affected. Reported by: Francisco Falcon from CORE Security Technologies Security: CVE-2014-0998 Reviewed by: dumbbell Modified: stable/9/sys/dev/vt/vt_core.c Directory Properties: stable/9/sys/ (props changed) stable/9/sys/dev/ (props changed) Changes in other areas also in this revision: Modified: stable/10/sys/dev/vt/vt_core.c Directory Properties: stable/10/ (props changed) Modified: stable/9/sys/dev/vt/vt_core.c ============================================================================== --- stable/9/sys/dev/vt/vt_core.c Mon Feb 2 18:20:10 2015 (r278105) +++ stable/9/sys/dev/vt/vt_core.c Mon Feb 2 18:48:49 2015 (r278106) @@ -1718,20 +1718,23 @@ skip_thunk: } VT_UNLOCK(vd); return (EINVAL); - case VT_WAITACTIVE: + case VT_WAITACTIVE: { + unsigned int idx; + error = 0; - i = *(unsigned int *)data; - if (i > VT_MAXWINDOWS) + idx = *(unsigned int *)data; + if (idx > VT_MAXWINDOWS) return (EINVAL); - if (i != 0) - vw = vd->vd_windows[i - 1]; + if (idx > 0) + vw = vd->vd_windows[idx - 1]; VT_LOCK(vd); while (vd->vd_curwindow != vw && error == 0) error = cv_wait_sig(&vd->vd_winswitch, &vd->vd_lock); VT_UNLOCK(vd); return (error); + } case VT_SETMODE: { /* set screen switcher mode */ struct vt_mode *mode; struct proc *p1;