authordelphij <delphij@FreeBSD.org>2015-02-02 18:48:49 +0000
committerdelphij <delphij@FreeBSD.org>2015-02-02 18:48:49 +0000
commit00fdf5663ab60629f1fb9bceeb2653c1d6faafbf (patch)
tree32fc525f8ebaaff4efe58cf5abfb3a4f8fa92c1f
parentc6be6095bb848c7f98e661d0bf3a00d35ef23361 (diff)
MFC r277806:
Use unsigned int for index value. Without this change a local attacker could trigger a panic by tricking the kernel into accessing undefined kernel memory. We would like to acknowledge Francisco Falcon from CORE Security Technologies who discovered the issue and reported to the FreeBSD Security Team. More information can be found at CORE Security's advisory at: http://www.coresecurity.com/content/freebsd-kernel-multiple-vulnerabilities This is an errata candidate for releng/10.1 and releng/9.3. Earlier releases are not affected. Reported by: Francisco Falcon from CORE Security Technologies Security: CVE-2014-0998 Reviewed by: dumbbell
-rw-r--r--sys/dev/vt/vt_core.c13
1 files changed, 8 insertions, 5 deletions
diff --git a/sys/dev/vt/vt_core.c b/sys/dev/vt/vt_core.c
index 3af8b9e..bddf12d 100644
--- a/sys/dev/vt/vt_core.c
+++ b/sys/dev/vt/vt_core.c
@@ -2356,20 +2356,23 @@ skip_thunk:
}
VT_UNLOCK(vd);
return (EINVAL);
- case VT_WAITACTIVE:
+ case VT_WAITACTIVE: {
+ unsigned int idx;
+
error = 0;
- i = *(unsigned int *)data;
- if (i > VT_MAXWINDOWS)
+ idx = *(unsigned int *)data;
+ if (idx > VT_MAXWINDOWS)
return (EINVAL);
- if (i != 0)
- vw = vd->vd_windows[i - 1];
+ if (idx > 0)
+ vw = vd->vd_windows[idx - 1];
VT_LOCK(vd);
while (vd->vd_curwindow != vw && error == 0)
error = cv_wait_sig(&vd->vd_winswitch, &vd->vd_lock);
VT_UNLOCK(vd);
return (error);
+ }
case VT_SETMODE: { /* set screen switcher mode */
struct vt_mode *mode;
struct proc *p1;
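Review bot: In the VT_WAITACTIVE case the lookup `vw = vd->vd_windows[idx - 1];` still runs before `VT_LOCK(vd)`, so the pointer the wait loop compares against is read without the lock the loop takes. Whether vd_windows slots can change concurrently or be NULL for an unused window is not visible in this hunk; if they can, the condition `vd->vd_curwindow != vw` may never become false and the caller sleeps until a signal arrives. Consider moving `VT_LOCK(vd);` above the `if (idx > 0)` lookup, and deciding explicitly what an empty slot should return. It would also help to record why the type matters, e.g. `/* unsigned: a negative value from userland must fail the VT_MAXWINDOWS check (CVE-2014-0998) */` above the `idx` declaration. The enclosing switch starts and ends outside the hunk, so other cases that may index with the old `i` could not be checked here.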