From 1ff092273d69bc3cb7fa22abfb7238f6e4822369 Mon Sep 17 00:00:00 2001
From: delphij
Date: Tue, 27 Jan 2015 19:35:41 +0000
Subject: Use unsigned int for index value.

Without this change a local attacker could trigger a panic by tricking the kernel into accessing undefined kernel memory.

We would like to acknowledge Francisco Falcon from CORE Security Technologies who discovered the issue and reported to the FreeBSD Security Team.

More information can be found at CORE Security's advisory at: http://www.coresecurity.com/content/freebsd-kernel-multiple-vulnerabilities

This is an errata candidate for releng/10.1 and releng/9.3. Earlier releases are not affected.

Reported by: Francisco Falcon from CORE Security Technologies
Security: CVE-2014-0998
Reviewed by: dumbbell
MFC after: 3 days
---
 sys/dev/vt/vt_core.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

(limited to 'sys/dev/vt')

diff --git a/sys/dev/vt/vt_core.c b/sys/dev/vt/vt_core.c
index 47b3c8a..f0acf22 100644
--- a/sys/dev/vt/vt_core.c
+++ b/sys/dev/vt/vt_core.c
@@ -2367,20 +2367,23 @@ skip_thunk:
 }
 VT_UNLOCK(vd);
 return (EINVAL);
- case VT_WAITACTIVE:
+ case VT_WAITACTIVE: {
+ unsigned int idx;
+
 error = 0;
 
- i = *(unsigned int *)data;
- if (i > VT_MAXWINDOWS)
+ idx = *(unsigned int *)data;
+ if (idx > VT_MAXWINDOWS)
 return (EINVAL);
- if (i != 0)
- vw = vd->vd_windows[i - 1];
+ if (idx > 0)
+ vw = vd->vd_windows[idx - 1];
 
 VT_LOCK(vd);
 while (vd->vd_curwindow != vw && error == 0)
 error = cv_wait_sig(&vd->vd_winswitch, &vd->vd_lock);
 VT_UNLOCK(vd);
 return (error);
+ }
 case VT_SETMODE: { /* set screen switcher mode */
 struct vt_mode *mode;
 struct proc *p1;
-- 
cgit v1.1
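Review bot: The range check `if (idx > VT_MAXWINDOWS)` in the new VT_WAITACTIVE block is only sufficient because `idx` is unsigned, and nothing in the block records that. The cast `*(unsigned int *)data` was already unsigned before this change, so the whole fix rests on the type of the local. I would add above the assignment: `/* idx is 1-based and must stay unsigned: a negative ioctl argument then fails the VT_MAXWINDOWS check instead of indexing below vd_windows[0]. */`. Separately, `vd->vd_windows[idx - 1]` is still read before `VT_LOCK(vd)`; if `vd_lock` is what guards that array (not visible here), the lookup belongs after the lock is taken. The switch and the declarations of `i` and `vw` lie outside the hunk, so any other case that indexes `vd_windows` from `data` through the presumably signed `i` is worth checking for the same pattern.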