upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-06-14 19:20:18 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

The argument validation in r296956 was not enough to close all possible

Browse source 
overflows in sysarch(2).

Submitted by:	Kun Yang <kun.yang chaitin.com>
Patch by:	kib
Security:	SA-16:15
This commit is contained in:
Gleb Smirnoff 2016-10-25 17:13:46 +00:00
parent bf715082c3
commit ccd08e4d99
1 changed files with 4 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
sys/amd64/amd64/sys_machdep.c
View file

@ -608,6 +608,8 @@ amd64_set_ldt(td, uap, descs)
largest_ld = uap->start + uap->num;
if (largest_ld > max_ldt_segment)
largest_ld = max_ldt_segment;
if (largest_ld < uap->start)
return (EINVAL);
i = largest_ld - uap->start;
mtx_lock(&dt_lock);
bzero(&((struct user_segment_descriptor *)(pldt->ldt_base))
@ -620,7 +622,8 @@ amd64_set_ldt(td, uap, descs)
/* verify range of descriptors to modify */
largest_ld = uap->start + uap->num;
if (uap->start >= max_ldt_segment ||
largest_ld > max_ldt_segment)
largest_ld > max_ldt_segment ||
largest_ld < uap->start)
return (EINVAL);
}