Although aio_nbytes is size_t, later is is signed to

casted types: to ssize_t in filesystem code and to int in buf code, thus supplying a negative argument leads to kernel panic later. To fix that check user supplied argument in the beginning of syscall. Submitted by: Maxim Dounin <mdounin mdounin.ru>, maxim@
author: glebius <glebius@FreeBSD.org> 2012-01-26 11:59:48 +0000
committer: glebius <glebius@FreeBSD.org> 2012-01-26 11:59:48 +0000
commit: 7900947bc5753da4e1cd11c973f438b5b58721ea (patch)
tree: da21e38138b7c4f0da32f18d3d36b6a3b2184b42 /sys/kern
parent: f84b253d0e86e1ff545be806ad5e2cf702917b93 (diff)
download: FreeBSD-src-7900947bc5753da4e1cd11c973f438b5b58721ea.zip
FreeBSD-src-7900947bc5753da4e1cd11c973f438b5b58721ea.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/sys/kern/vfs_aio.c b/sys/kern/vfs_aio.c
index 7af9f55..fe682d8 100644
--- a/sys/kern/vfs_aio.c
+++ b/sys/kern/vfs_aio.c
@@ -1552,6 +1552,12 @@ aio_aqueue(struct thread *td, struct aiocb *job, struct aioliojob *lj,
 		return (error);
 	}
 
+	/* XXX: aio_nbytes is later casted to signed types. */
+	if ((int)aiocbe->uaiocb.aio_nbytes < 0) {
+		uma_zfree(aiocb_zone, aiocbe);
+		return (EINVAL);
+	}
+
 	if (aiocbe->uaiocb.aio_sigevent.sigev_notify != SIGEV_KEVENT &&
 	    aiocbe->uaiocb.aio_sigevent.sigev_notify != SIGEV_SIGNAL &&
 	    aiocbe->uaiocb.aio_sigevent.sigev_notify != SIGEV_THREAD_ID &&
author	glebius <glebius@FreeBSD.org>	2012-01-26 11:59:48 +0000
committer	glebius <glebius@FreeBSD.org>	2012-01-26 11:59:48 +0000
commit	7900947bc5753da4e1cd11c973f438b5b58721ea (patch)
tree	da21e38138b7c4f0da32f18d3d36b6a3b2184b42 /sys/kern
parent	f84b253d0e86e1ff545be806ad5e2cf702917b93 (diff)
download	FreeBSD-src-7900947bc5753da4e1cd11c973f438b5b58721ea.zip FreeBSD-src-7900947bc5753da4e1cd11c973f438b5b58721ea.tar.gz