Fix bug in linux_wait4 and linux_waitpid where garbage in the status

argument could panic the kernel.

Submitted by: Ian Dowse <iedowse@maths.tcd.ie>
Prompted by: jkh, gallatin
Approved by: prompters

2 files changed, 4 insertions, 0 deletions

diff --git a/sys/compat/linux/linux_misc.c b/sys/compat/linux/linux_misc.c
index 1835c9c..1b2dd31 100644
--- a/sys/compat/linux/linux_misc.c
+++ b/sys/compat/linux/linux_misc.c
@@ -988,6 +988,7 @@ linux_waitpid(struct proc *p, struct linux_waitpid_args *args)
     if (args->status) {
 	if ((error = copyin(args->status, &tmpstat, sizeof(int))) != 0)
 	    return error;
+	tmpstat &= 0xffff;
 	if (WIFSIGNALED(tmpstat))
 	    tmpstat = (tmpstat & 0xffffff80) |
 		      BSD_TO_LINUX_SIGNAL(WTERMSIG(tmpstat));
@@ -1031,6 +1032,7 @@ linux_wait4(struct proc *p, struct linux_wait4_args *args)
     if (args->status) {
 	if ((error = copyin(args->status, &tmpstat, sizeof(int))) != 0)
 	    return error;
+	tmpstat &= 0xffff;
 	if (WIFSIGNALED(tmpstat))
 	    tmpstat = (tmpstat & 0xffffff80) |
 		  BSD_TO_LINUX_SIGNAL(WTERMSIG(tmpstat));
diff --git a/sys/i386/linux/linux_misc.c b/sys/i386/linux/linux_misc.c
index 1835c9c..1b2dd31 100644
--- a/sys/i386/linux/linux_misc.c
+++ b/sys/i386/linux/linux_misc.c
@@ -988,6 +988,7 @@ linux_waitpid(struct proc *p, struct linux_waitpid_args *args)
     if (args->status) {
 	if ((error = copyin(args->status, &tmpstat, sizeof(int))) != 0)
 	    return error;
+	tmpstat &= 0xffff;
 	if (WIFSIGNALED(tmpstat))
 	    tmpstat = (tmpstat & 0xffffff80) |
 		      BSD_TO_LINUX_SIGNAL(WTERMSIG(tmpstat));
@@ -1031,6 +1032,7 @@ linux_wait4(struct proc *p, struct linux_wait4_args *args)
     if (args->status) {
 	if ((error = copyin(args->status, &tmpstat, sizeof(int))) != 0)
 	    return error;
+	tmpstat &= 0xffff;
 	if (WIFSIGNALED(tmpstat))
 	    tmpstat = (tmpstat & 0xffffff80) |
 		  BSD_TO_LINUX_SIGNAL(WTERMSIG(tmpstat));