authordas <das@FreeBSD.org>2005-03-23 08:28:03 +0000
committerdas <das@FreeBSD.org>2005-03-23 08:28:03 +0000
commitd1fb7b8c2ae75f2a9c1997d2f4259a50b7d80512 (patch)
tree5e0860959f73809a7babe4c61e6ab8f4bcd20a91
parentfbf7a9b2eeca945d9a6947410d6fa2b1c321d366 (diff)
downloadFreeBSD-src-d1fb7b8c2ae75f2a9c1997d2f4259a50b7d80512.zip
FreeBSD-src-d1fb7b8c2ae75f2a9c1997d2f4259a50b7d80512.tar.gz
Bounds check the length parameter to i386_set_ldt() before passing it
to kmem_alloc(). Failure to do this made it possible for user processes to cause a hard lock on i386 kernels. I believe this only affects 6-CURRENT on or after 2005-01-26. Found by: Coverity Prevent analysis tool Security: Local DOS
-rw-r--r--sys/i386/i386/sys_machdep.c2
1 files changed, 2 insertions, 0 deletions
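--- a/sys/i386/i386/sys_machdep.c
+++ b/sys/i386/i386/sys_machdep.c
@@ -103,6 +103,8 @@ sysarch(td, uap)
 if ((error = copyin(uap->parms, &kargs.largs,
 sizeof(struct i386_ldt_args))) != 0)
 return (error);
+if (kargs.largs.num > MAX_LD || kargs.largs.num <= 0)
+return (EINVAL);
 break;
 default:
 break;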
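Review bot: The added range check bounds only `kargs.largs.num`; `kargs.largs.start` arrives through the same copyin and is not constrained here, so if i386_set_ldt() sizes its allocation or indexes the descriptor table from `start + num` rather than from `num` alone, this check does not cover that sum — presumably that is validated inside i386_set_ldt(), which the hunk does not show, but it is worth confirming. The bound is also placed in sysarch() rather than at the kmem_alloc() site the commit message names, so any other caller of i386_set_ldt() would not inherit it; if sysarch() is the only entry point, a short comment would make that dependency explicit, e.g. `/* Bound num here: i386_set_ldt() sizes its kmem_alloc() from it and has no check of its own. */`. The enclosing case label and the rest of sysarch() lie outside the hunk.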