From 8a4d2b06c70bc1ae3079d3ccff486f9fe46eaac4 Mon Sep 17 00:00:00 2001
From: David Schultz
Date: Wed, 23 Mar 2005 08:28:03 +0000
Subject: [PATCH] Bounds check the length parameter to i386_set_ldt() before passing it to kmem_alloc(). Failure to do this made it possible for user processes to cause a hard lock on i386 kernels.

I believe this only affects 6-CURRENT on or after 2005-01-26.

Found by: Coverity Prevent analysis tool
Security: Local DOS
---
 sys/i386/i386/sys_machdep.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sys/i386/i386/sys_machdep.c b/sys/i386/i386/sys_machdep.c
index 0056843c8be..5738e1f96c7 100644
--- a/sys/i386/i386/sys_machdep.c
+++ b/sys/i386/i386/sys_machdep.c
@@ -103,6 +103,8 @@ sysarch(td, uap)
 if ((error = copyin(uap->parms, &kargs.largs,
 sizeof(struct i386_ldt_args))) != 0)
 return (error);
+ if (kargs.largs.num > MAX_LD || kargs.largs.num <= 0)
+ return (EINVAL);
 break;
 default:
 break;
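Review bot: The new guard validates largs.num only at the syscall entry in sysarch(), so any other in-kernel caller of i386_set_ldt() (a compat layer, for instance) would still reach kmem_alloc() with an unchecked length; putting the same check at the top of i386_set_ldt() itself, instead of or in addition to this one, closes that path. largs.start is not checked here either, so a negative start or a `start + num > MAX_LD` combination is presumably rejected further down in i386_set_ldt() — worth confirming, and worth a comment on the added lines such as `/* Reject bogus descriptor counts before i386_set_ldt() allocates num entries. */`. Note that `num <= 0` only rejects negative values if num is a signed type; if it is unsigned, the test degenerates to `== 0` and `> MAX_LD` alone carries the bound. sysarch() begins and ends outside the hunk.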