Merge r307936:

The argument validation in r296956 was not enough to close all possible overflows in sysarch(2). Submitted by: Kun Yang <kun.yang chaitin.com> Patch by: kib Security: SA-16:15
author: glebius <glebius@FreeBSD.org> 2016-10-25 17:16:08 +0000
committer: glebius <glebius@FreeBSD.org> 2016-10-25 17:16:08 +0000
commit: c4ea095d31613b4c6ba16691ee347e97ed30899f (patch)
tree: ea73e76c32cd569af94f94802e291b17d87cc3f4
parent: 2bf175cb15a320797d6d5a6019f53f82101e47c5 (diff)
download: FreeBSD-src-c4ea095d31613b4c6ba16691ee347e97ed30899f.zip
FreeBSD-src-c4ea095d31613b4c6ba16691ee347e97ed30899f.tar.gz
1 files changed, 4 insertions, 1 deletions
diff --git a/sys/amd64/amd64/sys_machdep.c b/sys/amd64/amd64/sys_machdep.c
index 77abfe8..fb984f5 100644
--- a/sys/amd64/amd64/sys_machdep.c
+++ b/sys/amd64/amd64/sys_machdep.c
@@ -619,6 +619,8 @@ amd64_set_ldt(td, uap, descs)
 		largest_ld = uap->start + uap->num;
 		if (largest_ld > max_ldt_segment)
 			largest_ld = max_ldt_segment;
+		if (largest_ld < uap->start)
+			return (EINVAL);
 		i = largest_ld - uap->start;
 		mtx_lock(&dt_lock);
 		bzero(&((struct user_segment_descriptor *)(pldt->ldt_base))
@@ -631,7 +633,8 @@ amd64_set_ldt(td, uap, descs)
 		/* verify range of descriptors to modify */
 		largest_ld = uap->start + uap->num;
 		if (uap->start >= max_ldt_segment ||
-		    largest_ld > max_ldt_segment)
+		    largest_ld > max_ldt_segment ||
+		    largest_ld < uap->start)
 			return (EINVAL);
 	}
author	glebius <glebius@FreeBSD.org>	2016-10-25 17:16:08 +0000
committer	glebius <glebius@FreeBSD.org>	2016-10-25 17:16:08 +0000
commit	c4ea095d31613b4c6ba16691ee347e97ed30899f (patch)
tree	ea73e76c32cd569af94f94802e291b17d87cc3f4
parent	2bf175cb15a320797d6d5a6019f53f82101e47c5 (diff)
download	FreeBSD-src-c4ea095d31613b4c6ba16691ee347e97ed30899f.zip FreeBSD-src-c4ea095d31613b4c6ba16691ee347e97ed30899f.tar.gz